
Windows Analysis Report
CWT_Setup_1.2.0.4.exe

Overview

General Information

Sample name: CWT_Setup_1.2.0.4.exe
Analysis ID: 1636133
MD5: 47c63e4dd2fe278f49cc6ae6805a8629
SHA1: 834ab8124673efebb57920c62f6f4a4dcdad2a38
SHA256: 458cbf4b498e7c65fd565086da63b5950f2b9662525172abec15f0516141a9cb

Detection

Score: 5
Range: 0 - 100
Confidence: 40%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files

Classification

  • System is w11x64_office
  • CWT_Setup_1.2.0.4.exe (PID: 4312 cmdline: "C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe" MD5: 47C63E4DD2FE278F49CC6AE6805A8629)
    • CWT_Setup_1.2.0.4.tmp (PID: 2820 cmdline: "C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp" /SL5="$90088,853778,843264,C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe" MD5: 364F9F267DF7A6152F89FED62E66DE53)
      • CWT.exe (PID: 3800 cmdline: "C:\Users\user\AppData\Local\Programs\CWT\CWT.exe" MD5: A6577D54696DF01EF3F16B56FC3DBFE0)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Local\Programs\CWT\CWT.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp, ProcessId: 2820, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CWT
No Suricata rule has matched


Source: CWT_Setup_1.2.0.4.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5D096A53-86D6-4960-8217-A86411D2216C}_is1
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9680_none_88e394a52fab6222\MSVCR80.dll
Source: CWT_Setup_1.2.0.4.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dhako94\source\repos\CWT\obj\Release\CWT.pdb | source: CWT_Setup_1.2.0.4.tmp, 00000002.00000003.3915830058.0000000006F80000.00000004.00001000.00020000.00000000.sdmp, CWT.exe, 00000012.00000000.3914179166.0000000000072000.00000002.00000001.01000000.00000008.sdmp, is-0EH5I.tmp.2.dr
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sajatypeworks.comi
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sajatypeworks.comk
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://scripts.sil.org/OFL
Source: CWT_Setup_1.2.0.4.tmp, 00000002.00000003.2861172100.0000000003E70000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://unckel.de
Source: is-0EH5I.tmp.2.dr | String found in binary or memory: http://unckel.de/tools/kalenderwoche
Source: is-0EH5I.tmp.2.dr | String found in binary or memory: http://unckel.de/tools/kalenderwoche/
Source: CWT_Setup_1.2.0.4.tmp, 00000002.00000003.3917305861.0000000002684000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://unckel.de1Rh
Source: CWT_Setup_1.2.0.4.tmp, 00000002.00000003.3917305861.0000000002684000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://unckel.de32
Source: CWT_Setup_1.2.0.4.tmp, 00000002.00000003.3917305861.0000000002684000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://unckel.deiRh
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/microsoft/cascadia-code/blob/main/LICENSE).
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/microsoft/cascadia-code/blob/master/LICENSE).
Source: CWT_Setup_1.2.0.4.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://scripts.sil.org/OFL
Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://scripts.sil.org/OFL)
Source: CWT_Setup_1.2.0.4.exe, 00000000.00000003.2856659534.0000000002600000.00000004.00001000.00020000.00000000.sdmp, CWT_Setup_1.2.0.4.exe, 00000000.00000003.2857077024.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, CWT_Setup_1.2.0.4.tmp, 00000002.00000000.2858899882.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-LCC49.tmp.2.dr, CWT_Setup_1.2.0.4.tmp.0.dr | String found in binary or memory: https://www.innosetup.com/
Source: CWT_Setup_1.2.0.4.exe, 00000000.00000003.2856659534.0000000002600000.00000004.00001000.00020000.00000000.sdmp, CWT_Setup_1.2.0.4.exe, 00000000.00000003.2857077024.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, CWT_Setup_1.2.0.4.tmp, 00000002.00000000.2858899882.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-LCC49.tmp.2.dr, CWT_Setup_1.2.0.4.tmp.0.dr | String found in binary or memory: https://www.remobjects.com/ps
Source: CWT_Setup_1.2.0.4.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-LCC49.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: CWT_Setup_1.2.0.4.exe, 00000000.00000003.3927308477.0000000000B58000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs CWT_Setup_1.2.0.4.exe
Source: CWT_Setup_1.2.0.4.exe, 00000000.00000003.2856659534.0000000002600000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs CWT_Setup_1.2.0.4.exe
Source: CWT_Setup_1.2.0.4.exe, 00000000.00000000.2854793312.00000000004C6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs CWT_Setup_1.2.0.4.exe
Source: CWT_Setup_1.2.0.4.exe, 00000000.00000003.2857077024.000000007FB90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs CWT_Setup_1.2.0.4.exe
Source: CWT_Setup_1.2.0.4.exe | Binary or memory string: OriginalFileName vs CWT_Setup_1.2.0.4.exe
Source: classification engine | Classification label: clean5.winEXE@5/9@0/0
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Mutant created: \Sessions\1\BaseNamedObjects\CWT
Source: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe | File created: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp
Source: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: CWT_Setup_1.2.0.4.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe | File read: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe
Source: unknown | Process created: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe "C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe"
Source: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe | Process created: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp" /SL5="$90088,853778,843264,C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Process created: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe "C:\Users\user\AppData\Local\Programs\CWT\CWT.exe"
Source: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: servicingcommon.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: cfgmgr32.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: CWT.lnk.2.dr | LNK file: ..\..\..\..\..\Local\Programs\CWT\CWT.exe
Source: CWT.lnk0.2.dr | LNK file: ..\AppData\Local\Programs\CWT\CWT.exe
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: CWT_Setup_1.2.0.4.exe | Static file information: File size 1660532 > 1048576
Source: is-0EH5I.tmp.2.dr | Static PE information: 0xFE104F10 [Tue Jan 27 06:41:20 2105 UTC]
Source: CWT_Setup_1.2.0.4.exe | Static PE information: section name: .didata
Source: CWT_Setup_1.2.0.4.tmp.0.dr | Static PE information: section name: .didata
Source: is-LCC49.tmp.2.dr | Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | File created: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | File created: C:\Users\user\AppData\Local\Programs\CWT\is-0EH5I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2K1OS.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe | File created: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | File created: C:\Users\user\AppData\Local\Programs\CWT\is-LCC49.tmp
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | File created: C:\Users\user\AppData\Local\Programs\CWT\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CWT.lnk
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CWT
Source: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Memory allocated: 890000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Memory allocated: 26D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Memory allocated: 1A6D0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2K1OS.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\CWT\is-LCC49.tmp
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\CWT\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCode.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCodeItalic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCode.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMonoItalic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SansSerifCollection.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SegUIVar.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SegUIVar.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SegUIVar.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SegUIVar.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SegUIVar.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SitkaVF-Italic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SitkaVF-Italic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SitkaVF.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\CWT\CWT.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
MITRE ATT&CK Matrix

