Windows Analysis Report
!!SetUp_2244_PassW0rds$.zip

Overview

General Information

Sample name: !!SetUp_2244_PassW0rds$.zip
Analysis ID: 1500439
MD5: e9ce58b884143acee5f004128d1fae65
SHA1: 899a0b621b6d19da304675ac38d5d47d00e9f511
SHA256: 071b8b38b57d457b42a7bcfb6779e602f37f75e588dbdbe731cab784fcd06505

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
LummaC encrypted strings found
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 3704 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • Setup.exe (PID: 6108 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe" MD5: 850A43E323656B86AE665D8B4FD71369)
    • StrCmp.exe (PID: 3684 cmdline: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exe MD5: 916D7425A559AAA77F640710A65F9182)
    • more.com (PID: 6888 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SearchIndexer.exe (PID: 6268 cmdline: C:\Windows\SysWOW64\SearchIndexer.exe MD5: CF7BEFBA5E20F2F4C7851D016067B89C)
        • WerFault.exe (PID: 5320 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6268 -s 396 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • Setup.exe (PID: 6256 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe" MD5: 850A43E323656B86AE665D8B4FD71369)
    • more.com (PID: 6252 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
      • conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SearchIndexer.exe (PID: 1060 cmdline: C:\Windows\SysWOW64\SearchIndexer.exe MD5: CF7BEFBA5E20F2F4C7851D016067B89C)
        • WerFault.exe (PID: 3596 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 396 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • Setup.exe (PID: 2280 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 850A43E323656B86AE665D8B4FD71369)
    • more.com (PID: 3648 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
      • conhost.exe (PID: 3068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SearchIndexer.exe (PID: 4516 cmdline: C:\Windows\SysWOW64\SearchIndexer.exe MD5: CF7BEFBA5E20F2F4C7851D016067B89C)
        • WerFault.exe (PID: 3744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 212 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • Setup.exe (PID: 6896 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 850A43E323656B86AE665D8B4FD71369)
    • more.com (PID: 3488 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
      • conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SearchIndexer.exe (PID: 4252 cmdline: C:\Windows\SysWOW64\SearchIndexer.exe MD5: CF7BEFBA5E20F2F4C7851D016067B89C)
        • WerFault.exe (PID: 2712 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 384 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["stagedchheiqwo.shop", "evoliutwoqm.shop", "condedqpwqm.shop", "stamppreewntnq.shop", "millyscroqwp.shop", "caffegclasiqwp.shop"], "Build id": "MeHdy4--pl1vs1"}
Source: decrypted.memstr
Rule: JoeSecurity_LummaCStealer_2
Description: Yara detected LummaC Stealer
Author: Joe Security
Strings:
    No Sigma rule has matched
    No Suricata rule has matched

    AV Detection

    Source: caffegclasiqwp.shop | Avira URL Cloud: Label: malware
    Source: condedqpwqm.shop | Avira URL Cloud: Label: phishing
    Source: stagedchheiqwo.shop | Avira URL Cloud: Label: phishing
    Source: stamppreewntnq.shop | Avira URL Cloud: Label: phishing
    Source: C:\Users\user\AppData\Local\Temp\ohj | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
    Source: C:\Users\user\AppData\Local\Temp\dqgis | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
    Source: C:\Users\user\AppData\Local\Temp\vtesbhvscpflt | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
    Source: C:\Users\user\AppData\Local\Temp\fpmss | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
    Source: SearchIndexer.exe.1060.23.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["stagedchheiqwo.shop", "evoliutwoqm.shop", "condedqpwqm.shop", "stamppreewntnq.shop", "millyscroqwp.shop", "caffegclasiqwp.shop"], "Build id": "MeHdy4--pl1vs1"}
    Source: caffegclasiqwp.shop | Virustotal: Detection: 20%
    Source: condedqpwqm.shop | Virustotal: Detection: 17%
    Source: stagedchheiqwo.shop | Virustotal: Detection: 17%
    Source: stamppreewntnq.shop | Virustotal: Detection: 17%
    Source: !!SetUp_2244_PassW0rds$.zip | Virustotal: Detection: 61%
    Source: C:\Users\user\AppData\Local\Temp\ohj | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Temp\dqgis | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Temp\vtesbhvscpflt | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Temp\fpmss | Joe Sandbox ML: detected
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: caffegclasiqwp.shop
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: stamppreewntnq.shop
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: stagedchheiqwo.shop
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: millyscroqwp.shop
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: evoliutwoqm.shop
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: condedqpwqm.shop
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: traineiwnqo.shop
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: locatedblsoqp.shop
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: shadowqsnqop.shop
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
    Source: 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | String decryptor: MeHdy4--pl1vs1
    Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\host_release\flutter_windows.dll.pdb source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.dr
    Source: Binary string: ntdll.pdb source: Setup.exe, 0000000C.00000002.1424868142.000001DD41EB0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.1424214442.000001DD41ABC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdbUGP source: more.com, 0000000E.00000002.1574162025.0000000004322000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1576088788.0000000004680000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdbUGP source: Setup.exe, 0000000C.00000002.1424868142.000001DD41EB0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.1424214442.000001DD41ABC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: more.com, 0000000E.00000002.1574162025.0000000004322000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1576088788.0000000004680000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: gpapi.pdb source: more.com, 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000010.00000002.1623238842.000000000097F000.00000008.00000001.01000000.00000000.sdmp, ohj.18.dr, dqgis.30.dr, vtesbhvscpflt.35.dr, fpmss.14.dr
    Source: Binary string: gpapi.pdbUGP source: more.com, 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000010.00000002.1623238842.000000000097F000.00000008.00000001.01000000.00000000.sdmp, ohj.18.dr, dqgis.30.dr, vtesbhvscpflt.35.dr, fpmss.14.dr