Techniques listed per tactic column; the number in parentheses is the match count shown in the report for that technique.

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
  • Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
  • Persistence: Windows Service (1); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
  • Privilege Escalation: Windows Service (1); Process Injection (1); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Network Logon Script; RC Scripts
  • Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Process Injection (1); Timestomp (1); DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
  • Discovery: Virtualization/Sandbox Evasion (1); Process Discovery (1); System Owner/User Discovery (2); File and Directory Discovery (1); System Information Discovery (11); Wi-Fi Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
  • Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1636133 | Sample: CWT_Setup_1.2.0.4.exe | Start date: 12/03/2025 | Architecture: WINDOWS | Score: 5
  • CWT_Setup_1.2.0.4.exe (2) started
    • dropped: C:\Users\user\...\CWT_Setup_1.2.0.4.tmp, PE32
    • CWT_Setup_1.2.0.4.tmp (31 19) started
      • dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
      • dropped: C:\Users\user\AppData\...\unins000.exe (copy), PE32
      • dropped: C:\Users\user\AppData\Local\...\is-LCC49.tmp, PE32
      • dropped: 2 other files (none is malicious)
      • CWT.exe (4 2) started

Source | Detection | Scanner
CWT_Setup_1.2.0.4.exe | 5% | Virustotal
CWT_Setup_1.2.0.4.exe | 8% | ReversingLabs

Source | Detection | Scanner
C:\Users\user\AppData\Local\Programs\CWT\CWT.exe (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\CWT\is-0EH5I.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Programs\CWT\is-LCC49.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\Programs\CWT\unins000.exe (copy) | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-2K1OS.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp | 7% | ReversingLabs
No Antivirus matches
Source | Detection | Scanner | Label
http://unckel.de/tools/kalenderwoche | 0% | Avira URL Cloud | safe
http://unckel.de32 | 0% | Avira URL Cloud | safe
http://unckel.deiRh | 0% | Avira URL Cloud | safe
http://unckel.de1Rh | 0% | Avira URL Cloud | safe
http://unckel.de | 0% | Avira URL Cloud | safe
http://unckel.de/tools/kalenderwoche/ | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation (rows grouped by source)

Source: CWT.exe, 00000012.00000002.4109157101.000000001D1A2000.00000004.00000800.00020000.00000000.sdmp (Malicious: false; Reputation: high)
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designersG
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers?
  • http://sajatypeworks.comi
  • https://scripts.sil.org/OFL)
  • http://sajatypeworks.comk
  • http://www.tiro.com
  • http://www.fontbureau.com/designers
  • https://github.com/microsoft/cascadia-code/blob/main/LICENSE).
  • http://www.carterandcone.coml
  • http://www.sajatypeworks.com
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.founder.com.cn/cn
  • http://www.fontbureau.com/designers/frere-jones.html
  • https://scripts.sil.org/OFL
  • http://www.jiyu-kobo.co.jp/
  • http://www.galapagosdesign.com/DPlease
  • http://www.fontbureau.com/designers8
  • http://www.urwpp.deDPlease
  • http://scripts.sil.org/OFL
  • http://www.sakkal.com
  • https://github.com/microsoft/cascadia-code/blob/master/LICENSE).

Source: CWT_Setup_1.2.0.4.exe (Malicious: false; Reputation: high)
  • https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU

Source: CWT_Setup_1.2.0.4.exe, 00000000.00000003.2856659534.0000000002600000.00000004.00001000.00020000.00000000.sdmp, CWT_Setup_1.2.0.4.exe, 00000000.00000003.2857077024.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, CWT_Setup_1.2.0.4.tmp, 00000002.00000000.2858899882.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-LCC49.tmp.2.dr, CWT_Setup_1.2.0.4.tmp.0.dr (Malicious: false; Reputation: high)
  • https://www.remobjects.com/ps
  • https://www.innosetup.com/

Source: CWT_Setup_1.2.0.4.tmp, 00000002.00000003.3917305861.0000000002684000.00000004.00001000.00020000.00000000.sdmp (Malicious: false; Avira URL Cloud: safe; Reputation: unknown)
  • http://unckel.de1Rh
  • http://unckel.deiRh
  • http://unckel.de32

Source: CWT_Setup_1.2.0.4.tmp, 00000002.00000003.2861172100.0000000003E70000.00000004.00001000.00020000.00000000.sdmp (Malicious: false; Avira URL Cloud: safe; Reputation: unknown)
  • http://unckel.de