    Networking

    Source: Malware configuration extractor | URLs: stagedchheiqwo.shop
    Source: Malware configuration extractor | URLs: evoliutwoqm.shop
    Source: Malware configuration extractor | URLs: condedqpwqm.shop
    Source: Malware configuration extractor | URLs: stamppreewntnq.shop
    Source: Malware configuration extractor | URLs: millyscroqwp.shop
    Source: Malware configuration extractor | URLs: caffegclasiqwp.shop
    Source: Setup.exe, 0000000C.00000002.1423530742.000001DD41770000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://c0rl.m%L
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/1094869
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/110263
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/1144207
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/1171371
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/1181068
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/1181193
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/1420130
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/1434317
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/1456243
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/308366
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/403957
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/550292
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/565179
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/642227
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/642605
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/644669
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/650547
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/672380
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/709351
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/797243
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/809422
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/830046
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/849576
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/883276
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/927470
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/941620
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://crbug.com/941620allowTranslateUniformBlockToStructuredBufferThere
    Source: StrCmp.exe.12.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
    Source: StrCmp.exe.12.drString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
    Source: StrCmp.exe.12.drString found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
    Source: StrCmp.exe.12.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
    Source: StrCmp.exe.12.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
    Source: Setup.exe, 0000000C.00000003.1407535173.000001DD41845000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com
    Source: Setup.exe, 0000000C.00000003.1406944642.000001DD3F412000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1405231073.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1407267999.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1407329097.000001DD3F412000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1400892792.000001DD420B0000.00000004.00000001.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1406881575.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001D.00000003.2062294663.000001B2C9A66000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2154624325.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2155473386.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2155844822.0000013D404B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2154987708.0000013D404B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2153747812.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, uni_links_desktop_plugin.dll.12.dr, window_manager_plugin.dll.12.dr, desktop_drop_plugin.dll.12.dr, flutter_windows.dll.12.dr, desktop_multi_window_plugin.dll.12.dr, window_size_plugin.dll.12.dr, url_launcher_windows_plugin.dll.12.dr, flutter_custom_cursor_plugin.dll.12.dr, file_selector_windows_plugin.dll.12.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
    Source: Setup.exe, 0000000C.00000003.1406944642.000001DD3F412000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1405231073.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1407267999.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1407329097.000001DD3F412000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1400892792.000001DD420B0000.00000004.00000001.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1406881575.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001D.00000003.2062294663.000001B2C9A66000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2154624325.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2155473386.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2155844822.0000013D404B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2154987708.0000013D404B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2153747812.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2156220441.0000013D427F8000.00000004.00000020.00020000.00000000.sdmp, uni_links_desktop_plugin.dll.12.dr, window_manager_plugin.dll.12.dr, desktop_drop_plugin.dll.12.dr, flutter_windows.dll.12.dr, desktop_multi_window_plugin.dll.12.dr, window_size_plugin.dll.12.dr, url_launcher_windows_plugin.dll.12.dr, flutter_custom_cursor_plugin.dll.12.drString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: Setup.exe, 0000000C.00000003.1406944642.000001DD3F412000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1405231073.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1407267999.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1407329097.000001DD3F412000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1400892792.000001DD420B0000.00000004.00000001.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1406881575.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001D.00000003.2062294663.000001B2C9A66000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2154624325.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2155473386.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2155844822.0000013D404B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2154987708.0000013D404B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2153747812.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, uni_links_desktop_plugin.dll.12.dr, window_manager_plugin.dll.12.dr, desktop_drop_plugin.dll.12.dr, flutter_windows.dll.12.dr, desktop_multi_window_plugin.dll.12.dr, window_size_plugin.dll.12.dr, url_launcher_windows_plugin.dll.12.dr, flutter_custom_cursor_plugin.dll.12.dr, file_selector_windows_plugin.dll.12.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
    Source: Setup.exe, 0000000C.00000003.1406944642.000001DD3F412000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1405231073.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1407267999.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1407329097.000001DD3F412000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1400892792.000001DD420B0000.00000004.00000001.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1406881575.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001D.00000003.2062294663.000001B2C9A66000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2154624325.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2155473386.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2155844822.0000013D404B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2154987708.0000013D404B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2153747812.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2156220441.0000013D427F8000.00000004.00000020.00020000.00000000.sdmp, uni_links_desktop_plugin.dll.12.dr, window_manager_plugin.dll.12.dr, desktop_drop_plugin.dll.12.dr, flutter_windows.dll.12.dr, desktop_multi_window_plugin.dll.12.dr, window_size_plugin.dll.12.dr, url_launcher_windows_plugin.dll.12.dr, flutter_custom_cursor_plugin.dll.12.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://issuetracker.google.com/200067929
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://labs.creativecommons.org/licenses/zero-waive/1.0/us/legalcodeRegularVersion
    Source: Setup.exe, 0000000C.00000002.1423530742.000001DD41770000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocs(p.g
    Source: Setup.exe, 0000000C.00000002.1423530742.000001DD41770000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0L
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
    Source: StrCmp.exe.12.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
    Source: StrCmp.exe.12.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
    Source: StrCmp.exe.12.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
    Source: StrCmp.exe.12.drString found in binary or memory: http://ocsp.globalsign.com/rootr30;
    Source: screen_retriever_plugin.dll.12.drString found in binary or memory: http://ocsp.sectigo.com0
    Source: Setup.exe, 0000000C.00000002.1423530742.000001DD41770000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr30
    Source: StrCmp.exe.12.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
    Source: StrCmp.exe.12.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
    Source: StrCmp.exe.12.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
    Source: StrCmp.exe.12.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
    Source: StrCmp.exe.12.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
    Source: StrCmp.exe.12.drString found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
    Source: Amcache.hve.42.drString found in binary or memory: http://upx.sf.net
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
    Source: Setup.exe, Setup.exe, 0000000C.00000002.1423842298.000001DD41977000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: http://www.w3c.orghttp://dev.w3.org/CSS/fonts/ahem/COPYING
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/4674
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/4830
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/4849
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/4966
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/5140
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/5536
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/5845
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/6574
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7161
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7162
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7246
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7246enableCaptureLimitsSet
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7308
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7319
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7320
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7369
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7382
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7405
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7489
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7604
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7714
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7847
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://anglebug.com/7899
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://chromium.googlesource.com/angle/angle/
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/1042393
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/1046462
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/1060012
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/1091824
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/1137851
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/1300575
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/1356053
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/593024
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/593024selectViewInGeometryShaderThe
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/650547
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/650547callClearTwiceUsing
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/655534
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/655534useSystemMemoryForConstantBuffersCopying
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/705865
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/710443
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/811661
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://crbug.com/848952
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
    Source: flutter_windows.dll.12.drString found in binary or memory: https://dartbug.com/52121.
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://dartbug.com/52121.Dart_WaitForEventwaitForEventSync
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://dartbug.com/52121.enable_deprecated_wait_fordart::../../third_party/dart/runtime/vm/dart_api
    Source: flutter_windows.dll.12.drString found in binary or memory: https://github.com/dart-lang/sdk/blob/master/runtime/docs/compiler/aot/entry_point_pragma.md
    Source: flutter_windows.dll.12.drString found in binary or memory: https://github.com/flutter/flutter/issues.
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://github.com/flutter/flutter/issues.Invalid
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/161903006
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/166809097
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/184850002
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/187425444
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/220069903
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/220069903emulatePixelLocalStorageEmulate
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/229267970
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/250706693
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/253522366
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/255411748
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/258207403
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/274859104
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/284462263
    Source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drString found in binary or memory: https://issuetracker.google.com/issues/166475273
    Source: Setup.exe, 0000000C.00000003.1406944642.000001DD3F412000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1405231073.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1407267999.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1407329097.000001DD3F412000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1400892792.000001DD420B0000.00000004.00000001.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1407535173.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000003.1406881575.000001DD41845000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001D.00000003.2062294663.000001B2C9A66000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2154624325.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2155473386.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2155844822.0000013D404B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2154987708.0000013D404B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2153747812.0000013D427F5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000022.00000003.2156220441.0000013D427F8000.00000004.00000020.00020000.00000000.sdmp, uni_links_desktop_plugin.dll.12.dr, window_manager_plugin.dll.12.dr, desktop_drop_plugin.dll.12.dr, flutter_windows.dll.12.dr, desktop_multi_window_plugin.dll.12.dr, window_size_plugin.dll.12.dr, url_launcher_windows_plugin.dll.12.drString found in binary or memory: https://sectigo.com/CPS0
    Source: Setup.exe, 0000000C.00000002.1423530742.000001DD41770000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.c
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
    Source: StrCmp.exe.12.drString found in binary or memory: https://www.globalsign.com/repository/0
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_000001DD41750D31 NtResumeThread,12_2_000001DD41750D31
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_000001DD41977198 NtSuspendThread,12_2_000001DD41977198
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 17_2_000001FBD9C6A198 NtSuspendThread,17_2_000001FBD9C6A198
    Source: C:\Users\user\Desktop\Setup.exeCode function: 29_2_000001B2CBF85198 NtSuspendThread,29_2_000001B2CBF85198
    Source: C:\Users\user\Desktop\Setup.exeCode function: 34_2_0000013D42922198 NtSuspendThread,34_2_0000013D42922198
    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exe 118DE01FB498E81EAB4ADE980A621AF43B52265A9FCBAE5DEDC492CDF8889F35
    Source: C:\Windows\SysWOW64\SearchIndexer.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6268 -s 396
    Source: StrCmp.exeBinary or memory string: @*\AE:\Eigene Dateien\VB-Zeugs\Projekte\K700 Manager\Bluetooth Daemon\AsyncStartDemo.vbp
    Source: Setup.exe, 0000000C.00000002.1423842298.000001DD419CD000.00000004.00000020.00020000.00000000.sdmp, StrCmp.exe, 0000000D.00000000.1408743392.0000000000401000.00000020.00000001.01000000.00000015.sdmp, StrCmp.exe, 0000000D.00000002.1444380121.0000000000401000.00000020.00000001.01000000.00000015.sdmp, more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmp, StrCmp.exe.12.drBinary or memory string: @`@*\AE:\Eigene Dateien\VB-Zeugs\Projekte\K700 Manager\Bluetooth Daemon\AsyncStartDemo.vbp
    Source: classification engineClassification label: mal100.troj.evad.winZIP@31/40@0/0
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeFile created: C:\Users\user\AppData\Roaming\Pluginsig
    Source: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exeMutant created: NULL
    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1060
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4252
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3068:120:WilError_03
    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4516
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6268
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\2866274d
    Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    Source: !!SetUp_2244_PassW0rds$.zipVirustotal: Detection: 61%
    Source: Setup.exeString found in binary or memory: more-help
    Source: Setup.exeString found in binary or memory: wild-stop-dirs
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeFile read: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\dorhncv
    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe "C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe"
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeProcess created: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exe C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exe
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeProcess created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe "C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe"
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeProcess created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\SearchIndexer.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6268 -s 396
    Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
    Source: C:\Windows\SysWOW64\SearchIndexer.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 396
    Source: unknownProcess created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