Source: is-0EH5I.tmp.2.dr (Malicious: false; Avira URL Cloud: safe; Reputation: unknown)
  • http://unckel.de/tools/kalenderwoche/
  • http://unckel.de/tools/kalenderwoche
                                                          No contacted IP infos
                                                          Joe Sandbox version:42.0.0 Malachite
                                                          Analysis ID:1636133
                                                          Start date and time:2025-03-12 12:46:10 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 5m 57s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                                          Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
                                                          Run name:Potential for more IOCs and behavior
Number of new started processes analysed:22
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:CWT_Setup_1.2.0.4.exe
                                                          Detection:CLEAN
                                                          Classification:clean5.winEXE@5/9@0/0
                                                          EGA Information:Failed
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 13
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Exclude process from analysis (whitelisted): dllhost.exe, SystemSettingsBroker.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                                                          • Excluded IPs from analysis (whitelisted): 172.64.149.23, 104.18.38.233, 172.202.163.200, 2.21.65.132
                                                          • Excluded domains from analysis (whitelisted): www.bing.com, crt.comodoca.com.cdn.cloudflare.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com, crt.comodoca.com
                                                          • Execution Graph export aborted for target CWT.exe, PID 3800 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          No simulations
                                                          No context
Match: C:\Users\user\AppData\Local\Temp\is-2K1OS.tmp\_isetup\_setup64.tmp
Associated Sample Name / URL | Detection | Threat Name
Gogles-suter-x64.exe | malicious | MicroClip
PhonerLite.exe | malicious | GO Backdoor
PhonerLite.exe | malicious | GO Backdoor
https://teamsexes.s3.ap-northeast-1.amazonaws.com/Microsoft-Teams.exe | malicious | MicroClip
SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.exe | malicious | PrivateLoader
SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.exe | malicious | PrivateLoader
tacticalagent-v2.9.0-windows-amd64.exe | malicious | Unknown
StrikeLeague_Setup_patched.exe | malicious | LummaC Stealer
Setup64.exe | malicious | PureCrypter, AsyncRAT
Setup64.exe | malicious | PureCrypter, AsyncRAT
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp
                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):225792
                                                                              Entropy (8bit):2.3567788776854104
                                                                              Encrypted:false
                                                                              SSDEEP:768:1Qoj1azsssLQG0H5AF1nDusTEDusT+DusT+p1:Lj1azsss0H5AFdDTqDT0DT+p1
                                                                              MD5:A6577D54696DF01EF3F16B56FC3DBFE0
                                                                              SHA1:98E4FD31901A80C8C7508AB3A22DFF02B9FAB529
                                                                              SHA-256:DE08566F9F7693363371D01D4ABA273191EE37F7198DF5FC707A6A843439FCE8
                                                                              SHA-512:25FB15A92EDACDD01D9A1E7DDC717171D13E6158345E9BBEE66B2B2ADB40BA7145F9FAA8F1DFD827148B717B0AA4F62BC62FB6F185662FEBADC29EDDFEE2C24C
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Reputation:low
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3100733
                                                                              Entropy (8bit):6.354109446254771
                                                                              Encrypted:false
                                                                              SSDEEP:49152:cLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvRgI:IwSi0b67zeCzt0+yO3kSv
                                                                              MD5:287EC79590AB09F3BD3EFE30D0EEC313
                                                                              SHA1:9D46101AC58F13C47A14A6ACE88294B2E7600CD2
                                                                              SHA-256:F34644DAEAB6EF6EFE3DF99CA4C27F539A18BBFF9A3BB549A8EACEBB11072195
                                                                              SHA-512:01CA88040D22763064C3FD897426E40D7C5ABA7D4F97765D549E24C4D414BCB03DA6FB0CD0EAB603D503A70AF09AF85DFFBDC453A0C625B7577C0406F7E4F29D
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 2%
                                                                              Reputation:low
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp
                                                                              File Type:InnoSetup Log CWT {5D096A53-86D6-4960-8217-A86411D2216C}, version 0x418, 2062 bytes, 830021\37\user\376, C:\Users\user\AppData\Local\Programs\CWT\
                                                                              Category:dropped
                                                                              Size (bytes):2062
                                                                              Entropy (8bit):3.461248566040576
                                                                              Encrypted:false
                                                                              SSDEEP:48:CkHkkG6tkGrdCy1T7kG4kGedCyRdCyDbEIrxf0oxeUhc:9Hk2ZdC0H+QdCedCObEIrttHhc
                                                                              MD5:940C2C9B4E292D7A1AEED124801A1476
                                                                              SHA1:C8623B4FE21D158BBBC3735ADB936B72A4D2B1FC
                                                                              SHA-256:320D3566A7E4BFA3F55EFB1871C4991DC7E3FDFCDCC2440E89FEB1E6551E14C1
                                                                              SHA-512:CA9A9CD22DAF47E6A9F317E6B1999C7DB093997270323E1A4445D123DB937F55698B2FBA44CF1B5FEB8FBC95C1708450B0FFFBE95A931F27AC0C397A7488FBB2
                                                                              Malicious:false
Process: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.720366600008286
Encrypted: false
SSDEEP: 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA1: 019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512: 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Gogles-suter-x64.exe, Detection: malicious
• Filename: PhonerLite.exe, Detection: malicious
• Filename: PhonerLite.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.exe, Detection: malicious
• Filename: tacticalagent-v2.9.0-windows-amd64.exe, Detection: malicious
• Filename: StrikeLeague_Setup_patched.exe, Detection: malicious
• Filename: Setup64.exe, Detection: malicious
• Filename: Setup64.exe, Detection: malicious
Process: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3076608
Entropy (8bit): 6.36737955346238
Encrypted: false
SSDEEP: 49152:ELJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvRgL:QwSi0b67zeCzt0+yO3kSK
MD5: 364F9F267DF7A6152F89FED62E66DE53
SHA1: 133DDA7164C083555495EB94018073D0368F94A9
SHA-256: F198335F72C770067866301E645BA780B5C3627759888882FA6A4757544A0846
SHA-512: 074882877F6DE84B1AA93F6DDB48246F7103E9105DCB782C07C90F0699820401EFFCEB0CAF717660CC5E8F63A21C6AE05F8BC81A6C5158AFA265C5AFE2D3DA07
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 7%
Process: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Mar 12 10:49:07 2025, mtime=Wed Mar 12 10:49:07 2025, atime=Fri Mar 12 15:03:52 2021, length=225792, window=hide
Category: dropped
Size (bytes): 1200
Entropy (8bit): 4.896564928050088
Encrypted: false
SSDEEP: 24:8m8VPin6wRzKlyQ5+3A2MwZOGzkGOsD/Ykvsm:8m8VPinXRzKnHnwZOGzkG7YkU
MD5: E1B274FFF9D8F69C1F81C2A93715092E
SHA1: 60C52156EFF50213E457BBDA85C81BD098526FD9
SHA-256: 4D74E94F3DD92478E96AE88A6D42A2F1DD3445F3583EB137E2A00E9114050DAE
SHA-512: E119297F62140266370598707CE3EB7F52ED9915F4348D4EA5803ED7719DA543085ED1CADD842B628BBCD2987B15E43D994DC83517E7401AAEB8683342275B7A
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Mar 12 10:49:07 2025, mtime=Wed Mar 12 10:49:07 2025, atime=Fri Mar 12 15:03:52 2021, length=225792, window=hide
Category: dropped
Size (bytes): 1192
Entropy (8bit): 4.90700285760585
Encrypted: false
SSDEEP: 24:8mURPin6wRE/lyQ5+3A2MwZnGzkGOsD/Ykvsm:8mUPinXRE/nHnwZnGzkG7YkU
MD5: 0A2411CA4A219D8F8271CC9066BF35DF
SHA1: A3BFBC813CAB2A1CF544D8A07396BEF45CDBD04E
SHA-256: C318B77152DF41B2A660B406E9F810A263F9B1D3226F6FFF277E67459F75F913
SHA-512: 9F03435E62774BF31C75F1A50BC747E35390291142CD88865CCC2BB4167745B9B7722AABC1356A65CFFF045CF0EE533EE3BADAF50915F02B0F1D9D721AFF853D
Malicious: false
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.394676629680096
TrID:
• Win32 Executable (generic) a (10002005/4) 98.45%
• Inno Setup installer (109748/4) 1.08%
• Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
File name: CWT_Setup_1.2.0.4.exe
File size: 1'660'532 bytes
MD5: 47c63e4dd2fe278f49cc6ae6805a8629
SHA1: 834ab8124673efebb57920c62f6f4a4dcdad2a38
SHA256: 458cbf4b498e7c65fd565086da63b5950f2b9662525172abec15f0516141a9cb
SHA512: 80784aecbea4d4388956842cab0f5e3fd4edb8f560f9f43360d529e07bf0d35bfefddd1463f7040232d6b5c7d750e93f23b01c5d0e4794de469548a75f5cb26b
SSDEEP: 24576:y4nXubIQGyxbPV0db26XudMTl3PIvgNEMXdApGqHYeSbBa8k+/nfN1y:yqe3f6jbpKMXFqHYda8XfNU
TLSH: 2C757D2BF258AD3EC45A0E3D8572D2A0597B6E51E41ACF1B07E03D0CEBF64601E3AE55
Icon Hash: 072954d2f245338f
Entrypoint: 0x4b5eec
Entrypoint Section: .itext
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x5FB0F96E [Sun Nov 15 09:48:30 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 5a594319a0d69dbc452e748bcf05892e
Instruction (disassembly at entrypoint 0x4b5eec):
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B10F0h
call 00007FFAB0795365h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007FFAB0837A8Fh
call 00007FFAB08375E2h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FFAB07AADD8h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007FFAB078FF57h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004237A4h]
call 00007FFAB07ABE3Fh
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FFAB0837B17h
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FFAB083E0FAh
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007FFAB07AC734h
mov edx, dword ptr [004C1D90h]