    Source: C:\Users\user\Desktop\Setup.exeProcess created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
    Source: C:\Users\user\Desktop\Setup.exeProcess created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
    Source: C:\Windows\SysWOW64\SearchIndexer.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 212
    Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
    Source: C:\Windows\SysWOW64\SearchIndexer.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 384
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: desktop_drop_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: desktop_multi_window_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: file_selector_windows_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: flutter_custom_cursor_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: flutter_gpu_texture_renderer_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: screen_retriever_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: texture_rgba_renderer_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: uni_links_desktop_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: url_launcher_windows_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: window_manager_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: window_size_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: flutter_windows.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: dwmapi.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: iphlpapi.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: winmm.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: opengl32.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: oleacc.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: uiautomationcore.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: propsys.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: dxgi.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: d3d9.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: windows.storage.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: wldp.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: cryptbase.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: glu32.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: dbghelp.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: pla.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: pdh.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: tdh.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: cabinet.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: wevtapi.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: shdocvw.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: ntmarta.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: winhttp.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: apphelp.dll
    Source: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exeSection loaded: apphelp.dll
    Source: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exeSection loaded: msvbvm60.dll
    Source: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exeSection loaded: vb6zz.dll
    Source: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exeSection loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exeSection loaded: uxtheme.dll
    Source: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exeSection loaded: textshaping.dll
    Source: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exeSection loaded: textinputframework.dll
    Source: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exeSection loaded: coreuicomponents.dll
    Source: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exeSection loaded: coremessaging.dll
    Source: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exeSection loaded: ntmarta.dll
    Source: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exeSection loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\more.comSection loaded: ulib.dll
    Source: C:\Windows\SysWOW64\more.comSection loaded: fsutilext.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: tquery.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: mssrch.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: cryptdll.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: esent.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: shdocvw.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: desktop_drop_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: desktop_multi_window_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: file_selector_windows_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: flutter_custom_cursor_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: flutter_gpu_texture_renderer_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: screen_retriever_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: texture_rgba_renderer_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: uni_links_desktop_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: url_launcher_windows_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: window_manager_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: window_size_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: flutter_windows.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: url_launcher_windows_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: window_size_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: texture_rgba_renderer_plugin.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: flutter_windows.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: flutter_windows.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: opengl32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: oleacc.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: uiautomationcore.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: d3d9.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: glu32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: pla.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: pdh.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: tdh.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: wevtapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: shdocvw.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\more.comSection loaded: ulib.dllJump to behavior
    Source: C:\Windows\SysWOW64\more.comSection loaded: fsutilext.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: tquery.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: mssrch.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: cryptdll.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: esent.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: shdocvw.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: desktop_drop_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: desktop_multi_window_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: file_selector_windows_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: flutter_custom_cursor_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: flutter_gpu_texture_renderer_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: screen_retriever_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: texture_rgba_renderer_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: uni_links_desktop_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: url_launcher_windows_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: window_manager_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: window_size_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: flutter_windows.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: url_launcher_windows_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: window_size_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: texture_rgba_renderer_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: flutter_windows.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: flutter_windows.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: opengl32.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: oleacc.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: uiautomationcore.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: d3d9.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: glu32.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: pla.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: pdh.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: tdh.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: wevtapi.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: shdocvw.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\more.comSection loaded: ulib.dllJump to behavior
    Source: C:\Windows\SysWOW64\more.comSection loaded: fsutilext.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: desktop_drop_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: desktop_multi_window_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: file_selector_windows_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: flutter_custom_cursor_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: flutter_gpu_texture_renderer_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: screen_retriever_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: texture_rgba_renderer_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: uni_links_desktop_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: url_launcher_windows_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: window_manager_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: window_size_plugin.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: flutter_windows.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: flutter_windows.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: opengl32.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: oleacc.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: uiautomationcore.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: d3d9.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: glu32.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: pla.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: pdh.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: tdh.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: wevtapi.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: shdocvw.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\Desktop\Setup.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\more.comSection loaded: ulib.dllJump to behavior
    Source: C:\Windows\SysWOW64\more.comSection loaded: fsutilext.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: tquery.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: mssrch.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: tquery.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: cryptdll.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: cryptdll.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: esent.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: shdocvw.dllJump to behavior
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: tquery.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: mssrch.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: cryptdll.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: cryptdll.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: esent.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\SearchIndexer.exeSection loaded: shdocvw.dll
    Source: Window Recorder, Window detected: More than 3 window changes detected
    Source: !!SetUp_2244_PassW0rds$.zip, Static file information: File size 27132933 > 1048576
    Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\host_release\flutter_windows.dll.pdb source: Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.dr
    Source: Binary string: ntdll.pdb source: Setup.exe, 0000000C.00000002.1424868142.000001DD41EB0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.1424214442.000001DD41ABC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdbUGP source: more.com, 0000000E.00000002.1574162025.0000000004322000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1576088788.0000000004680000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdbUGP source: Setup.exe, 0000000C.00000002.1424868142.000001DD41EB0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.1424214442.000001DD41ABC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: more.com, 0000000E.00000002.1574162025.0000000004322000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000E.00000002.1576088788.0000000004680000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: gpapi.pdb source: more.com, 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000010.00000002.1623238842.000000000097F000.00000008.00000001.01000000.00000000.sdmp, ohj.18.dr, dqgis.30.dr, vtesbhvscpflt.35.dr, fpmss.14.dr
    Source: Binary string: gpapi.pdbUGP source: more.com, 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000010.00000002.1623238842.000000000097F000.00000008.00000001.01000000.00000000.sdmp, ohj.18.dr, dqgis.30.dr, vtesbhvscpflt.35.dr, fpmss.14.dr
    Source: dqgis.30.dr, Static PE information: real checksum: 0x0 should be: 0x5f96c
    Source: fpmss.14.dr, Static PE information: real checksum: 0x0 should be: 0x5f96c
    Source: flutter_gpu_texture_renderer_plugin.dll.12.dr, Static PE information: real checksum: 0x56a83 should be: 0x5f1f7
    Source: vtesbhvscpflt.35.dr, Static PE information: real checksum: 0x0 should be: 0x5f96c
    Source: ohj.18.dr, Static PE information: real checksum: 0x0 should be: 0x5f96c
    Source: flutter_windows.dll.12.dr, Static PE information: section name: _RDATA
    Source: fpmss.14.dr, Static PE information: section name: wcstg
    Source: ohj.18.dr, Static PE information: section name: wcstg
    Source: dqgis.30.dr, Static PE information: section name: wcstg
    Source: vtesbhvscpflt.35.dr, Static PE information: section name: wcstg
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_0000001A54AFCE42 push ecx; retf 12_2_0000001A54AFCE49
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_0000001A54AFD002 push ecx; retf 12_2_0000001A54AFD009
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_0000001A54AFA47F push ecx; retf 12_2_0000001A54AFA489
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_0000001A54AFAA8F push ecx; retf 12_2_0000001A54AFAA99
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_0000001A54AFAB0F push ecx; retf 12_2_0000001A54AFAB19
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_0000001A54AFE020 pushad ; retf 12_2_0000001A54AFE021
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_0000001A54AFA8F2 push ecx; retf 12_2_0000001A54AFA8F9
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_000001DD3F3D7772 push esi; iretd 12_2_000001DD3F3D7773
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_000001DD3F3CDC70 pushad ; retf 12_2_000001DD3F3CDC71
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_000001DD3F3D19E3 push eax; iretd 12_2_000001DD3F3D1A31
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_000001DD3F3D510B push eax; ret 12_2_000001DD3F3D512A
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_000001DD41755F5C pushfd ; retf 12_2_000001DD41755F5D
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_000001DD41756023 push esi; ret 12_2_000001DD41756025
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_000001DD4199D131 push 3B0CC483h; ret 12_2_000001DD4199D136
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 12_2_000001DD419ACABF push eax; ret 12_2_000001DD419ACAED
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 17_2_00000089612FE410 pushad ; retf 17_2_00000089612FE411
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 17_2_00000089612FB920 push ecx; retf 17_2_00000089612FB929
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 17_2_00000089612FA86F push ecx; retf 17_2_00000089612FA879
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 17_2_00000089612FD3EF push ecx; retf 17_2_00000089612FD3F9
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 17_2_000001FBD76205C0 push eax; ret 17_2_000001FBD76205C1
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 17_2_000001FBD9A47473 push esi; ret 17_2_000001FBD9A47475
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exeCode function: 17_2_000001FBD9A473AC pushfd ; retf 17_2_000001FBD9A473AD
    Source: C:\Users\user\Desktop\Setup.exeCode function: 29_2_0000000A9C1AD31F push ecx; retf 29_2_0000000A9C1AD329
    Source: C:\Users\user\Desktop\Setup.exeCode function: 29_2_0000000A9C1ABA0F push FFFFFFEAh; retf 29_2_0000000A9C1ABA3B
    Source: C:\Users\user\Desktop\Setup.exeCode function: 29_2_0000000A9C1ABA3C push FFFFFFEAh; retf 29_2_0000000A9C1ABA53
    Source: C:\Users\user\Desktop\Setup.exeCode function: 29_2_0000000A9C1AE340 pushad ; retf 29_2_0000000A9C1AE341
    Source: C:\Users\user\Desktop\Setup.exeCode function: 29_2_0000000A9C1AB84F push ecx; retf 29_2_0000000A9C1AB859
    Source: C:\Users\user\Desktop\Setup.exeCode function: 29_2_0000000A9C1ABA70 push FFFFFFEAh; retf 29_2_0000000A9C1ABA93
    Source: C:\Users\user\Desktop\Setup.exeCode function: 29_2_000001B2C99EC189 push eax; retf 29_2_000001B2C99EC2E1
    Source: C:\Users\user\Desktop\Setup.exeCode function: 29_2_000001B2C99ECB9A push eax; retf 29_2_000001B2C99ECBD9
    Source: C:\Users\user\Desktop\Setup.exeCode function: 29_2_000001B2C99ECF1A push eax; retf 29_2_000001B2C99ECF59
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe, File created: C:\Users\user\AppData\Roaming\Pluginsig\window_manager_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe, File created: C:\Users\user\AppData\Roaming\Pluginsig\desktop_multi_window_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe, File created: C:\Users\user\AppData\Roaming\Pluginsig\flutter_windows.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe, File created: C:\Users\user\AppData\Roaming\Pluginsig\url_launcher_windows_plugin.dll
    Source: C:\Windows\SysWOW64\more.com, File created: C:\Users\user\AppData\Local\Temp\ohj
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe, File created: C:\Users\user\AppData\Roaming\Pluginsig\desktop_drop_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe, File created: C:\Users\user\AppData\Roaming\Pluginsig\flutter_custom_cursor_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe, File created: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exe
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe, File created: C:\Users\user\AppData\Roaming\Pluginsig\uni_links_desktop_plugin.dll
    Source: C:\Windows\SysWOW64\more.com, File created: C:\Users\user\AppData\Local\Temp\dqgis
    Source: C:\Windows\SysWOW64\more.com, File created: C:\Users\user\AppData\Local\Temp\vtesbhvscpflt
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe, File created: C:\Users\user\AppData\Roaming\Pluginsig\file_selector_windows_plugin.dll
    Source: C:\Windows\SysWOW64\more.com, File created: C:\Users\user\AppData\Local\Temp\fpmss
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe, File created: C:\Users\user\AppData\Roaming\Pluginsig\flutter_gpu_texture_renderer_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe, File created: C:\Users\user\AppData\Roaming\Pluginsig\texture_rgba_renderer_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe, File created: C:\Users\user\AppData\Roaming\Pluginsig\screen_retriever_plugin.dll
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe, File created: C:\Users\user\AppData\Roaming\Pluginsig\window_size_plugin.dll

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\SysWOW64\more.com, Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\FPMSS
    Source: C:\Windows\SysWOW64\more.com, Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\OHJ
    Source: C:\Windows\SysWOW64\more.com, Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\DQGIS
    Source: C:\Windows\SysWOW64\more.com, Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\VTESBHVSCPFLT
    Source: C:\Windows\System32\rundll32.exe, Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exe, Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\SysWOW64\more.com API/Special instruction interceptor: Address: 6C933B54
    Source: C:\Windows\SysWOW64\SearchIndexer.exe API/Special instruction interceptor: Address: B3DC57
    Source: C:\Windows\SysWOW64\more.com API/Special instruction interceptor: Address: 6CC23B54
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe Code function: 12_2_000001DD3F3D2750 sldt word ptr [eax]
    Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ohj
    Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dqgis
    Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vtesbhvscpflt
    Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fpmss
    Source: flutter_windows.dll.12.dr Binary or memory string: (IsLinux() && isVMWare) || (IsAndroid() && isNvidia) || (IsAndroid() && GetAndroidSdkLevel() < 27 && IsAdreno5xxOrOlder(functions)) || (!isMesa && IsMaliT8xxOrOlder(functions)) || (!isMesa && IsMaliG31OrOlder(functions))
    Source: flutter_windows.dll.12.dr Binary or memory string: VMware
    Source: Amcache.hve.42.dr Binary or memory string: VMware Virtual USB Mouse
    Source: more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
    Source: Amcache.hve.42.dr Binary or memory string: vmci.syshbin
    Source: Amcache.hve.42.dr Binary or memory string: VMware, Inc.
    Source: more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
    Source: Amcache.hve.42.dr Binary or memory string: VMware20,1hbin@
    Source: Amcache.hve.42.dr Binary or memory string: VMware-42 27 c8 0c e4 52 1d cc-a0 8f d3 a4 82 3e 8f 04
    Source: Amcache.hve.42.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
    Source: Amcache.hve.42.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.42.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
    Source: more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
    Source: Amcache.hve.42.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
    Source: more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
    Source: Amcache.hve.42.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
    Source: Amcache.hve.42.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.42.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: flutter_windows.dll.12.dr Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
    Source: Amcache.hve.42.dr Binary or memory string: vmci.sys
    Source: more.com, 0000000E.00000002.1572211498.0000000000A67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
    Source: Amcache.hve.42.dr Binary or memory string: vmci.syshbin`
    Source: Amcache.hve.42.dr Binary or memory string: \driver\vmci,\driver\pci
    Source: Amcache.hve.42.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.42.dr Binary or memory string: VMware20,1
    Source: Amcache.hve.42.dr Binary or memory string: Microsoft Hyper-V Generation Counter
    Source: Amcache.hve.42.dr Binary or memory string: NECVMWar VMware SATA CD00
    Source: Amcache.hve.42.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
    Source: flutter_windows.dll.12.dr Binary or memory string: IIBroadcomGoogleMesaMicrosoftSamsung Electronics Co., Ltd.VivanteVMwareVirtIOTest
    Source: Amcache.hve.42.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
    Source: Amcache.hve.42.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Source: Amcache.hve.42.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
    Source: Amcache.hve.42.dr Binary or memory string: VMware PCI VMCI Bus Device
    Source: Amcache.hve.42.dr Binary or memory string: VMware VMCI Bus Device
    Source: Amcache.hve.42.dr Binary or memory string: VMware Virtual RAM
    Source: Amcache.hve.42.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    Source: Amcache.hve.42.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\SearchIndexer.exe Process queried: DebugPort
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe Code function: 12_2_000001DD419779C4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe Code function: 12_2_000001DD41977ABE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe Code function: 12_2_000001DD4198749F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe Code function: 17_2_000001FBD9C6AABE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe Code function: 17_2_000001FBD9C6A9C4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\Setup.exe Code function: 29_2_000001B2CBF859C4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\Setup.exe Code function: 29_2_000001B2CBF85ABE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\Setup.exe Code function: 34_2_0000013D42922ABE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\Setup.exe Code function: 34_2_0000013D429229C4 mov eax, dword ptr fs:[00000030h]