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xf36 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x13b88 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22e4 | 0x244 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb361c | 0xb3800 | ad6e46e3a3acdb533eb6a077f6d065af | False | 0.3448639341051532 | data | 6.356058204328091 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xb5000 | 0x1688 | 0x1800 | d40fc822339d01f2abcc5493ac101c94 | False | 0.544921875 | data | 5.972750055221053 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xb7000 | 0x37a4 | 0x3800 | 4c195d5591f6d61265df08a3733de3a2 | False | 0.36097935267857145 | data | 5.044400562007734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xc2000 | 0xf36 | 0x1000 | a73d686f1e8b9bb06ec767721135e397 | False | 0.3681640625 | data | 4.8987046479600425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xc3000 | 0x1a4 | 0x200 | 41b8ce23dd243d14beebc71771885c89 | False | 0.345703125 | data | 2.7563628682496506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xc4000 | 0x9a | 0x200 | 37c1a5c63717831863e018c0f51dabb7 | False | 0.2578125 | data | 1.8722228665884297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc7000 | 0x13b88 | 0x13c00 | 67efff3e5be516ed7e5295223f1f1a74 | False | 0.09468947784810126 | data | 2.5507635438447025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc7438 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m | English | United States | 0.04723175204069561
RT_STRING | 0xd7c60 | 0x360 | data | | | 0.34375
RT_STRING | 0xd7fc0 | 0x260 | data | | | 0.3256578947368421
RT_STRING | 0xd8220 | 0x45c | data | | | 0.4068100358422939
RT_STRING | 0xd867c | 0x40c | data | | | 0.3754826254826255
RT_STRING | 0xd8a88 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xd8d5c | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xd8e14 | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xd8eb0 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xd9224 | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xd95bc | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xd9924 | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xd9bc8 | 0x10 | data | | | 1.5
RT_RCDATA | 0xd9bd8 | 0x2c4 | data | | | 0.6384180790960452
RT_RCDATA | 0xd9e9c | 0x2c | data | | | 1.1590909090909092
RT_GROUP_ICON | 0xd9ec8 | 0x14 | data | English | United States | 1.15
RT_VERSION | 0xd9edc | 0x584 | data | English | United States | 0.273371104815864
RT_MANIFEST | 0xda460 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4005464480874317
Imports (DLL: imported functions):
kernel32.dll: GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll: InitCommonControls
version.dll: GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll: CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll: SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll: NetWkstaGetInfo, NetApiBufferFree
advapi32.dll: RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
                                                                              NameOrdinalAddress
                                                                              TMethodImplementationIntercept30x454060
                                                                              __dbk_fcall_wrapper20x40d0a0
                                                                              dbkFCallWrapperAddr10x4be63c
                                                                              DescriptionData
                                                                              CommentsThis installation was built with Inno Setup.
                                                                              CompanyNameMike Unckel & Dominik Hasenkopf
                                                                              FileDescriptionCWT Setup
                                                                              FileVersion
                                                                              LegalCopyright
                                                                              OriginalFileName
                                                                              ProductNameCWT
                                                                              ProductVersion1.2.0.4
                                                                              Translation0x0000 0x04b0
                                                                              Language of compilation systemCountry where language is spokenMap
                                                                              EnglishUnited States
                                                                              No network behavior found

Target ID: 0
Start time: 07:47:22
Start date: 12/03/2025
Path: C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe"
Imagebase: 0x400000
File size: 1'660'532 bytes
MD5 hash: 47C63E4DD2FE278F49CC6AE6805A8629
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 2
Start time: 07:47:23
Start date: 12/03/2025
Path: C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-T8RL2.tmp\CWT_Setup_1.2.0.4.tmp" /SL5="$90088,853778,843264,C:\Users\user\Desktop\CWT_Setup_1.2.0.4.exe"
Imagebase: 0x400000
File size: 3'076'608 bytes
MD5 hash: 364F9F267DF7A6152F89FED62E66DE53
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 7%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 18
Start time: 07:49:08
Start date: 12/03/2025
Path: C:\Users\user\AppData\Local\Programs\CWT\CWT.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Programs\CWT\CWT.exe"
Imagebase: 0x70000
File size: 225'792 bytes
MD5 hash: A6577D54696DF01EF3F16B56FC3DBFE0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Executed Functions