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\Setup.exe NtClose: Direct from: 0x13D4061EF40
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtQuerySystemInformation: Direct from: 0x1DD4174B310
    Source: C:\Users\user\Desktop\Setup.exe NtAllocateVirtualMemory: Direct from: 0x7FFF295E8E14
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtQuerySystemInformation: Direct from: 0x1DD00000000
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtAllocateVirtualMemory: Direct from: 0x7FFF26319635
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtCreateNamedPipeFile: Direct from: 0x7FFF26262E70
    Source: C:\Users\user\Desktop\Setup.exe NtReadFile: Direct from: 0x110
    Source: C:\Users\user\Desktop\Setup.exe NtCreateNamedPipeFile: Direct from: 0x7FFF295D2E70
    Source: C:\Users\user\Desktop\Setup.exe NtAllocateVirtualMemory: Direct from: 0x7FFF29B79635
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtAllocateVirtualMemory: Direct from: 0x7FFF26278E14
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtCreateFile: Direct from: 0x7FFF263197E6
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtClose: Direct from: 0x7FFF2631982C
    Source: C:\Users\user\Desktop\Setup.exe NtQuerySystemInformation: Direct from: 0x1B2C9980000
    Source: C:\Users\user\Desktop\Setup.exe NtProtectVirtualMemory: Direct from: 0x7FFF295E94F5
    Source: C:\Users\user\Desktop\Setup.exe NtQueryAttributesFile: Direct from: 0x1B2CBD762FC
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtQuerySystemInformation: Direct from: 0x1FB00000000
    Source: C:\Users\user\Desktop\Setup.exe NtAllocateVirtualMemory: Direct from: 0xA0A76ACB
    Source: C:\Users\user\Desktop\Setup.exe NtQueryAttributesFile: Direct from: 0x13D4063949C
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtCreateNamedPipeFile: Direct from: 0x7FFF26302E70
    Source: C:\Users\user\Desktop\Setup.exe NtClose: Direct from: 0x2
    Source: C:\Users\user\Desktop\Setup.exe NtProtectVirtualMemory: Direct from: 0x3
    Source: C:\Users\user\Desktop\Setup.exe NtProtectVirtualMemory: Direct from: 0x7FFF4F2826A1
    Source: C:\Users\user\Desktop\Setup.exe NtQuerySystemInformation: Direct from: 0x1B200000000
    Source: C:\Users\user\Desktop\Setup.exe NtProtectVirtualMemory: Direct from: 0xA9C1ADFE0
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtProtectVirtualMemory: Direct from: 0x7FFF2631973A
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtProtectVirtualMemory: Direct from: 0x7FFF263194F5
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtClose: Direct from: 0x1FBD9A42320
    Source: C:\Users\user\Desktop\Setup.exe NtAllocateVirtualMemory: Direct from: 0x13D404B0900
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtAllocateVirtualMemory: Direct from: 0x7FFF26279635
    Source: C:\Users\user\Desktop\Setup.exe NtProtectVirtualMemory: Direct from: 0x9F26FDF80
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtAllocateVirtualMemory: Direct from: 0x1FBD9A3C010
    Source: C:\Users\user\Desktop\Setup.exe NtProtectVirtualMemory: Direct from: 0x7FFF29B794F5
    Source: C:\Users\user\Desktop\Setup.exe NtQuerySystemInformation: Direct from: 0x7FFF40CB21D3
    Source: C:\Users\user\Desktop\Setup.exe NtQuerySystemInformation: Direct from: 0x6C
    Source: C:\Users\user\Desktop\Setup.exe NtCreateFile: Direct from: 0xADCD
    Source: C:\Users\user\Desktop\Setup.exe NtClose: Direct from: 0x1B2CBD5D2E0
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtClose: Direct from: 0x7FFF26304F3A
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtAllocateVirtualMemory: Direct from: 0x7FFF26318E14
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtProtectVirtualMemory: Direct from: 0x89612FE0B0
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtQueryAttributesFile: Direct from: 0x1DD3F3CAF06
    Source: C:\Users\user\Desktop\Setup.exe NtAllocateVirtualMemory: Direct from: 0x7FFF29B78E14
    Source: C:\Users\user\Desktop\Setup.exe NtQuerySystemInformation: Direct from: 0x13D40320000
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtClose: Direct from: 0x1DD41750ED0
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtWriteFile: Direct from: 0x7FFF26319822
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtAllocateVirtualMemory: Direct from: 0x1DD4174A250
    Source: C:\Users\user\Desktop\Setup.exe NtAllocateVirtualMemory: Direct from: 0x7FFF295E9635
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtProtectVirtualMemory: Direct from: 0x1A54AFDCC0
    Source: C:\Users\user\Desktop\Setup.exe NtProtectVirtualMemory: Direct from: 0x6C006C
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtQueryVolumeInformationFile: Direct from: 0x7FFF26304FA5
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtQueryAttributesFile: Direct from: 0x1FBD9A5AB16
    Source: C:\Users\user\Desktop\Setup.exe NtCreateNamedPipeFile: Direct from: 0x7FFF29B62E70
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe NtProtectVirtualMemory: Direct from: 0x7FFF262794F5
    Source: C:\Users\user\Desktop\Setup.exe NtQuerySystemInformation: Direct from: 0x13D00000000
    Source: C:\Users\user\Desktop\Setup.exe NtAllocateVirtualMemory: Direct from: 0x1B2C99FF1D0
    Source: more.com, 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: caffegclasiqwp.shop
    Source: more.com, 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stamppreewntnq.shop
    Source: more.com, 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stagedchheiqwo.shop
    Source: more.com, 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: millyscroqwp.shop
    Source: more.com, 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: evoliutwoqm.shop
    Source: more.com, 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: condedqpwqm.shop
    Source: more.com, 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: traineiwnqo.shop
    Source: more.com, 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: locatedblsoqp.shop
    Source: more.com, 0000000E.00000002.1577787068.0000000004C30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: shadowqsnqop.shop
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
    Source: C:\Windows\SysWOW64\more.com Section loaded: NULL target: C:\Windows\SysWOW64\SearchIndexer.exe protection: read write
    Source: C:\Users\user\Desktop\Setup.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
    Source: C:\Users\user\Desktop\Setup.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
    Source: C:\Windows\SysWOW64\more.com Section loaded: NULL target: C:\Windows\SysWOW64\SearchIndexer.exe protection: read write
    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: B3B300
    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: 930000
    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: B3B300
    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: 270000
    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: B3B300
    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: A00000
    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: B3B300
    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: 6B0000
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe Process created: C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exe C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exe
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
    Source: C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
    Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
    Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
    Source: Amcache.hve.42.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
    Source: Amcache.hve.42.dr Binary or memory string: msmpeng.exe
    Source: Amcache.hve.42.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
    Source: Amcache.hve.42.dr Binary or memory string: MsMpEng.exe

    Stealing of Sensitive Information

    Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

    [MITRE ATT&CK matrix (layout not preserved). Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Techniques carrying a count in the matrix: Command and Scripting Interpreter, PowerShell, DLL Side-Loading, Process Injection, Abuse Elevation Control Mechanism, Masquerading, Virtualization/Sandbox Evasion, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Rundll32, Security Software Discovery, Process Discovery, System Information Discovery, Archive Collected Data, Encrypted Channel, Application Layer Protocol.]

    [Behavior graph (image not preserved): ID: 1500439; Sample: !!SetUp_2244_PassW0rds$.zip; Startdate: 28/08/2024; Architecture: WINDOWS; Score: 100]

    Source | Detection | Scanner | Label
    !!SetUp_2244_PassW0rds$.zip | 62% | Virustotal |
    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Temp\ohj | 100% | Avira | TR/Crypt.XPACK.Gen
    C:\Users\user\AppData\Local\Temp\dqgis | 100% | Avira | TR/Crypt.XPACK.Gen
    C:\Users\user\AppData\Local\Temp\vtesbhvscpflt | 100% | Avira | TR/Crypt.XPACK.Gen
    C:\Users\user\AppData\Local\Temp\fpmss | 100% | Avira | TR/Crypt.XPACK.Gen
    C:\Users\user\AppData\Local\Temp\ohj | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Temp\dqgis | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Temp\vtesbhvscpflt | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Temp\fpmss | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exe | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Pluginsig\desktop_drop_plugin.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Pluginsig\desktop_multi_window_plugin.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Pluginsig\file_selector_windows_plugin.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Pluginsig\flutter_custom_cursor_plugin.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Pluginsig\flutter_gpu_texture_renderer_plugin.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Pluginsig\flutter_windows.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Pluginsig\screen_retriever_plugin.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Pluginsig\texture_rgba_renderer_plugin.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Pluginsig\uni_links_desktop_plugin.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Pluginsig\url_launcher_windows_plugin.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Pluginsig\window_manager_plugin.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Pluginsig\window_size_plugin.dll | 0% | ReversingLabs |
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    caffegclasiqwp.shop | true | 21%, Virustotal; Avira URL Cloud: malware | unknown
    condedqpwqm.shop | true | 18%, Virustotal; Avira URL Cloud: phishing | unknown
    stagedchheiqwo.shop | true | 18%, Virustotal; Avira URL Cloud: phishing | unknown
    stamppreewntnq.shop | true | 18%, Virustotal; Avira URL Cloud: phishing | unknown
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    http://crbug.com/1181193Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    http://anglebug.com/482Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://anglebug.com/3045Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    https://anglebug.com/7604Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://anglebug.com/7761Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://anglebug.com/7760Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://crbug.com/308366Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    https://github.com/flutter/flutter/issues.flutter_windows.dll.12.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    http://anglebug.com/5901Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://anglebug.com/3965Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://anglebug.com/6439Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://anglebug.com/7406Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://anglebug.com/7527Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    https://anglebug.com/7161Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://anglebug.com/5469Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    https://anglebug.com/7162Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://anglebug.com/3729Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://anglebug.com/5906Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://crbug.com/830046Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://anglebug.com/2517Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://anglebug.com/4937Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://c0rl.m%LSetup.exe, 0000000C.00000002.1423530742.000001DD41770000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    unknown
    https://issuetracker.google.com/166809097Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://issuetracker.google.com/200067929Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    https://anglebug.com/7847Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    http://crbug.com/1094869Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    http://crbug.com/672380Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://crbug.com/941620allowTranslateUniformBlockToStructuredBufferThereSetup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    http://crbug.com/849576Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • Avira URL Cloud: safe
    unknown
    http://anglebug.com/3832Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • URL Reputation: safe
    unknown
    http://anglebug.com/5577Setup.exe, 0000000C.00000002.1435656829.00007FFF27318000.00000002.00000001.01000000.00000011.sdmp, flutter_windows.dll.12.drfalse
    • Avira URL Cloud: safe
    unknown
    No contacted IP infos
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1500439
    Start date and time:2024-08-28 13:30:43 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 6m 46s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:42
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:1
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:!!SetUp_2244_PassW0rds$.zip
    Detection:MAL
    Classification:mal100.troj.evad.winZIP@31/40@0/0
    EGA Information:Failed
    HCA Information:Failed
    Cookbook Comments:
    • Found application associated with file extension: .zip
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 104.208.16.94, 52.168.117.173, 20.42.73.29, 20.189.173.20
    • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
    • Execution Graph export aborted for target Setup.exe, PID 2280 because there are no executed function
    • Execution Graph export aborted for target Setup.exe, PID 6108 because there are no executed function
    • Execution Graph export aborted for target Setup.exe, PID 6256 because there are no executed function
    • Execution Graph export aborted for target Setup.exe, PID 6896 because there are no executed function
    • Execution Graph export aborted for target StrCmp.exe, PID 3684 because there are no executed function
    • Not all processes where analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    Time | Type | Description
    07:31:45 | API Interceptor | 9x Sleep call for process: more.com modified
    07:31:58 | API Interceptor | 4x Sleep call for process: WerFault.exe modified
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name
    C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exe | Setup.exe | malicious | LummaC
     | Setup.exe | malicious | LummaC
     | verify-captcha-987.b-cdn.net.ps1 | malicious | Clipboard Hijacker
     | verifyhuman476.b-cdn.net.ps1 | malicious | Clipboard Hijacker
     | https://streamvideox.b-cdn.net/HD-video-downloaders.html | malicious | Clipboard Hijacker
     | Setup.exe | malicious | LummaC
     | QvbimOZ2Ww.exe | malicious | LummaC
     | Setup.exe | malicious | LummaC
     | Setup.exe | malicious | LummaC
     | Setup.exe | malicious | LummaC
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.8091214999588487
                        Encrypted:false
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.8089527296489964
                        Encrypted:false
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.8087637182501055
                        Encrypted:false
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.808977773262306
                        Encrypted:false
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Wed Aug 28 11:31:55 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):25706
                        Entropy (8bit):2.3062086537349327
                        Encrypted:false
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):6324
                        Entropy (8bit):3.72258474006222
                        Encrypted:false
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4686
                        Entropy (8bit):4.489814609980029
                        Encrypted:false
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Wed Aug 28 11:33:02 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):26410
                        Entropy (8bit):2.247426776055451
                        Encrypted:false
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):6324
                        Entropy (8bit):3.722422490620371
                        Encrypted:false
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4686
                        Entropy (8bit):4.487941985318249
                        Encrypted:false
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Wed Aug 28 11:33:11 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):26776
                        Entropy (8bit):2.2156109459162407
                        Encrypted:false
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):6324
                        Entropy (8bit):3.7240935699350373
                        Encrypted:false
                        SSDEEP:96:RSIU6o7wVetbyEA6HYkyQE/h355aM4Uw89bSxnXsfPFvwhm:R6l7wVeJyEA6HYkydprw89bcnXsfVUm
                        MD5:3367C7708C48F1E303045903FD4FA3CD
                        SHA1:AE9DBADD22224587693F516D5E5A21015D790A94
                        SHA-256:8345D5F03F356C4082B08F585BBAF66ADFF5185D2488074E8123018E8910A375
                        SHA-512:749CB9921DE56E11C5DBBE705E7F2A72A18C7F46B0180456DA9036A8B12EFC0E5693E1C8A62C15F9060682C321925559E8799C190B767026E244294748E004BE
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>4252</Pi
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4686
                        Entropy (8bit):4.48661139135634
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsAJg77aI9TpyWda80a2Ym8M4JUA+P/lF8+q81Qn3J+KSJrYd:uIjfGI79pdlXJUAY/cEQnARJrYd
                        MD5:EF14AFDCBA4B07D00E42052E7EA551DB
                        SHA1:82868BAA38F7E2E7C2BDEB3FA1B63004696BBD45
                        SHA-256:9A59570EB712EA99B3B3E77457735A7D111C81DAD579C5CDE867D0FCEE20E260
                        SHA-512:CCA8BE4CA8A9AA43D845E0499FD38EF069A2426084D33EEA7CDF29750B78A39790979C1AC2C5AA388F5CAB512509B4DF108853EA39E7CE79F8C63C8FFB5AB4FD
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="475355" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Wed Aug 28 11:32:09 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):25658
                        Entropy (8bit):2.292023012884135
                        Encrypted:false
                        SSDEEP:96:5R8mtNFE1fscBOEiNqHlu7q7m7i7d4J5VQgqz7TDCkv3QWIkWIEeaIp74E0+o8Xu:M/tCqS7OdOa3D1vA44f+oM81nGFw
                        MD5:5EF870D9374DC2EB9254AC059FA19133
                        SHA1:8819C106D94A4974FD59B3848D6CED0BEFD3BA4D
                        SHA-256:FF92AA5C6383417D5D62ADC59B96983EDF12B57A6C113E66F3B0CFD60F8CAFAD
                        SHA-512:48DD0A3DC72457A1A8AC4D73C5BD7E42D121AD386DA6D3F031A10D3270F10263700633CF7D3D6E3CF95E09FB131050ABDC62C5B6916FB3D47149239F86C8891B
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):6324
                        Entropy (8bit):3.7221667116674304
                        Encrypted:false
                        SSDEEP:96:RSIU6o7wVetbMbEy6LqZXYkyQE/h355aM4Ua89bS5VsfmIw5m:R6l7wVeJMbEy6eYkydpra89bkVsfbsm
                        MD5:5EFA3101EA9C9823FF8D68D6F0FAB7CC
                        SHA1:D6CF9233CBC90182C1379223B7427D6C60286495
                        SHA-256:DAB6A92401108DF4043BA99856F9092B83DFB091ED122C8B107AF913C4D644F6
                        SHA-512:EAFDB2AD584061D8C0C2318361025DBCA7328530C4DA83D07C3DC2FA9681B2EEBFA0830AF1AF0BF6463232B0BB762F396823194F97151E36A15B11BF4CDA56D1
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>1060</Pi
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4686
                        Entropy (8bit):4.4895861192610935
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsPJg77aI9TpyWda80aWYm8M4JUA+P/lFpe+q81Qn3TKSJzYd:uIjfxI79pdl3JUAY/JeEQnDRJzYd
                        MD5:635F7F99976941CD2F9CBB86CC4AEAAC
                        SHA1:E828623F4A2EA3DBF638BBDB16EDB95EABEB1016
                        SHA-256:7F525E8B74E55C1109E17672D0F2E5FEEC55D2D0038DD597B59D459FED4A303A
                        SHA-512:9B9D31259C528924B6B768B8B5DAECEBE419B59A11B468A5076F7A7C359B7EDE6DFE5F03C48140152A6DD676970BEF97A5454451DAB9A51616C8CE4F46A3F0D7
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="475354" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):1162311
                        Entropy (8bit):7.528065018009383
                        Encrypted:false
                        SSDEEP:24576:/DoIPC3Qjn/K92E3M9e7OPAQe9puu1BRY7OxVEcsOKa94c:/D1PIj3ROYrnOOxC+4c
                        MD5:EFDFC148E663CD56714E443602CA49DA
                        SHA1:3142CF23B578A171A2D5C6C8A323FEF72934FCF5
                        SHA-256:05AB3A533BD728277D126760A54F6CEEDF8D0EE83CCBC2F79934C261712475EE
                        SHA-512:97559AF88BF081E354A8416207FE74B24F9DA12D263D376B53F5E1509D76AF2C964962C98896664382677F7C337B5CEFF995870728A8456BC21D15624EEB95C8
                        Malicious:false
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):1162311
                        Entropy (8bit):7.528064161351671
                        Encrypted:false
                        SSDEEP:24576:7DoIPC3Qjn/K92E3M9e7OPAQe9puu1BRY7OxVEcsOKa94c:7D1PIj3ROYrnOOxC+4c
                        MD5:6C7F41C961E5218300A713338D0273D1
                        SHA1:0281A4FAB63559354C8BD9A54954165F4B499D85
                        SHA-256:BE2CC53B72BC3DDC9FA325C823DD43FB771824451B5DE251745229A145EF6DAE
                        SHA-512:FB51635DBB7B16D262AABF9960A1DB34A381516D31CDE0093129F6BEE79533E7D94C3383B4C2B018ABBC566989B827BD19FABB7E448FB20F7EA1F3885FDF12BC
                        Malicious:false
                        Process:C:\Users\user\Desktop\Setup.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):1162311
                        Entropy (8bit):7.527943937835153
                        Encrypted:false
                        SSDEEP:24576:cDoIPC3Qjn/K92E3M9e7OPAQe9puu1BRY7OxVEcsOKa94c:cD1PIj3ROYrnOOxC+4c
                        MD5:674B017645D2701704EC866A155B0385
                        SHA1:1843D08BD7DB07513E9450068841956FE78ECFFE
                        SHA-256:E79277241598C7FE38282D0FC378C40BFF8A8D852ED665B09EEF133208B79C5A
                        SHA-512:44B56DC13951EDE4A8018C56E11B07AE5CBB5375EB611F69CEFD9F87A9D19DF483873C5E1C6B202E9C12CC42B7F76035915E7B679F71D6AABD3EC412A821D478
                        Malicious:false
                        Process:C:\Users\user\Desktop\Setup.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):1162311
                        Entropy (8bit):7.527942390557999
                        Encrypted:false
                        SSDEEP:24576:rDoIPC3Qjn/K92E3M9e7OPAQe9puu1BRY7OxVEcsOKa94c:rD1PIj3ROYrnOOxC+4c
                        MD5:F80CD1EFD1F7606DDC43656C3F165A59
                        SHA1:AC04A197F6F143C3B4B0D04B9CDC2576BF39FB2C
                        SHA-256:40D78BA4CC69EE868ED31B59D8756BBB75631485A833E035D60E683B8EE572A2
                        SHA-512:06F9B9B13660219E98EE09A9B2B267C718B071DCFB4AFA5C67C9161651D0038D3AF44D73F06B24F195DEBD4ABFAF235F092BE38439A6107BFBE979A14294CD50
                        Malicious:false
                        Process:C:\Windows\SysWOW64\more.com
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):380416
                        Entropy (8bit):6.672609632002305
                        Encrypted:false
                        SSDEEP:6144:eU/dhou2Jzo+WesKd66y8wyiCgPdhZoAitU3H7d:NyLd6SiTRoAitU3R
                        MD5:474A97852F8C7EEE1491E1A068392D2A
                        SHA1:635D1CF9B323B8E68ECDFDD619C5560B4109917E
                        SHA-256:E1BDD2EF3F6C745D261941CFFB8E892DAA3C603C113FC89B2C5A7583A08D8884
                        SHA-512:AFE27711FF1E535BDAB64D64DC4E5AF3CFB47BF36DFD3E22A6E0AA784E4D905F0BEE7F69B3197C2D13B8002AD1EC72AD1C3027D34776C7112FC1154F135C2CBC
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....0U.................l........................@.......................................@.....................................x................................@..................................................,................................text....k.......l.................. ..`.rdata..;(.......*...p..............@..@.data...@........V..................@....reloc...@.......B..................@..Bwcstg................2..............@...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):48896
                        Entropy (8bit):5.121181282636362
                        Encrypted:false
                        SSDEEP:384:UIJpPkn2VDVdOQe7vB4LN9tntl4crAlRcDuy1Tyk6K/uLvVWuFRNV1VF0hXHMGBJ:UQ35YtUIbERx/6jjVTbV1VaXLkjW
                        MD5:916D7425A559AAA77F640710A65F9182
                        SHA1:23D25052AEF9BA71DDEEF7CFA86EE43D5BA1EA13
                        SHA-256:118DE01FB498E81EAB4ADE980A621AF43B52265A9FCBAE5DEDC492CDF8889F35
                        SHA-512:D0C260A0347441B4E263DA52FEB43412DF217C207EBA594D59C10EE36E47E1A098B82CE633851C16096B22F4A4A6F8282BDD23D149E337439FE63A77EC7343BC
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Joe Sandbox View:
                        • Filename: Setup.exe, Detection: malicious
                        • Filename: Setup.exe, Detection: malicious
                        • Filename: verify-captcha-987.b-cdn.net.ps1, Detection: malicious
                        • Filename: verifyhuman476.b-cdn.net.ps1, Detection: malicious
                        • Filename: , Detection: malicious
                        • Filename: Setup.exe, Detection: malicious
                        • Filename: QvbimOZ2Ww.exe, Detection: malicious
                        • Filename: Setup.exe, Detection: malicious
                        • Filename: Setup.exe, Detection: malicious
                        • Filename: Setup.exe, Detection: malicious
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K..*...*...*...6...*...5...*..t5...*..Rich.*..................PE..L......U.................P...0...............`....@.........................................................................4L..(....p..\................/..................................................0... ....... ............................text....A.......P.................. ..`.data...,....`.......`..............@....rsrc...\....p... ...p..............@..@l.[J............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):888298
                        Entropy (8bit):7.9098508179851175
                        Encrypted:false
                        SSDEEP:24576:PSR9B/Chxyv64c7MJT4uAPCoxJkvoeq8iRHyKlRCIMFtEGp:PaChxya7croDkAexWHyKlRCIMFttp
                        MD5:6D2396FC1E50A85554DC7D2E3E601AC5
                        SHA1:07E4D0459394F3F2E7CDE32837B35E5A84208473
                        SHA-256:7572B3A91DCC1BE61218E95492E8FF32262083D255361C846B118D506AF80A03
                        SHA-512:EC9809CF5EDBFDBE870C67D7C007B40EB137696EBCB774ED0D3EFF42C2A9215C0BEDE180B03EE8090744F0B90C6DEE52A4981BB15BA1DD750FD8CB3BD7D2C9ED
                        Malicious:false
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):321936
                        Entropy (8bit):6.255417319874531
                        Encrypted:false
                        SSDEEP:6144:29N2dRHqGR0N9BtVLATWWFQEDyhNSDEAI/MmwfqC9ulM9UBaKL:A2dRHqGRahAT9FxoSIAIvDC9ulM+EKL
                        MD5:F4DF6A33F0E0633DC756F78F8838A067
                        SHA1:CE1C4544E1EA3DB01CE2738B2575B0C33C25377D
                        SHA-256:C373994FBE373F500B129AFF6700339C663EF14052EEACA53DA8500877CBB937
                        SHA-512:B3F7323E8EABEA7ECE7E52BA65BB6489029BCEF6CB4935A01522FA973B3A0A108E1DB2C8EA64ABDD8A0529F5A9E15526B1677650C51757F775C38BFC1CD05E14
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z.H.;...;...;..6K...;..6K..q;.......;.......;.......;..6K...;..6K...;...G...;...;...;.......;.......;....p..;.......;..Rich.;..........................PE..d...O.wf.........." ...(.*...........0....................................... ......h1....`..........................................t..t...Du..x................-..............................................(.......@............@...............................text...,(.......*.................. ..`.rdata..rC...@...D..................@..@.data...x7....... ...r..............@....pdata...-..........................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):397712
                        Entropy (8bit):6.40156340476818
                        Encrypted:false
                        SSDEEP:12288:ThaEhq4cY0f8IlE6BZR2nUx9lYOUgLZUrd:T4EhqR5lE6xSUx9lYOUg6rd
                        MD5:42C063882FD7CEDD3CC62356450D8987
                        SHA1:A09DB77F70A6F7D7C59418FC08250A8E13E8A60D
                        SHA-256:37D1EBFC8F423BF02DEC598C6421E4124C8C5666C27782180D84003039E88DFF
                        SHA-512:77AC9C670F91059B2CAA12DA9B5417CD71D525F900B7DDA51FFCF499AA2882734B342F6803814C6FDE1B527C9742ED9CF67AB1EE8D141CB437B57C979D89B456
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q{.?...l...l...l.j.m...l.j.m...l.j.m...l..m...l..m...l..mY..l.j.m...l.f.m...l...m...l...l...l...m...l...m...l..zl...l...l...l...m...lRich...l........PE..d...j.wf.........." ...(.....L......l........................................0......E.....`..........................................*......x+..........h[.......3........... ..`...............................(...p...@............................................text...|........................... ..`.rdata...o.......p..................@..@.data....?...@...(...2..............@....pdata...3.......4...Z..............@..@.rsrc...h[.......\..................@..@.reloc..`.... ......................@..B........................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):22939
                        Entropy (8bit):5.547656814260589
                        Encrypted:false
                        SSDEEP:384:d5sDpuuQSXDu4tYNntUFozwfR5Ln9IzN5NyJW9xN5UgILkQiVNLQ/rUmu0Yu:d52pRQSXK46NtVzGRnUxyJQNdykQiVNA
                        MD5:9C93066EE30EB741FE551D43DC96819B
                        SHA1:8A9F34B3E9B42562E40927439B8CB001A7827E50
                        SHA-256:158729ED7B5F6B7CC30805A0B2AF11E0CE677A9E13E60914A813C8918D904DE2
                        SHA-512:9F76A354783EDDCBE356A8436A2E1865A88EEB27CAD7D76EBCE6AED0F97C4BA62EB70F07F149D20B80586936B71C30D8633DA0BFC99A3A77CA747A4E4309E4BE
                        Malicious:false
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):346512
                        Entropy (8bit):6.253406880555808
                        Encrypted:false
                        SSDEEP:6144:sQz5UqJwVKCsnOeuj9PDnBQpUZyNVHhl/FPTCgTx:sQ1UqChsnOeMhBaQy9l/FPW0x
                        MD5:9641732F1DB2EAB135130C9128C1427A
                        SHA1:88B0857CFE055A1D920E55B3094116162E4EAA00
                        SHA-256:B47CD11E4089FE0AE8BAF4E05B4CCF19B1DFE403FD392649E9253C05D58F3CBC
                        SHA-512:5C87B26E51771B61FDF87D577781B1FB163527D0F03E74327BC11EA1A24B1B449D4AB23F7393466ED4BAF3809A5151EB30928F462B5FCD55BB8DE4BD733856A8
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):313744
                        Entropy (8bit):6.2705364965004815
                        Encrypted:false
                        SSDEEP:6144:7OqwvZdI0CglL0fN5ra4KBb5cSgQkJjMoplVNLQDrkHW:6qwvigF0fN5OB5dgQkBplVNLQDeW
                        MD5:2EEEB7F9DCC44DC28CBFBAF94176CA6F
                        SHA1:65055D6EE4E5A322DB3C74B0EF8CDADECDB32737
                        SHA-256:966DDE59F9ABD125F763A95273BF923C2543A4B9F43F6F0C5587CCA308BD9FFD
                        SHA-512:5919481A1768E9B19CE79ADDDFFC25A6BCDA326232FEB6E61729C2173292F3E2EC7266C646090DCC061A2E9643084583E43947774FDF76842316249B3B2E911F
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):337408
                        Entropy (8bit):6.213830231254806
                        Encrypted:false
                        SSDEEP:6144:KG6W10qIOfhXrbR0fkN0addZrKKOYQ9gsYlFvFGpP8f:KGd0qIq10fkNBvgK5QRYlFvFEP8f
                        MD5:2C18DC7B011115B00F66ECBEDCAAF4F7
                        SHA1:5C8F904A3BD686911431F534AF04D4FD86A76369
                        SHA-256:857E4CB0B41F7AAC5494C8554601888C1C82202DE3DAB7258B2FF322BC94CA43
                        SHA-512:C44C6C89DEB153F7B362586EE7950C4A5FE3E942254C227EBCEB16F31493812CA73BB7F982B0713BAAC47ABC753FA8D05B4E2C3E417FDEC9D109D89276AC0A28
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):17983376
                        Entropy (8bit):6.549243204630475
                        Encrypted:false
                        SSDEEP:98304:2M5ISKnKKu/60i9gzTcriqcN9MX4C7GsIAfiz8xS6RWhi62KFfQWmLu2EkKZ3uNx:xO6ggzLI7op6Rt69L2kuNx
                        MD5:E3E8D995E4A1D5E84EE11DBD58D21F3B
                        SHA1:52E7AFB03DD3F45F7B8839879FEC1ACC7965A62E
                        SHA-256:29782AC1F424865FA1007A5F818F35ABB5307B01C099AAA38067513E516A0454
                        SHA-512:F4FB26D4DC2D91D36FD8F26B9BE6B74F50DF94DE530AFDD8D2D5E9D6D6300B52FB9C6EFBD94A95D630094CE59D5D1AA1B898F810BE8806B7E9DFC5466D312659
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):545680
                        Entropy (8bit):6.371479071684404
                        Encrypted:false
                        SSDEEP:12288:8xqABhfuM6KsuJPR9K+EvLHhDcsgsEO5CllKDh/eF4:8xqDM9+lHNcsgACllKDh/eF4
                        MD5:2D885495E81A8B8D1D5305FE20566484
                        SHA1:F1D2083D399DD48927CBD83E23F90AD3CE3E0632
                        SHA-256:EB2E18881DDD80A3E54527264B3E7C5046F15854A196B76CCAD28E8258F3F1B2
                        SHA-512:E2BB9F8E377B381CC13538B39E8B3FB749341FCEF84E7B26749BF35141C6C52A48636BB00C6FA7C585EEC4C01B03CD0EC38C8F3E85E0CA2C2CDA26D026DEF326
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):323472
                        Entropy (8bit):6.260791393809843
                        Encrypted:false
                        SSDEEP:6144:xadPqy3/nKyWFZS3PCmxiVvUTiJ+1I2hWHlHTkPXdxs4:wqyAA3PCmwV8i41I2gHlHTkvdW4
                        MD5:128D06B8C5739F35A7C76A76BF1E6149
                        SHA1:901F9698BF4C4A10E8E902E6DBDDF1782E1067D0
                        SHA-256:BF585DBC4E4DCE47F9EFDEEAD15F67A69644CE6F1177CEEC518882DC85ECC096
                        SHA-512:ECE9254486347751D6F68AE86AFB36508FED81B00C4588F555DB584A0E9DE5F4710A24E6BB5B2B19A25BEE20AA4BF90068F9EB2E37B48271614B6C97199E419C
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):543632
                        Entropy (8bit):6.3781262731970685
                        Encrypted:false
                        SSDEEP:12288:zqzF5VH24Jy+0PeZOYbxobw+QY0heC9lVNLETyoK:zqh32SRoc+QY0n9lVNLETbK
                        MD5:94267176E212B8EBFF06728CC6C3F432
                        SHA1:F65313083C2B3177F405B7AB884BA0A9BE3251D9
                        SHA-256:08D08CBFA4D5531CEEE16BFCB2255EDA79C5B7F7C0894C4E6F49F673457AB362
                        SHA-512:014459C9D3DBE7C09E0D6DB085CE9F715248BA6D784845339B2D6896A8BA7B680C93E707D4990350E30C8853A95FD0DC6F8E9244643787DB65AB8A2F95C26967
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):323472
                        Entropy (8bit):6.24323878406639
                        Encrypted:false
                        SSDEEP:6144:aK/qrBUA8kikYQQ2sXvNnot1bdNtb1lHSdrkjoE:a8qC5kikpQX1ny1bdv1lHSdYjoE
                        MD5:BFEC2012B6589D4496EA0283E90A5269
                        SHA1:813E3FAD5CFE4A30E20F05080D106811C5544FA3
                        SHA-256:F9406ECAA9C86F2946F8B9D997F0210F1F5EE974BE6548D1DB039014D1B45552
                        SHA-512:396F28EB15ED793DB453CD3B3E9118F4386FE24A75E3F3914E881CCA3ADA8918B98751BDAC51C4A5E897CCA1E700B2A545686463A6B0DD6719EA172682CFB928
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):589712
                        Entropy (8bit):6.371606969587959
                        Encrypted:false
                        SSDEEP:12288:Qnu0YqCbnvh0xDqjFR0NdzhdkPJZIR0vnrXkcc9VNLqYWTF:Qu0YqInZCD7mZI0vnrPc9VNLqYWB
                        MD5:EAB165F7A1856FC4FC191416A26F20F3
                        SHA1:3E3BAAA9A8AE20680D4B347A3A65E4A388DC0F4D
                        SHA-256:A2C87DFE4D43C7CC8AC44F2AC43BD45EC4F3F6BA87A2C73AE8B55F26286600E9
                        SHA-512:897E0F107BEB1FCC6402183C535F2550E954B379451415E8B40403D0575EFA6E1D1373F9F0B9A0649AB09515259490C7BFB9E9926F76735EE513F68460FB5143
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):539536
                        Entropy (8bit):6.374120901700144
                        Encrypted:false
                        SSDEEP:12288:F2qV/eGvVJVbhqs7MRkPXpaCLz9gS+f/9VNtP8zC:F2q9rVJeMp1Lz9gj/9VNtP8zC
                        MD5:7024D49DF9315B5718F40FCD29A8656F
                        SHA1:EF243D1EC09F2FB714459D596F40A87B5B51C054
                        SHA-256:51877E41297AE94FE33D01D980717AE18938A3E81A32C57ADC77D754EF7E66BE
                        SHA-512:D9B7661B923B45020641F80A4695079A86F92848A022C8374C9339258A3F63D628000628CF75163B7C707A8506BB4D4928A1EA75E09FA6416EB9A2150EB5B705
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1835008
                        Entropy (8bit):4.310179597674706
                        Encrypted:false
                        SSDEEP:6144:gyw8CE/ZeaJFSSP6Y6B0CvpuIUOa4+e9gFbJUjWKdHjj5+jJ1gREf4JCA:gn8RWvp63qtdHH3eA8
                        MD5:761B5241872BB7B629D892390D663013
                        SHA1:6CEA2837F3B453658102355617BE1BE90232438C
                        SHA-256:26C4ACA55CA3F08C1C8CC50DB3FC261872C1C07A8BAEA9520DE1358951486028
                        SHA-512:A245D81B8EF23DC804C02E100176F61FA2A886BA209FAB4C9921547B9B2936B5488642E37EFA3588BE68C54CCFDC4D9AC896F632A3FC074E9A3A949FE717ACE6
                        Malicious:false
                        File type:Zip archive data, at least v2.0 to extract, compression method=deflate
                        Entropy (8bit):7.986479685680289
                        TrID:
                        • ZIP compressed archive (8000/1) 100.00%
                        File name:!!SetUp_2244_PassW0rds$.zip
                        File size:27'132'933 bytes
                        MD5:e9ce58b884143acee5f004128d1fae65
                        SHA1:899a0b621b6d19da304675ac38d5d47d00e9f511
                        SHA256:071b8b38b57d457b42a7bcfb6779e602f37f75e588dbdbe731cab784fcd06505
                        SHA512:fa6210dae8883601e29939423f2f94897ebdeb3be7b52553755bba5c9d66f8ba5d509499e1ed9c9844c9449cc41ee768fec9e146810727bda962ebd0a07011af
                        SSDEEP:786432:i8w4L3djFqXtojtCdou8zAGYFfxQ1byFN976sa/E3k:ZwItFqX6jtCdoHJksyFN976Tc3k
                        TLSH:3B5733F47E71DADA7C9769333A2E2BD54F96BD0F048587E173AF84380981BEE5904089
                        Icon Hash:1c1c1e4e4ececedc
                        No network behavior found


                        Target ID:0
                        Start time:07:31:15
                        Start date:28/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        Imagebase:0x7ff7a9890000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:12
                        Start time:07:31:35
                        Start date:28/08/2024
                        Path:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe"
                        Imagebase:0x7ff7989e0000
                        File size:256'912 bytes
                        MD5 hash:850A43E323656B86AE665D8B4FD71369
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:13
                        Start time:07:31:37
                        Start date:28/08/2024
                        Path:C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\Pluginsig\OZXLODVVKP\StrCmp.exe
                        Imagebase:0x400000
                        File size:48'896 bytes
                        MD5 hash:916D7425A559AAA77F640710A65F9182
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 0%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:14
                        Start time:07:31:37
                        Start date:28/08/2024
                        Path:C:\Windows\SysWOW64\more.com
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\more.com
                        Imagebase:0xb70000
                        File size:24'576 bytes
                        MD5 hash:03805AE7E8CBC07840108F5C80CF4973
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:15
                        Start time:07:31:37
                        Start date:28/08/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6684c0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:16
                        Start time:07:31:49
                        Start date:28/08/2024
                        Path:C:\Windows\SysWOW64\SearchIndexer.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\SearchIndexer.exe
                        Imagebase:0xb00000
                        File size:711'680 bytes
                        MD5 hash:CF7BEFBA5E20F2F4C7851D016067B89C
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:17
                        Start time:07:31:49
                        Start date:28/08/2024
                        Path:C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_!!SetUp_2244_PassW0rds$.zip\Setup.exe"
                        Imagebase:0x7ff6146f0000
                        File size:256'912 bytes
                        MD5 hash:850A43E323656B86AE665D8B4FD71369
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:18
                        Start time:07:31:50
                        Start date:28/08/2024
                        Path:C:\Windows\SysWOW64\more.com
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\more.com
                        Imagebase:0xb70000
                        File size:24'576 bytes
                        MD5 hash:03805AE7E8CBC07840108F5C80CF4973
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:19
                        Start time:07:31:50
                        Start date:28/08/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6684c0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:22
                        Start time:07:31:54
                        Start date:28/08/2024
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6268 -s 396
                        Imagebase:0x40000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:23
                        Start time:07:32:02
                        Start date:28/08/2024
                        Path:C:\Windows\SysWOW64\SearchIndexer.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\SearchIndexer.exe
                        Imagebase:0xb00000
                        File size:711'680 bytes
                        MD5 hash:CF7BEFBA5E20F2F4C7851D016067B89C
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:25
                        Start time:07:32:09
                        Start date:28/08/2024
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 396
                        Imagebase:0x40000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:29
                        Start time:07:32:41
                        Start date:28/08/2024
                        Path:C:\Users\user\Desktop\Setup.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\Setup.exe"
                        Imagebase:0x7ff661950000
                        File size:256'912 bytes
                        MD5 hash:850A43E323656B86AE665D8B4FD71369
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:30
                        Start time:07:32:42
                        Start date:28/08/2024
                        Path:C:\Windows\SysWOW64\more.com
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\more.com
                        Imagebase:0xb70000
                        File size:24'576 bytes
                        MD5 hash:03805AE7E8CBC07840108F5C80CF4973
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:31
                        Start time:07:32:42
                        Start date:28/08/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6684c0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:34
                        Start time:07:32:50
                        Start date:28/08/2024
                        Path:C:\Users\user\Desktop\Setup.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\Setup.exe"
                        Imagebase:0x7ff661950000
                        File size:256'912 bytes
                        MD5 hash:850A43E323656B86AE665D8B4FD71369
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:35
                        Start time:07:32:52
                        Start date:28/08/2024
                        Path:C:\Windows\SysWOW64\more.com
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\more.com
                        Imagebase:0xb70000
                        File size:24'576 bytes
                        MD5 hash:03805AE7E8CBC07840108F5C80CF4973
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:36
                        Start time:07:32:52
                        Start date:28/08/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6684c0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:37
                        Start time:07:32:57
                        Start date:28/08/2024
                        Path:C:\Windows\SysWOW64\SearchIndexer.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\SearchIndexer.exe
                        Imagebase:0xb00000
                        File size:711'680 bytes
                        MD5 hash:CF7BEFBA5E20F2F4C7851D016067B89C
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:39
                        Start time:07:33:02
                        Start date:28/08/2024
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 212
                        Imagebase:0x40000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:40
                        Start time:07:33:06
                        Start date:28/08/2024
                        Path:C:\Windows\SysWOW64\SearchIndexer.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\SearchIndexer.exe
                        Imagebase:0xb00000
                        File size:711'680 bytes
                        MD5 hash:CF7BEFBA5E20F2F4C7851D016067B89C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:42
                        Start time:07:33:11
                        Start date:28/08/2024
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 384
                        Imagebase:0x40000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                          • Opcode Fuzzy Hash: ce9f8eb55d082409392b87719e8b181897f33808ee8dd0fcce975c396d18b510
                          • Instruction Fuzzy Hash: 01215331604205DBFF68EFB8E4496EAB3F5AF44710F251B2AD43593991E770AE01CB40
                          Memory Dump Source
                          • Source File: 0000000C.00000002.1422612172.000001DD3F3C5000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001DD3F3C5000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_1dd3f3c5000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 62405d79177855bac37b9fbbd0f382940306f11e6082419de3724d4b85248376
                          • Instruction ID: 38082d408711fc2d6da9b20476ce0ba0806feb7c824389d32034eebf95092adf
                          • Opcode Fuzzy Hash: 62405d79177855bac37b9fbbd0f382940306f11e6082419de3724d4b85248376
                          • Instruction Fuzzy Hash: AE112F6280E3C48FDB2747B48C342A07FB09E23220B1F44DBC0C4CF1A3E8181949E722
                          Memory Dump Source
                          • Source File: 0000000C.00000002.1423842298.000001DD41977000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001DD41977000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_1dd41977000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                          • Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
                          • Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                          • Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595
                          Memory Dump Source
                          • Source File: 0000000C.00000002.1423842298.000001DD41977000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001DD41977000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_1dd41977000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                          • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                          • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                          • Instruction Fuzzy Hash:
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.1423842298.000001DD41977000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001DD41977000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_1dd41977000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: $&$3$6$;$=$H$N$Q$S$W$X$Xa4$Xa4$Xa4$Xa4$_$g$j$l$o$w$w$x
                          • API String ID: 0-4122906749
                          • Opcode ID: 3d1f0ff41ef16d642c4ce7b4b2b44fe49233bcbf1cd20426557420a8ea4f6f6d
                          • Instruction ID: 3f387382f197cd72d5d94fa0f6234b4a4c1193f1d87709e973c5d9c51e6b3e1e
                          • Opcode Fuzzy Hash: 3d1f0ff41ef16d642c4ce7b4b2b44fe49233bcbf1cd20426557420a8ea4f6f6d
                          • Instruction Fuzzy Hash: 72615770E04299DAEF15CFA8D8483EEBBF1EF05318F10425AD428BB395D3B91A46CB55
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.1423842298.000001DD41977000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001DD41977000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_1dd41977000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: $&$3$6$;$=$H$N$Q$S$W$X$Xa4$Xa4$_$g$j$l$o$w$w$x
                          • API String ID: 0-2783673184
                          • Opcode ID: d01d369eeaabe9b2df499ef724628e410bf81941d2290df0f05f6256d5aa4273
                          • Instruction ID: 8dfea2e44ea88db133bb7137f7892375dae9451c66d1c55edcacb0aca6bdb756
                          • Opcode Fuzzy Hash: d01d369eeaabe9b2df499ef724628e410bf81941d2290df0f05f6256d5aa4273
                          • Instruction Fuzzy Hash: A0513670E05289DAEF14CFA8D9883EEBBF1AF15314F20425AD464BB3C1D3B94A49CB55
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.1423842298.000001DD41977000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001DD41977000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_1dd41977000_Setup.jbxd
                          Similarity
                          • API ID: __aulldiv__aullrem
                          • String ID: $.$0
                          • API String ID: 3839614884-1597385752
                          • Opcode ID: 5ced120e9dae2b95f54964dfaa72291566494b1f173f2c07fb459385e4ad0fcf
                          • Instruction ID: 320897cd48a26eef3dbdc3c6e8baa15658941589cc70e010e7effbf659588e1e
                          • Opcode Fuzzy Hash: 5ced120e9dae2b95f54964dfaa72291566494b1f173f2c07fb459385e4ad0fcf
                          • Instruction Fuzzy Hash: D741D8307583998BF7319E78A84179A7BC59FA2B40F04065FF5A49B7C6C7B4C80987A3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.1423842298.000001DD41977000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001DD41977000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_1dd41977000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: zC$$zC$$zC$(zC$XfC$yC$yC$yC$yC
                          • API String ID: 0-3465494013
                          • Opcode ID: a18f118119518542955fdaedf8028625ffcfac5d12a68d953a3e08b6ef4bab83
                          • Instruction ID: 9d40391a5ec5001eb26fac31cc87657d1916806e15c0d7022d053704d67ec1a2
                          • Opcode Fuzzy Hash: a18f118119518542955fdaedf8028625ffcfac5d12a68d953a3e08b6ef4bab83
                          • Instruction Fuzzy Hash: C93192B5B6480806972C893CA85266B2683ABD4370F69572FF977836E0DFB48D059244
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.1423842298.000001DD41977000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001DD41977000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_1dd41977000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4F$ 4F$ 4F$ 4F$ 4F$heC
                          • API String ID: 0-772418692
                          • Opcode ID: ae06115edcb641a05dfcf5b4a5125944856298ee2cabefe28725e30fda5c8ddd
                          • Instruction ID: 6e25e7924a3f71ddf05c21c6cf6b07ba68dec2055d728c869a277b607d24f42f
                          • Opcode Fuzzy Hash: ae06115edcb641a05dfcf5b4a5125944856298ee2cabefe28725e30fda5c8ddd
                          • Instruction Fuzzy Hash: 0A914931B105040BD724CE38A8516BA77D2EBC5360F68472AF9B6C77D1EB75ED09C244
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.1423842298.000001DD41977000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001DD41977000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_1dd41977000_Setup.jbxd
                          Similarity
                          • API ID: __aullrem
                          • String ID: deC$deC$xtD
                          • API String ID: 3758378126-1369711728
                          • Opcode ID: b77220b100bef97bd7d9b3325914c7c34c444bee3f05095c8de56894fc65385b
                          • Instruction ID: 47f678ab5a481e33b4adf95dfa8f9e8123503b7e397fa0cef62cfde25cc82583
                          • Opcode Fuzzy Hash: b77220b100bef97bd7d9b3325914c7c34c444bee3f05095c8de56894fc65385b
                          • Instruction Fuzzy Hash: 60021470B142416BE750DF78BC817EA77E9AB80350F08463AF86987B82E775EC09C795
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.1423842298.000001DD41977000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001DD41977000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_1dd41977000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: (eC$(eC$,eC$,eC$deC
                          • API String ID: 0-2520889075
                          • Opcode ID: a650aac2c3bfefc6d79999dfb19bd0a84beb0012b9efdb29337ea7b91e54bc68
                          • Instruction ID: 7b64df04fa83b982b2379cc6e6484b9d4cf76bf95f30ac93279d9cdd0be72d92
                          • Opcode Fuzzy Hash: a650aac2c3bfefc6d79999dfb19bd0a84beb0012b9efdb29337ea7b91e54bc68
                          • Instruction Fuzzy Hash: B9512671B103012BE2609E38BC51BA737D89B9AB50F15563AECA9D77C1E736EC088360
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.1423842298.000001DD41977000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001DD41977000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_1dd41977000_Setup.jbxd
                          Similarity
                          • API ID: __aullrem
                          • String ID: (eC$(eC$,eC$,eC
                          • API String ID: 3758378126-3020691501
                          • Opcode ID: cb4ea360c0a995ac68cc9917b10e2664a6b8da70fae788ba49a868e8e3586c18
                          • Instruction ID: 0569be592ef07016441c85fea11f2ffc68afce9513a87564913b37e74af8c48a
                          • Opcode Fuzzy Hash: cb4ea360c0a995ac68cc9917b10e2664a6b8da70fae788ba49a868e8e3586c18
                          • Instruction Fuzzy Hash: 84C1B771B1020027F6606E74BC42BEB33D9DB91751F08462BFD2996B83F779ED0982A1
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.1423842298.000001DD41977000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001DD41977000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_1dd41977000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: zC$$zC$$zC$XfC
                          • API String ID: 0-782662132
                          • Opcode ID: 0a1c2ec7d78d10629ae3a2b8d9250caed627eeb30eaf1ae287aa479f68fb7010
                          • Instruction ID: eee34e30366fb76f6a39e9c452c9e0e13b858a4941c803161bac2582d11413d3
                          • Opcode Fuzzy Hash: 0a1c2ec7d78d10629ae3a2b8d9250caed627eeb30eaf1ae287aa479f68fb7010
                          • Instruction Fuzzy Hash: 4631C371B1480806972C853CA91166A7A83EBD4370F69872FF977837E0DFF48D059158
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.1551222816.000001FBD9C6A000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001FBD9C6A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_1fbd9c6a000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: $&$3$6$;$=$H$N$Q$S$W$X$Xa4$Xa4$Xa4$Xa4$_$g$j$l$o$w$w$x
                          • API String ID: 0-4122906749
                          • Opcode ID: 3d1f0ff41ef16d642c4ce7b4b2b44fe49233bcbf1cd20426557420a8ea4f6f6d
                          • Instruction ID: fb5085be9e9b3f98cb132b1793c6803379007c5eb17ad027c20429f3ef5847a4
                          • Opcode Fuzzy Hash: 3d1f0ff41ef16d642c4ce7b4b2b44fe49233bcbf1cd20426557420a8ea4f6f6d
                          • Instruction Fuzzy Hash: 726167B0D0429A9AEB10CFE8D8883EEBFF2EF05358F144119D415BB3A1D3B95A46CB55
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.1551222816.000001FBD9C6A000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001FBD9C6A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_1fbd9c6a000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: $&$3$6$;$=$H$N$Q$S$W$X$Xa4$Xa4$_$g$j$l$o$w$w$x
                          • API String ID: 0-2783673184
                          • Opcode ID: d01d369eeaabe9b2df499ef724628e410bf81941d2290df0f05f6256d5aa4273
                          • Instruction ID: fa3e2fbed6276081c8478dc3797eabbe66a7a10b2073fa733c6ce54c9dbf7110
                          • Opcode Fuzzy Hash: d01d369eeaabe9b2df499ef724628e410bf81941d2290df0f05f6256d5aa4273
                          • Instruction Fuzzy Hash: 20516A70D042899AEB10CFE8D8883EDBFF2AF19358F244119D465BB3D1D3B94A4ACB55
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.1551222816.000001FBD9C6A000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001FBD9C6A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_1fbd9c6a000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: $&$1$3$6$;$=$H$N$Q$S$W$X$Xa4$Xa4$_$g$l$o$w$x
                          • API String ID: 0-2136297362
                          • Opcode ID: 3459ce40d4d1d4d65c2705646b5d0c5c22e833d92cd5dacd617ad8096fc0ec09
                          • Instruction ID: cfb629245ffc87b27498cd56d2b719f4e4c57231cff76553616be4923c891457
                          • Opcode Fuzzy Hash: 3459ce40d4d1d4d65c2705646b5d0c5c22e833d92cd5dacd617ad8096fc0ec09
                          • Instruction Fuzzy Hash: D94108B0D083899AEB11CFE9D8483EDBFB1AF05358F10865AD029BB3D1D3B94649CB55
                          Strings
                          Memory Dump Source
                          • Source File: 0000001D.00000002.2072611143.000001B2CBF85000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001B2CBF85000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_29_2_1b2cbf85000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: $&$3$6$;$=$H$N$Q$S$W$X$Xa4$Xa4$Xa4$Xa4$_$g$j$l$o$w$w$x
                          • API String ID: 0-4122906749
                          • Opcode ID: 3d1f0ff41ef16d642c4ce7b4b2b44fe49233bcbf1cd20426557420a8ea4f6f6d
                          • Instruction ID: 37b3bfd7fa9f89649ef7a881052fac8565477f8501a09d19b06c21064c407930
                          • Opcode Fuzzy Hash: 3d1f0ff41ef16d642c4ce7b4b2b44fe49233bcbf1cd20426557420a8ea4f6f6d
                          • Instruction Fuzzy Hash: B3613574D042999BEF11CFA8D8483EEBBF1AF05318F204159E454BB391D3BA1A49CB55
                          Strings
                          Memory Dump Source
                          • Source File: 0000001D.00000002.2072611143.000001B2CBF85000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001B2CBF85000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_29_2_1b2cbf85000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: $&$3$6$;$=$H$N$Q$S$W$X$Xa4$Xa4$_$g$j$l$o$w$w$x
                          • API String ID: 0-2783673184
                          • Opcode ID: d01d369eeaabe9b2df499ef724628e410bf81941d2290df0f05f6256d5aa4273
                          • Instruction ID: ee4434e36c9f285ca60cc8a213deb7c9d0db6112bb33b7520883c3d2da4988ed
                          • Opcode Fuzzy Hash: d01d369eeaabe9b2df499ef724628e410bf81941d2290df0f05f6256d5aa4273
                          • Instruction Fuzzy Hash: A1513970D052899AEF11CFA8D9483EDBFF1AF16318F20415AE454BB3C1D3BA4A49CB55
                          Strings
                          Memory Dump Source
                          • Source File: 0000001D.00000002.2072611143.000001B2CBF85000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001B2CBF85000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_29_2_1b2cbf85000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: $&$1$3$6$;$=$H$N$Q$S$W$X$Xa4$Xa4$_$g$l$o$w$x
                          • API String ID: 0-2136297362
                          • Opcode ID: 3459ce40d4d1d4d65c2705646b5d0c5c22e833d92cd5dacd617ad8096fc0ec09
                          • Instruction ID: b49496f5551c752b514ab9ee357c02d529d342d4d05feaaa4cc23b020ceb1746
                          • Opcode Fuzzy Hash: 3459ce40d4d1d4d65c2705646b5d0c5c22e833d92cd5dacd617ad8096fc0ec09
                          • Instruction Fuzzy Hash: 7741D7B0D053999AEB11CFA9D8483DDBFB1AF05318F10465AE068BB3D1D3BA0A49CB55
                          Strings
                          Memory Dump Source
                          • Source File: 00000022.00000002.2166878513.0000013D42922000.00000004.00000020.00020000.00000000.sdmp, Offset: 0000013D42922000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_13d42922000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: $&$3$6$;$=$H$N$Q$S$W$X$Xa4$Xa4$Xa4$Xa4$_$g$j$l$o$w$w$x
                          • API String ID: 0-4122906749
                          • Opcode ID: 3d1f0ff41ef16d642c4ce7b4b2b44fe49233bcbf1cd20426557420a8ea4f6f6d
                          • Instruction ID: c795ad9722c0ac412261183f55cb2c015217900ccf29282301d1a35a71d09181
                          • Opcode Fuzzy Hash: 3d1f0ff41ef16d642c4ce7b4b2b44fe49233bcbf1cd20426557420a8ea4f6f6d
                          • Instruction Fuzzy Hash: F2619CB1D04299DAEB14CFA8E4483EEBBF1EF09318F10491AD414BB3D1D7B94A45CB65
                          Strings
                          Memory Dump Source
                          • Source File: 00000022.00000002.2166878513.0000013D42922000.00000004.00000020.00020000.00000000.sdmp, Offset: 0000013D42922000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_13d42922000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: $&$3$6$;$=$H$N$Q$S$W$X$Xa4$Xa4$_$g$j$l$o$w$w$x
                          • API String ID: 0-2783673184
                          • Opcode ID: d01d369eeaabe9b2df499ef724628e410bf81941d2290df0f05f6256d5aa4273
                          • Instruction ID: 06012ea6eab679d81271faeae7e467cc3ce63ea7ca38c8cab14f6497aad535c1
                          • Opcode Fuzzy Hash: d01d369eeaabe9b2df499ef724628e410bf81941d2290df0f05f6256d5aa4273
                          • Instruction Fuzzy Hash: C9518CB0D05289DAEB14CFE8E8443EDBBF1AF15314F204519D464BB3C1D7B98A49CB65
                          Strings
                          Memory Dump Source
                          • Source File: 00000022.00000002.2166878513.0000013D42922000.00000004.00000020.00020000.00000000.sdmp, Offset: 0000013D42922000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_13d42922000_Setup.jbxd
                          Similarity
                          • API ID:
                          • String ID: $&$1$3$6$;$=$H$N$Q$S$W$X$Xa4$Xa4$_$g$l$o$w$x
                          • API String ID: 0-2136297362
                          • Opcode ID: 3459ce40d4d1d4d65c2705646b5d0c5c22e833d92cd5dacd617ad8096fc0ec09
                          • Instruction ID: d00c182959ef77b789c20cc352c8751a04dec91e00f04c00b452bb7d68b17164
                          • Opcode Fuzzy Hash: 3459ce40d4d1d4d65c2705646b5d0c5c22e833d92cd5dacd617ad8096fc0ec09
                          • Instruction Fuzzy Hash: 2C4108B0D053899AEB11CFA8E8483DDBFB1AF05318F10465AD028BB3D1D3BA0A49CB55